
It’s both. 2.17 was a fraudulent release, the release manager is now Chair of the PMC.

As I tell everyone else, don't trust their releases.



As of Valentine's Day, what existed in svn's apreq/trunk is kosher, because I've personally vetted it.

Nothing else is.


As I tell all my longstanding Apache friends, being involved with the foundation was transformational for me.

But at the same time, F/OSS has transformed into a loss leader for FAANGM monopolies, which coincides neatly with the timeline presented.


2.17 was released in Aug 2022. Here's the changes file: https://httpd.apache.org/apreq/docs/libapreq2/apreq_changes....

Here's the bugtraq event about it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018191

Does any of this make sense to you? Nobody who looks in the changes file has any idea the last three releases involved CVE issues. Not only are they purposefully obscured, the release itself contains undocumented bogus parser changes that were papered over during candidate voting.


What I would have done differently:

1/ report the Google Fuzz Report to the actual development team, to coordinate and collaborate on a solution.

2/ not take three whacks at a security release just to fix the same vulnerability.

3/ not attempt to ship whimsical patches in a security release.

4/ not patch the test suite to lie to voters about the viability of a release candidate.

5/ ship a hotfix immediately after users report the bugs on 2.17.
