Apache 2.2 users, your time is running out.

Started by Gregg, July 05, 2016, 09:26:27 PM

Gregg

This is for all our 2.2 users, your time is running out.

With today's announcement of Apache 2.4.23, the Apache Software Foundation included the timetable agreed upon last month for Apache 2.2's end-of-life (EOL). Here's how it goes:

Quote:
   Please note that Apache Web Server Project will only provide maintenance
   releases of the 2.2.x flavor through June of 2017 [EOR], and will provide some
   security patches beyond this date through at least December of 2017 [EOL].
   Minimal maintenance patches of 2.2.x are expected throughout this period,
   and users are strongly encouraged to promptly complete their transitions
   to the 2.4.x flavor of httpd to benefit from a much larger assortment
   of minor security and bug fixes as well as new features.

So Apache 2.2 will no longer receive any new releases after June 30, 2017. I would expect one last release at that time.
Apache 2.2 will EOL completely on December 31, 2017 and there will not be any maintenance after that date.


Apache Haus timetable

All releases through June 30, 2017.
Any high severity remotely exploitable vulnerability fixes that may come out between EOR & EOL. Vulnerabilities exploitable only by physical access to the server will not be included. If an attacker has physical access to the server it is game over anyway.
Any OpenSSL updates till June 30, 2017 (except in the case of high severity remotely exploitable vulnerability fixes where a fresh patched build is required after June 2017).

After December 31, 2017 Apache Haus will no longer have Apache 2.2 server or modules available.

I have wanted to drop Apache 2.2 builds for at least a year now and Mario wanted to drop them well before that. I've continued to build these because I know they are needed for a number of modules like ColdFusion that have a high cost to replace with 2.4 versions or, for some, there is no equivalent module built for Apache 2.4 available. Those of you who are in this position need to start planning for what (and how) you are going to move ahead and budgeting any expenses that might be incurred during the process.


Some Background

The developers of the Apache HTTP Server are almost entirely volunteers who devote some of their free time to maintaining the software. Because of this, they are free to choose what they want to devote this time to, and for most that is mainly maintaining the 2.4 code base, new features or enhancements, as well as 2.6/3.0 or simply 2.next as I like to call it. This results in the problem that not enough developers either can or are willing to spend time reviewing bug fixes or release candidates of 2.2, and it takes 3 developers to review and OK any such changes or releases. So if you cannot get three people to review and vote, why bother with maintaining it at all?

A good example of this is Apache 2.2.32, which was scheduled to be released at the same time as 2.4.23. There are two bug fixes that have been sitting there for a while that need reviewing and to be given the OK to proceed but are still 1 vote short. This past weekend being a holiday weekend in the States didn't help matters any, but with the holiday over and 2.4.23 out the door, this will hopefully happen in the next couple of days for a release sometime next week.

The first time a vote came up to EOL 2.2 was in May of 2015. This was postponed to November 2015 because at that time there was not a very good 2.4 adoption rate due to the fact that many maintained Linux versions/distros still included Apache 2.2 and would not get updated to 2.4. These versions/distros have finally gone EOL themselves but for a few. This postponed vote finally came last month and pre-vote polling of those willing to contribute to 2.2 chose the timetable.

Looking at the results of that poll, I only see two developers willing to maintain/review bug/security fixes and two willing to test and vote for new releases out to June 2017. It looks as though the rest are only willing to go to the end of this year, so after that things may get sketchy if 3 votes cannot be obtained, basically EOLing 2.2 before the end of 2017.


Bottom Line

Apache 2.2's casket has been picked out; we are just waiting for its last breath. Apache 2.2.0 came out on December 1, 2005, so being 10 and a half years old, one should expect its end soon.

Gregg

Update

It looks like June 30 I will be forced to discontinue Apache 2.2 support if I understand the last announcement from the ASF correctly. Either way it's time to move on.