I thought the whole intent for a quick 2.4.36 was for TLSv1.3 support.
If that's not ready for prime time, then why a release??
AIUI, it isn't that httpd isn't ready for release, or even httpd-test framework.
Until all the upstream CPAN modules behave reasonably with openssl 1.1.1
we will continue to see odd test results.
The question is How Comfortable Are We That TLSv1.3 Support Is Production Ready?
This release seems very, very rushed to me. It seems strange that for someone who balks against releasing s/w that hasn't been sufficiently tested, or could cause regressions, and that the sole reason for this particular release is TLSv1.3 support which seems insufficiently tested, you are uncharacteristic cool with all this.
Does the TLSv1.3 support need to be production ready?
TLSv1.3 is presumably an opt-in feature and as long as it doesn’t endanger existing behaviours, I would have assumed it’s relatively safe to release with caveats in the docs.
Of course, once there’s more take-up of TLSv1.3, then the test suite needs to be useful. Getting real-world feedback about something completely new that doesn’t endanger existing behaviours outside of TLSv1.3 is probably worthwhile.