[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#902493: apache2-bin: Event MPM listener thread may get blocked by SSL shutdowns

On 11.02.19 10:29, Jan Wagner wrote:
> Am 11.02.19 um 09:51 schrieb Sven Hartge:

>> Also I am a bit disappointed by you invoking the "the next release is
>> near" argument. Most of my servers for example won't get Buster until
>> early to mid 2020 and I think many of others are in the same boat.

> just to point this out. You prefer an invasive backport and risk to
> stability in other areas? The update policy of Debian in the past was,
> that this should be avoided.

No, I am disappointed in the "let's do nothing" stance.

I can see why backporting the newer mpm_event is risky and that it
should be avoided.

I can also know that just throwing in a completely new Apache is
something Debian does not do, I've been using Debian for the last 20
years because of exactly that guarantee, to not get surprised by
mid-release major changes.

But this bug has been encountered frequently enough (and is difficult to
spot, if you don't exactly know what to search for) and with increasing
adoption of SSL more and more people will hit it, that I think at least
*some* action is warranted.

Maybe better documentation to help people encountering this or maybe
changing the default MPM for Stretch on new installs, since mpm_event in
Stretch clearly is flawed and buggy with SSL.

But just saying "Buster is release soon" can't be the right solution here.

Stretch will likely be used for at least 3 more years before it is
phased out, keeping a *known* bug with an easy workaround active for
that long because of "we don't change Debian Stable *ever*" seems wrong
to me.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: