1 APACHE 2.4 STATUS: -*- mode: text; coding: utf-8 -*-
2 Last modified at [$Date$]
4 The current version of this file can be found at:
6 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/STATUS
8 Documentation status is maintained separately and can be found at:
10 * docs/STATUS in this source tree, or
11 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/docs/STATUS
13 The current development branch of this software can be found at:
15 * http://svn.apache.org/repos/asf/httpd/httpd/trunk
17 Consult the following STATUS files for information on related projects:
19 * http://svn.apache.org/repos/asf/apr/apr/trunk/STATUS
20 * http://svn.apache.org/repos/asf/apr/apr/branches/1.4.x/STATUS
21 * http://svn.apache.org/repos/asf/apr/apr-util/branches/1.4.x/STATUS
22 * http://svn.apache.org/repos/asf/apr/apr/branches/1.5.x/STATUS
23 * http://svn.apache.org/repos/asf/apr/apr-util/branches/1.5.x/STATUS
25 Patches considered for backport are noted in their branches' STATUS:
27 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS
28 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS
29 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/STATUS
34 [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
35 while x.{even}.z versions are Stable/GA releases.]
37 2.4.23 : In development.
38 2.4.22 : Tagged on June 20, 2016, not released.
39 2.4.21 : Tagged on June 16, 2016, not released.
40 2.4.20 : Tagged on April 4, 2016. Released on April 11, 2016.
41 2.4.19 : Tagged on March 21, 2016, not released.
42 2.4.18 : Tagged on December 8, 2015. Released on December 14, 2015.
43 2.4.17 : Tagged on October 9, 2015. Released October 13, 2015.
44 2.4.16 : Tagged on July 9, 2015. Released July 15, 2015
45 2.4.15 : Tagged on June 19, 2015. Not released.
46 2.4.14 : Tagged on June 11, 2015. Not released.
47 2.4.13 : Tagged on June 4, 2015. Not released.
48 2.4.12 : Tagged on January 22, 2015. Released Jan 29, 2015
49 2.4.11 : Tagged on January 15, 2015. Not released.
50 2.4.10 : Tagged on July 15, 2014. Released July 21, 2014
51 2.4.9 : Tagged on March 13, 2014. Released on March 17, 2014
52 2.4.8 : Tagged on March 11, 2014. Not released.
53 2.4.7 : Tagged on November 19, 2013. Released on Nov 25, 2013
54 2.4.6 : Tagged on July 15, 2013. Released July, 22, 2013
55 2.4.5 : Tagged on July 11, 2013, not released.
56 2.4.4 : Tagged on February 18, 2013. Released Feb 25, 2013
57 2.4.3 : Tagged on August 17, 2012. Released Aug 18, 2012
58 2.4.2 : Tagged on April 5, 2012. Released Apr 17, 2012.
59 2.4.1 : Tagged on February 13, 2012. Released Feb 21, 2012.
60 2.4.0 : Tagged on January 16, 2012, not released.
61 2.3.16 : Tagged on December 15, 2011.
62 2.3.15 : Tagged on November 8, 2011. Released Nov. 15, 2011.
63 2.3.14 : Tagged on August 1, 2011. Released Aug. 9, 2011.
64 2.3.13 : Tagged on June 28, 2011, not released.
65 2.3.12 : Tagged on May 11, 2011. Released May 23, 2011.
66 2.3.11 : Released as Beta on March 7, 2011.
67 2.3.10 : Tagged on December 13, 2010. Released Dec 21, 2010.
68 2.3.9 : Tagged on November 23, 2010, not released.
69 2.3.8 : Tagged on August 24, 2010.
70 2.3.7 : Tagged on August 19, 2010, not released.
71 2.3.6 : Released on June 21, 2010.
72 2.3.5 : Released on January 26, 2010.
73 2.3.4 : Released on December 8, 2009.
74 2.3.3 : Tagged on November 11, 2009, not released.
75 2.3.2 : Tagged on March 23, 2009, not released.
76 2.3.1 : Tagged on January 2, 2009, not released.
77 2.3.0 : Tagged on December 6, 2008, not released.
79 Contributors looking for a mission:
81 * Just do an egrep on "TODO" or "XXX" in the source.
83 * Review the bug database at: http://issues.apache.org/bugzilla/
85 * Review the "PatchAvailable" bugs in the bug database:
87 https://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable
89 After testing, you can append a comment saying "Reviewed and tested".
91 * Open bugs in the bug database.
93 * See also the STATUS file in the docs/ directory, which lists documentation-specific TODO items.
96 CURRENT RELEASE NOTES:
98 * Forward binary compatibility is expected of Apache 2.4.x releases, such
99 that no MMN major number changes will occur after 2.4.1. Such changes can
100 only be made in the trunk.
102 * All commits to branches/2.4.x must be reflected in SVN trunk,
103 as well, if they apply. Logical progression is commit to trunk
104 then merge into branches/2.4.x, as applicable.
106 * Current exceptions for RTC for this branch:
111 . non-Unix, single-platform code
113 RELEASE SHOWSTOPPERS:
116 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
117 [ start all new proposals below, under PATCHES PROPOSED. ]
119 *) mod_sed: Fix 'x' command processing
120 trunk patch: http://svn.apache.org/r1749401
121 http://svn.apache.org/r1749404 (CHANGES entry)
122 2.4.x: trunk patch works
123 +1: jailletc36, rpluem, ylavic
125 *) mod_proxy: Replace the logic for selecting proxy sub-modules, retaining
126 the 2.4.x legacy behavior, by elevating the module selection to 'most'
127 through all proxy_* sub-module configuration tests, and apply the same
128 static or shared linkage of mod_proxy to each sub-module not otherwise
129 explicitly marked static or shared. By dropping the default 'yes' toggle,
130 this patch ensures we will no longer abort the configuration when failing
131 to enable a module for missing dependencies.
132 trunk patch: http://svn.apache.org/r1750043
133 2.4.x: https://raw.githubusercontent.com/wrowe/patches/master/proxy-noforce-2.4.x.patch
134 +1: wrowe, rpluem, ylavic
136 *) Account for explicit enable- cases of 'shared', 'few', 'all', 'reallyall',
137 ensure all unrecognized --enable-foo=values mean *no*.
138 Backport: r1750335, r1750407, r1750420
139 Trunk patch: http://svn.apache.org/r1750335
140 http://svn.apache.org/r1750407
141 http://svn.apache.org/r1750420
142 2.4.x patch: Trunk applies
143 +1: wrowe, rpluem, ylavic
146 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
147 [ New proposals should be added at the end of the list ]
149 *) mod_ssl: Return 502 instead of 500 when SSL peer check or
150 proxy_post_handshake hook fails.
151 Trunk patch: r1645529 (works)
152 2.4.x patch which adds CHANGES: https://emptyhammock.com/media/downloads/r1645529-to-2.4.x.txt
154 ylavic: there may be missing bits, see thread for commit r1736510.
156 *) mod_dav: Add support for childtags to dav_error.
157 trunk patch: http://svn.apache.org/r1746207
158 2.4.x: trunk works modulo CHANGES/MMN
161 *) mod_dav: Add dav_begin_multistatus, dav_send_one_response,
162 dav_finish_multistatus, dav_send_multistatus, dav_handle_err,
163 dav_failed_proppatch, dav_success_proppatch to mod_dav.h.
164 trunk patch: http://svn.apache.org/r1748047
165 2.4.x: trunk works modulo CHANGES/MMN
168 *) core: Drop an invalid Last-Modified header value coming
169 from a FCGI/CGI script instead of replacing it with Unix epoch.
170 trunk patch: http://svn.apache.org/r1748379
171 2.4.x: trunk patch works
174 *) mpm_event/worker: fix MaxSpareThreads lower bound (follow up to /
175 consistent with MinSpareThreads' change in r1748336 from 2.4.21)
176 trunk patch: http://svn.apache.org/r1750218
181 PATCHES/ISSUES THAT ARE BEING WORKED
183 *) http: Don't remove the Content-Length of zero from a HEAD response if
184 it comes from an origin server, module or script. Allow the previous
185 behaviour (for legacy/buggy modules only, not origin) by also backporting
186 the HttpContentLengthHeadZero directive (and also HttpExpectStrict which
187 comes for free with the same commit).
188 trunk patch: http://svn.apache.org/r1554303
189 http://svn.apache.org/r1678215
190 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-preserve_head_cl_zero.patch
192 ylavic: r1554303 issued a major MMN bump, but since the ABI change is two
193 ints added at the end of core_server_config, the proposed merge
194 does a minor bump only.
195 minfrin: Two new directives need to be documented.
197 * mod_proxy_http: Don't establish or reuse a backend connection before pre-
198 fetching the request body, so to minimize the delay between it is supposed
199 to be alive and the first bytes sent: this is a best effort to prevent the
200 backend from closing because of idle or keepalive timeout in the meantime.
201 Also, handle a new "proxy-flushall" environment variable which allows to
202 flush any forwarded body data immediately. PR 56541+37920.
203 trunk patch: http://svn.apache.org/r1656259
204 http://svn.apache.org/r1656359 (CHANGES entry)
205 2.4.x patch: trunk works (modulo CHANGES, docs/log-message-tags)
207 -0: jim: This seems to be a hit to normal performance, to handle an
208 error and/or non-normal condition. The pre-fetch is
209 expensive, and is always done, even before we know that
210 the backend is available to rec' it. I understand the
211 error described, but is the fix actually worth it (plus
212 it seems to allow for a DDoS vector).
213 ylavic: It seems to me that the problem is real since we reuse the
214 connection before prefetching 16K (either controlled by the
215 client, or by an input filter), we currently always prefetch
216 these bytes already. Regarding performance I don't see any
217 difference (more cycles) compared with the current code.
218 However I think I failed to rebuild the header_brigade when
219 the proxy loop is retried (ping), so I need to rework this.
220 Do you think we'd better remove the prefetch, or maybe just
221 make it nonblocking (by default)?
222 jim: Non-blocking seems the best way to handle...
224 * mod_dav: Allow other modules to become providers and add ACLs
225 to the DAV response. Requires a release of apr-util v1.6.
226 trunk patch: http://svn.apache.org/r1748322
227 2.4.x: trunk works modulo CHANGES/MMN
229 rpluem asks: Will this compile with apr-util < v1.6 and keep
230 mod_dav working (without the new features of the patch of course)?
231 I doubt that we will require apr-util 1.6 for the lifetime of 2.4.x
232 (see the discussion around ap_cstr_casecmp[n] an apr 1.6)
233 minfrin: Yes, as you can see in the patch everything applies only
234 if APR_XML_X2T_PARSED is defined, and the patch was tested with
235 both apr-util v1.6 and apr-util v1.5.
238 PATCHES/ISSUES THAT ARE STALLED
240 * core: Add ap_errorlog_provider to make ErrorLog logging modular. This
241 backport keeps syslog logging as part of httpd core and only adds
242 API to allow other modules to be used for error logging.
243 trunk patch: http://svn.apache.org/r1525597
244 http://svn.apache.org/r1525664
245 http://svn.apache.org/r1525845
246 http://svn.apache.org/r1527003
247 http://svn.apache.org/r1527005
248 http://svn.apache.org/r1532344
249 http://svn.apache.org/r1539988
250 http://svn.apache.org/r1541029
251 http://svn.apache.org/r1543979
252 http://svn.apache.org/r1544156
253 http://svn.apache.org/r1626978
254 2.4.x patch: http://people.apache.org/~jkaluza/patches/httpd-2.4.x-errorlog_provider.patch
256 +1: covener w/ doc or code to fix syntax (providername:providerarg not supported like syslog or socacheproviders,
257 needs 2 args which is not valid in ErrorLog manual)
258 trawick: nit: fix "writing" in "/* NULL if we are writting to syslog */"
259 (sorry, haven't finished reviewing completely)
260 jim: What is the status of this??
262 * mod_proxy: Add ap_proxy_define_match_worker() and use it for ProxyPassMatch
263 and ProxyMatch section to distinguish between normal workers and workers
264 with regex substitutions in the name. Implement handling of such workers
265 in ap_proxy_get_worker(). Fixes the bug when regex workers were not
266 matched and used for request. PR 43513.
267 trunk patch: http://svn.apache.org/r1609680
268 http://svn.apache.org/r1609688
269 http://svn.apache.org/r1641381
270 ylavic: Merge patch provided (reusing new->real to avoid double de_socketfy() call).
271 Also added missing r1609688 to the patchset.
272 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_proxy_define_match_worker.patch
274 -0: covener tried to review this one in Austin with Jeff. Does the added match function
275 really cover a very narrow set of parameters with the way it skips over backreferences?
276 Also, why a new API vs. just setting the field inline?
278 * mod_systemd: New module, for integration with systemd on Linux.
279 trunk patch: http://svn.apache.org/r1393976
280 http://svn.apache.org/r1393997
281 http://svn.apache.org/r1484554
282 http://svn.apache.org/r1528032
283 http://svn.apache.org/r1528034
284 http://svn.apache.org/r1614821
285 http://svn.apache.org/r1618579
286 http://svn.apache.org/r1618588
287 2.4.x patch: http://people.apache.org/~jkaluza/patches/mod_systemd/httpd-2.4.x-mod_systemd.patch
289 sf comments: The IdleShutdown logic seems broken. Consider a single
290 active connection that is stalled for 10 seconds. That
291 connection will be broken after GracefulShutdownTimeout.
292 A better logic would be to check if there is any open
293 connection that is not in keep-alive state.
295 * mod_journald: Add new module mod_journald to log error logs into journald.
296 This patch needs changes done in mod_systemd patch (already
298 trunk patch: http://svn.apache.org/r1610339
299 http://svn.apache.org/r1621806
300 2.4.x patch: http://people.apache.org/~jkaluza/patches/httpd-2.4.x-mod_journald.patch
302 rjung, minfrin: Not understanding "This patch needs changes done in
303 mod_systemd patch", am I right in understanding this patch is
305 jkaluza: No, that patch is not committed yet. It is in STALLED section.
306 The link for that patch is: http://people.apache.org/~jkaluza/patches/mod_systemd/httpd-2.4.x-mod_systemd.patch
308 * core: Add support for systemd socket activation.
309 trunk patch: http://svn.apache.org/r1511033
310 http://svn.apache.org/r1608686
311 http://svn.apache.org/r1608694
312 http://svn.apache.org/r1608703
313 http://svn.apache.org/r1608721
314 http://svn.apache.org/r1608744
315 2.4.x patch: http://people.apache.org/~jkaluza/patches/mod_systemd/httpd-2.4.x-socket-activation.patch
318 * mod_proxy: Ensure network errors detected by the proxy are returned as
319 504 Gateway Timout as opposed to 502 Bad Gateway
320 trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1480058
321 2.4.x patch: trunk patch works modulo CHANGES
323 -1: rpluem: This change is still disputed. See
324 http://mail-archives.apache.org/mod_mbox/httpd-dev/201305.mbox/%3C1B16B9E3-87BA-4EEF-939C-7C7313B54714%40gbiv.com%3E
326 * cross-compile: allow to provide CC_FOR_BUILD so that gen_test_char will be
327 compiled by the build compiler instead of the host compiler.
328 Also set CC_FOR_BUILD to 'cc' when cross-compilation is detected.
329 Trunk patches: http://svn.apache.org/viewvc?view=revision&revision=1327907
330 http://svn.apache.org/viewvc?view=revision&revision=1328390
331 http://svn.apache.org/viewvc?view=revision&revision=1328714
332 2.4 patch: http://people.apache.org/~fuankg/diffs/httpd-2.4.x-cross_compile.diff
333 fuankg: on hold until we agree for a better and more simple solution ...
335 * Makefile.win: Added copying of .vbs / .wsf CGIs to Windows install target.
336 Moved fixing of shebang to separate target so that it is
337 no longer executed by default and all CGIs remain inactive.
338 trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1387984
339 http://svn.apache.org/viewvc?view=revision&revision=1421203
340 http://svn.apache.org/viewvc?view=revision&revision=1421591
341 2.4.x patch: http://people.apache.org/~fuankg/diffs/httpd-2.4.x-Makefile.win.diff
344 This commit is essentially deciding that an httpd install on
345 Windows now has printenv/testcgi written in 2 more languages.
346 To the extent that the usefulness is that it shows how to make scripts
347 of these types executable by httpd, I believe that the documentation
348 is the proper place to solve that. To the extent that the usefullness
349 is to show how to implement a CGI in these particular languages, I believe
350 that the httpd distribution and documentation in general is not the
351 place for that. Historically these types of scripts have caused problems
352 for downstream vendorsas well as newbies (and sometimes the intersection
353 of those two groups) who don't understand that these are information leaks
354 once they are enabled, and the subtlety of the way they are disabled ("Apache
355 messed up the first line; let me fix that") contributes to that.
356 fuankg notes: I've just added a big warning to all CGI scripts which should now
357 make absolutely clear that these CGIs are for testing purpose only - so those
358 who enable those scripts with inserting the right shebang should be 100% aware
359 of any risks (this should cover your last point).
360 jim: trawick, does the above address your concerns?
361 trawick: to some extent (somebody reading the script gets an idea)
362 Why isn't the configuration requirement documented instead
363 of described indirectly in a sample?
364 Why are these new samples added to the install without three
365 votes? (I didn't veto it; put your name next to the two
366 existing ones and I'll be satisified that enough people
367 considered this addition as an appropriate solution for a
368 real httpd usability problem.)
369 wrowe: I'd agree with trawick, and suggest that these scripts can begin
370 their life somewhere in the manual/ tree. This really seems like
371 the place where /usr/share/httpd/examples/ would be useful, but
372 there isn't an ordinary directory for that. Since we want none
373 of the scripts to function 'out of the box', what about a new
374 cgi-examples/ dir alongside cgi-bin/? Otherwise manual/cgi/examples
377 * core: block Define and Undefine in vhost and directory context. Because
378 it is EXEC_ON_READ, it "breaks out" of these contexts anyway.
379 trunk patch: http://svn.apache.org/r1656063
380 http://svn.apache.org/r1656122
381 2.4.x patch: http://people.apache.org/~covener/patches/2.4.x-define-limits.diff
382 +1: covener (I need to review the docs manually in this area)
383 -1: wrowe (blocking will break "working" .conf files on a subversion update
384 meant to pick up security fixes. "Alerting" I would agree to.)