Re: The Apache Question
Sure OpenBSD's modified Apache 1.3 is way more secure than most stuff out there, and is working great. However, the Subversion versioning control system (which my project uses) demands Apache2 in order to do DAV checkouts and commits, better authentication and more. So, my only choice was to manually install Apache2 and compile mod_dav_svn.so in order to use these features in OpenBSD. No big deal, but I would surely appreciate a port for Apache2, it would have made my life much easier. Anyway, I agree with the other guys: no way Apache2 will make it to the base system, its license is a major issue against that. Somewhat off-topic but if you need plone and subversion with dav lighttpd can do the trick for you (running plone as a fastcgi server).
Re: The Apache Question
On 2/7/06, Marcin Wilk [EMAIL PROTECTED] wrote:
> Why change that It is apache, but with some patches. But still it is apache (changing name may be bad for future coders, that would like to make some plugin for OpenBSD http server, before they will start to make it, they will have to learn, that httpd in OBSD is just apache 1.3). Besides I don't understand why so many people would like to change current web server, when it's working fine well it is enough secure? Is there any really nice argument besides the digit? I think no, so, why people always ask that

I think the biggest argument for changing the web server is the fact that the Apache in tree doesn't do IPv6, and Apache 2.x does. And, btw, if you look at early 2.0 releases, you'll see they are still under the Apache 1.1 License or whatever 1.3 was under. The incompatible Apache license wasn't put in until after a few 2.x releases.

> At 22:11 2006-02-07, you wrote:
>> Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3?
>> Stuart Henderson wrote:
>>> On 2006/02/07 21:23, RedShift wrote:
>>>> I've noticed OpenBSD still uses Apache httpd 1.3.
>>> Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
Well then, I'll take a look at your suggestion, Joachim, seems reasonable. Too bad most developers actually *prefer* FTP over ssh, so it's going to be difficult to convince them. Well, looks like I'll just have to implement... they'll get used to it anyway =) Talking about the Apache2 port, as soon as I get the grasp of porting software to OpenBSD I'll try to do that, would be quite helpful. Erm... just a lazy question, but lighttpd has support for DAV?

On 2/8/06, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Tue, Feb 07, 2006 at 11:05:44PM -0200, Felipe Scarel wrote:
>> Since it's an open source project in which anyone can commit to the repository anytime, it's not possible to add each and every user as a system user. Instead, we're using Plone to write user information on the htaccess-style file that Subversion reads. However, I guess I'm going to use your strategy on another server that is not wide open to commits, looks more than enough. Anyway, an Apache2 port wouldn't be a bad idea... I'll study some more and try to work on that on the near future.
>
> There is no need for that, really. Use public key authentication, one key per person, and a .ssh/authorized_keys file that looks like this, minus line breaks and empty lines and with actual public keys:
>
> command="umask 027; svnserve -t --tunnel-user=joachim -r /var/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa $pubkey_joachim [EMAIL PROTECTED]
>
> command="umask 027; svnserve -t --tunnel-user=felipe -r /var/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa $pubkey_felipe [EMAIL PROTECTED]
>
> It's quite neat, and no need for Apache 2. Setting up a session might be slightly quicker in Apache, but data throughput might be equal. Or not - I don't know if mod_dav_svn does any caching, and I've never benchmarked it.
>
> And if you keep an ssh session open (ControlMaster and so on, see ssh_config(5)), I'd imagine it being quite a bit faster under a normal usage pattern for a developer (lots of connections, exchanging little data each time).
>
> Joachim

-- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
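The one-key-per-person, forced-command layout quoted in the message above only holds if every entry in the file carries the full set of options. The following is an added example, not part of any post in this thread: a small auditor for such an authorized_keys file. The key blobs, e-mail addresses and the users carol and dave are constructed sample data; accepting OpenSSH's `restrict` option in place of the four `no-*` options is an assumption of this sketch.

```python
import shlex

# Restrictions used in the thread's entries; sshd option names are case-insensitive.
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def split_unquoted(text, seps, maxsplit=-1):
    """Split on any character in seps that sits outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return parts

def audit_line(line):
    """Return the findings for one authorized_keys entry (empty list = OK)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if line.startswith(KEY_TYPES):
        return ["no options: key gets a normal login"]
    fields = split_unquoted(line, " \t", maxsplit=1)
    if len(fields) < 2:
        return ["malformed entry"]
    opts = {}
    for opt in split_unquoted(fields[0], ","):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value.strip('"')
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    else:
        segs = [shlex.split(s) for s in opts["command"].split(";") if s.strip()]
        extra = sorted({s[0] for s in segs if s[0] not in ("umask", "svnserve")})
        svn = [s for s in segs if s[0] == "svnserve"]
        if extra:
            findings.append("forced command also runs: " + ", ".join(extra))
        if len(svn) != 1:
            findings.append("forced command must run svnserve exactly once")
        else:
            if "-t" not in svn[0]:
                findings.append("svnserve not in tunnel mode (-t)")
            # Without --tunnel-user every commit is attributed to the shared account.
            if not any(a.startswith("--tunnel-user=") for a in svn[0]):
                findings.append("svnserve lacks --tunnel-user")
            if "-r" not in svn[0]:
                findings.append("svnserve lacks -r repository root")
    missing = sorted(REQUIRED - opts.keys())
    if missing and "restrict" not in opts:
        findings.append("missing restrictions: " + ", ".join(missing))
    return findings

def audit(text):
    """Map 1-based line number -> findings, for entries that have any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = audit_line(line)
        if found:
            report[n] = found
    return report

# Constructed sample file: line 1 follows the thread's form, lines 2-4 are weakened.
SAMPLE = """\
command="umask 027; svnserve -t --tunnel-user=joachim -r /var/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3CONSTRUCTED1 joachim@example.org
command="umask 027; svnserve -t --tunnel-user=felipe -r /var/svn",no-port-forwarding,no-agent-forwarding ssh-rsa AAAAB3CONSTRUCTED2 felipe@example.org
ssh-rsa AAAAB3CONSTRUCTED3 carol@example.org
command="svnserve -t -r /var/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3CONSTRUCTED4 dave@example.org
"""

if __name__ == "__main__":
    for lineno, found in audit(SAMPLE).items():
        print(f"line {lineno}: " + "; ".join(found))
```
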
Re: The Apache Question
Felipe Scarel wrote: Well then, I'll take a look at you suggestion, Joachim, seems reasonable. Too bad most developers actually *prefer* FTP over ssh, so it's going to be difficult to convince them. Well, looks like I'll just have to implement... they'll get used to it anyway =) Talking about the Apache2 port, as soon as I get the grasp of porting software to OpenBSD I'll try to do that, would be quite helpful. Erm... just a lazy question, but lighttpd has support for DAV? From http://www.lighttpd.net/documentation/webdav.html: The WebDAV module is a very minimalistic implementation of RFC 2518. Minimalistic means that not all operations are implemented yet. - Bret
Re: The Apache Question
Thanks there, I'll consider using lighttpd then. On 2/8/06, Bret Lambert [EMAIL PROTECTED] wrote: Felipe Scarel wrote: Well then, I'll take a look at you suggestion, Joachim, seems reasonable. Too bad most developers actually *prefer* FTP over ssh, so it's going to be difficult to convince them. Well, looks like I'll just have to implement... they'll get used to it anyway =) Talking about the Apache2 port, as soon as I get the grasp of porting software to OpenBSD I'll try to do that, would be quite helpful. Erm... just a lazy question, but lighttpd has support for DAV? From http://www.lighttpd.net/documentation/webdav.html: The WebDAV module is a very minimalistic implementation of RFC 2518. Minimalistic means that not all operations are implemented yet. - Bret -- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
Re: The Apache Question
On Wed, 2006-02-08 at 11:09:14 -0500, Jason Crawford proclaimed... I think the biggest argument for changing the web server is the fact that the Apache in tree doesn't do IPv6, and Apache 2.x does. And, btw, if you look at early 2.0 releases, you'll see they are still under the Apache 1.1 License or whatever 1.3 was under. The incompatible Apache license wasn't put in until after a few 2.x releases. That was my biggest complaint too, and I ended up having to run Apache2 when I was a mirror maintainer (my policy was to make everything ipv4/ipv6 accessible). Then again, syslogd(8) doesn't have ipv6 support either. I suppose there are things one can do with faithd(8) if they really wanted to.
Re: The Apache Question
On 2/8/06, Jason Crawford [EMAIL PROTECTED] wrote:
> On 2/7/06, Marcin Wilk [EMAIL PROTECTED] wrote:
>> Why change that It is apache, but with some patches. But still it is apache (changing name may be bad for future coders, that would like to make some plugin for OpenBSD http server, before they will start to make it, they will have to learn, that httpd in OBSD is just apache 1.3). Besides I don't understand why so many people would like to change current web server, when it's working fine well it is enough secure? Is there any really nice argument besides the digit? I think no, so, why people always ask that
>
> I think the biggest argument for changing the web server is the fact that the Apache in tree doesn't do IPv6, and Apache 2.x does. And, btw, if you look at early 2.0 releases, you'll see they are still under the Apache 1.1 License or whatever 1.3 was under. The incompatible Apache license wasn't put in until after a few 2.x releases.

Sorry to reply to myself, but I was curious as to how far along 2.0.x was still the Apache 1.1 License, so I checked out older versions of source from: http://archive.apache.org/dist/httpd/ And I have found that 2.0.48 is the last version with the Apache 1.1 License (compatible with OpenBSD) and that 2.0.49 is the first version with the Apache 2.0 License (incompatible with OpenBSD). So if anyone is truly interested in Apache 2.0.x, it looks like as far as the license is concerned, it's doable if 2.0.48 is used.

>> At 22:11 2006-02-07, you wrote:
>>> Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3?
>>> Stuart Henderson wrote:
>>>> On 2006/02/07 21:23, RedShift wrote:
>>>>> I've noticed OpenBSD still uses Apache httpd 1.3.
>>>> Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
The Apache Question
Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselfs with a port? Glenn
Re: The Apache Question
I would recommend reading the archives, but I guess a quick answer is no.
Re: The Apache Question
On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselfs with a port? Glenn Look this question in the archive and you will get the answer. In any case, the short of it is that the license will make it impossible to do so. It's a dead issue and that's why the version 1.3 is maintain isolated from the apache and there is way over what, may be 60K lines of difference by now or something like that. May be I am mistaken and it's 30K, I can't remember well, but the last time I look, it's HUGE!
Re: The Apache Question
Well as far as I know, Apache 1.3 is an openBSD modified version and not the 1.3 apache releases but the licensing on apache 2.0 is the reason I see OpenBSD not packaging it. http://apache.org/licenses/LICENSE-2.0 Also search back into the mailing list archives or the site for more specific reasons. Correct me if i'm wrong. On 2/7/06, RedShift [EMAIL PROTECTED] wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselfs with a port? Glenn
Re: The Apache Question
Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? Stuart Henderson wrote: On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
Steven Day wrote: Well as far as I know, Apache 1.3 is an openBSD modified version and not the 1.3 apache releases but the licensing on apache 2.0 is the reason I see OpenBSD not packaging it. http://apache.org/licenses/LICENSE-2.0 Also search back into the mailing list archives or the site for more specific reasons. Correct me if i'm wrong. Your correct and that was sure beat up big time in the archive as well. I think you have way more chance to ever see lighttpd replace apache 1.3 oppose to have apache 2.x for sure. I am not talking for the project what so ever, but the archive make it very obvious that apache is not going to go higher then where it is now. Plus lighttpd does have a BSD license, so that would be my bet. But don't expect that to change soon I think. Just my $0.02 worth.
Re: The Apache Question
From: [EMAIL PROTECTED] Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? No, because that's what it is. What you're talking about is marketing drivel. You don't have to keep up with the Joneses, especially when the Joneses introduced a shoddy license and are going a different way. DS
Re: The Apache Question
Hello! On Tue, Feb 07, 2006 at 03:59:22PM -0500, Steven Day wrote: Well as far as I know, Apache 1.3 is an openBSD modified version and not the 1.3 apache releases but the licensing on apache 2.0 is the reason I see OpenBSD not packaging it. http://apache.org/licenses/LICENSE-2.0 Also search back into the mailing list archives or the site for more specific reasons. Correct me if i'm wrong. IIRC that's correct, the licensing is at least one of the reasons why apache 2 will probably never make it into base. However, I'd guess a port submission would be accepted in principle - but not now, because the consolidation phase for the next release has already started wrt ports. Kind regards, Hannah.
Re: The Apache Question
Why change that It is apache, but with some patches. But still it is apache (changing name may be bad for future coders, that would like to make some plugin for OpenBSD http server, before they will start to make it, they will have to learn, that httpd in OBSD is just apache 1.3). Besides I don't understand why so many people would like to change current web server, when it's working fine well it is enough secure? Is there any really nice argument besides the digit? I think no, so, why people always ask that

At 22:11 2006-02-07, you wrote:
> Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3?
> Stuart Henderson wrote:
>> On 2006/02/07 21:23, RedShift wrote:
>>> I've noticed OpenBSD still uses Apache httpd 1.3.
>> Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
On Tue, 7 Feb 2006, Spruell, Darren-Perot wrote: From: [EMAIL PROTECTED] Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? No, because that's what it is. What you're talking about is marketing drivel. You don't have to keep up with the Joneses, especially when the Joneses introduced a shoddy license and are going a different way. DS Hmmm... [EMAIL PROTECTED]:/home/jross $ whois openhttpd.org (As pointed out to me quite a while back ...) :-)
Re: The Apache Question
RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselfs with a port? Glenn I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know.
Re: The Apache Question
On 2/7/06, Joe S [EMAIL PROTECTED] wrote: RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselfs with a port? Glenn I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know. http://www.openbsd.org/faq/faq1.html#HowAbout That was referenced from the list reply where someone claimed there was no problem. A quick web search will probably give the reason too.
Re: The Apache Question
Sure OpenBSD's modified Apache 1.3 is way more secure than most stuff out there, and is working great. However, the Subversion versioning control system (which my project uses) demands Apache2 in order to do DAV checkouts and commits, better authentication and more. So, my only choice was to manually install Apache2 and compile mod_dav_svn.so in order to use these features in OpenBSD. No big deal, but I would surely appreciate a port for Apache2, it would have made my life much easier. Anyway, I agree with the other guys: no way Apache2 will make it to the base system, its license is a major issue against that. -- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
Re: The Apache Question
On 2/7/06, Joe S [EMAIL PROTECTED] wrote:
> I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know.

wc L*
      58     408    2827 LICENSE-1.1
     202    1581   11358 LICENSE-2.0.txt
Re: The Apache Question
On 2/7/06, Joe S [EMAIL PROTECTED] wrote: RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselfs with a port? Glenn I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know. It was the first link in google. agree or disagree there it is. :-) http://www.monkey.org/openbsd/archive/misc/0406/msg00438.html --Bryan
Re: The Apache Question
Since it's an open source project in which anyone can commit to the repository anytime, it's not possible to add each and every user as a system user. Instead, we're using Plone to write user information on the htaccess-style file that Subversion reads. However, I guess I'm going to use your strategy on another server that is not wide open to commits, looks more than enough. Anyway, an Apache2 port wouldn't be a bad idea... I'll study some more and try to work on that on the near future. On 2/7/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Tue, Feb 07, 2006 at 09:26:31PM -0200, Felipe Scarel wrote: Sure OpenBSD's modified Apache 1.3 is way more secure than most stuff out there, and is working great. However, the Subversion versioning control system (which my project uses) demands Apache2 in order to do DAV checkouts and commits, better authentication and more. So, my only choice was to manually install Apache2 and compile mod_dav_svn.so in order to use these features in OpenBSD. No big deal, but I would surely appreciate a port for Apache2, it would have made my life much easier. Anyway, I agree with the other guys: no way Apache2 will make it to the base system, its license is a major issue against that. I don't know about you, but I had the same svn-over-apache-2 setup. I switched to svn+ssh, and all seems well. It has the added advantage of taking version control further away from my very untrusted web scripts and somewhat untrusted web server. sshd is a trusted component, at least in the sense that anyone who can break that essentially owns the system. Joachim -- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
Re: The Apache Question (lighttp remote holes just fixed)
paul dansing wrote: lighttpd just fixed a remote hole (case insensitive file systems) in the CURRENT VERSION! Does this inspire confidence? I mean for fck sake, the version just before they fixed %00 append bug! Next thing they will discover directory traversal. o_O YEAH, yeah I want this FINE PIECE OF SOFTWARE running on my production servers. Bummer too, because the hype had it sounded pretty cool until I realized how recent those remote holes were :( I didn't put a judgment on the quality of the software, but it is not as bad as you want to make it look like, plus you would be surprise how many developers are running it anyway. If it ever make it to the default install, don't you think there would be a nice audit on it first? I am not putting it down, I simply stated the BSD license oppose to the new more restrictive Apache to answer the question, that's all. In the end, I fully trust that if anyone from the project put it in, they will have looked at the implications of it and I fully trust their judgments! I have to say, if Apache would ever be release, I would love to see the replacement be part of the kernel if you asked me. Benchmark on web server built in kernel are just amazing! But again, I am not talking for the project, nor would I pretend to know what they would do either! I was only answering the question at the risk of been flame doing so as this was beat up to death many times in the archive. Peace...
Re: The Apache Question (lighttp remote holes just fixed)
lighttpd just fixed a remote hole (case insensitive file systems) in the CURRENT VERSION! Does this inspire confidence? I mean for fck sake, the version just before they fixed %00 append bug! Next thing they will discover directory traversal. o_O YEAH, yeah I want this FINE PIECE OF SOFTWARE running on my production servers. Bummer too, because the hype had it sounded pretty cool until I realized how recent those remote holes were :( I think you have way more chance to ever see lighttpd replace apache 1.3 oppose to have apache 2.x for sure. I am not talking for the project what so ever, but the archive make it very obvious that apache is not going to go higher then where it is now. Plus lighttpd does have a BSD license, so that would be my bet. But don't expect that to change soon I think. -- Best regards, paul mailto:[EMAIL PROTECTED]
Re: The Apache Question
On 2/8/06, RedShift [EMAIL PROTECTED] wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? http://marc.theaimsgroup.com/?l=openbsd-tech&m=110242455717049&w=2 The Apache Software people refused to incorporate a lot of security features because it would make their Apache release incompatible with the Netware Operating System. So the Apache shipped with OpenBSD is not really the same as the one released by the Apache Project with the same version number. a lot while ago Henning had said that there was about 4000 lines of Code difference between the OpenBSD Apache and the one from Apache Project and Also that Apache2 is a Design Fault. Just some Info :-) Kind Regards -- Siju Oommen George, Network Consultant. HiFX IT MEDIA SERVICES PVT. LTD. http://www.hifx.net
Re: The Apache Question
Siju George wrote: a lot while ago Henning had said that there was about 4000 lines of Code difference between the OpenBSD Apache and the one from Apache Project and Also that Apache2 is a Design Fault. It is way past that now. Back in May 2005 it was already at 32,582 lines. http://marc.theaimsgroup.com/?l=openbsd-misc&m=111635541507728&w=2 I would bet, it is easily past 40K by now.