Re: Apache httpd 2.2.10 test tarballs available...

2008-10-09 Thread Jim Jagielski


On Oct 8, 2008, at 4:44 PM, Paul Querna wrote:


William A. Rowe, Jr. wrote:

Oden Eriksson wrote:

On Wednesday 08 October 2008 19:50:06, William A. Rowe, Jr. wrote:

Akins, Brian wrote:
On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
Sure sounds like this is a re-initialization of mysql, with apr and php
fighting for the honors.
I thought the official support of php was fastcgi only in httpd 2.2


Given the headaches he is encountering, I'd think that php-fastcgi would be
the ideal solution.
vhosting does not work very well with apache, without band-aids like fastcgi
etc. that's a shame.

If you mean mass vhosting of untrusted content, and are still letting authors
write perl and php without knowing where to hunt them down when their scripts
or they personally mess around in their in-process, non-sandbox environment,
you are being foolish.

In-process modperl/modphp is for hosting trusted content.  You'll have to give
them a very restricted language, such as sed or awk, if you want to keep their
fingers away from the dangerous buttons.  Or host them under [fast]cgi which
is what that environment is created for.


I agree completely.  Maybe we should finish our mod_proxy_fcgi module or
try to import mod_fcgid :-)


But, I don't have time to work on mod_proxy_fcgi.



H I'll take that on... Not that I have a lot of
time, but I'd also like to see it become viable.


So Can we ask the mod_fcgid project if we could import it?



If they are willing to change the license :)



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-09 Thread Greg Ames
On Tue, Oct 7, 2008 at 2:37 PM, Jim Jagielski [EMAIL PROTECTED] wrote:

 ... at the usual location:

http://httpd.apache.org/dev/dist/

 The availability of these test tarballs does not constitute
 an official release, however please download and test
 as a VOTE will be called for in the next few days regarding
 their release.


+1

AIX 5.3
z/OS 1.7

Greg


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-09 Thread William A. Rowe, Jr.
Jim Jagielski wrote:
 
 On Oct 8, 2008, at 4:44 PM, Paul Querna wrote:
 
 So Can we ask the mod_fcgid project if we could import it?
 
 If they are willing to change the license :)

You totally miss the point.  We aren't entirely clear if this author even
has the IP they claim to have (talk about IP import processes).

He claims GPL.  He adds no restrictions, and;

  6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

however, if the work was at all based on the code authored by the crew
for mod_fastcgi, as opposed to the coding logic of mod_fastcgi, we have;


This FastCGI application library source and object code (the
Software) and its documentation (the Documentation) are
copyrighted by Open Market, Inc (Open Market).  The following terms
apply to all files associated with the Software and Documentation
unless explicitly disclaimed in individual files.

Open Market permits you to use, copy, modify, distribute, and license
this Software and the Documentation solely for the purpose of
implementing the FastCGI specification defined by Open Market or
derivative specifications publicly endorsed by Open Market and
promulgated by an open standards organization and for no other
purpose, provided that existing copyright notices are retained in all
copies and that this notice is included verbatim in any distributions.

No written agreement, license, or royalty fee is required for any of
the authorized uses.  Modifications to this Software and Documentation
may be copyrighted by their authors and need not follow the licensing
terms described here, but the modified Software and Documentation must
be used for the sole purpose of implementing the FastCGI specification
defined by Open Market or derivative specifications publicly endorsed
by Open Market and promulgated by an open standards organization and
for no other purpose.  If modifications to this Software and
Documentation have new licensing terms, the new terms must protect Open
Market's proprietary rights in the Software and Documentation to the
same extent as these licensing terms and must be clearly indicated on
the first page of each file where they apply.

Open Market shall retain all right, title and interest in and to the
Software and Documentation, including without limitation all patent,
copyright, trade secret and other proprietary rights.

OPEN MARKET MAKES NO EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE
SOFTWARE OR THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  IN
NO EVENT SHALL OPEN MARKET BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY
DAMAGES ARISING FROM OR RELATING TO THIS SOFTWARE OR THE
DOCUMENTATION, INCLUDING, WITHOUT LIMITATION, ANY INDIRECT, SPECIAL OR
CONSEQUENTIAL DAMAGES OR SIMILAR DAMAGES, INCLUDING LOST PROFITS OR
LOST DATA, EVEN IF OPEN MARKET HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.  THE SOFTWARE AND DOCUMENTATION ARE PROVIDED AS IS.
OPEN MARKET HAS NO LIABILITY IN CONTRACT, TORT, NEGLIGENCE OR
OTHERWISE ARISING OUT OF THIS SOFTWARE OR THE DOCUMENTATION.
--

which is altogether out of sorts with either the GPL or the AL.

So before we ask the authors if they would relicense, we first need to
ask them if they've offered a legitimate license in the first place.


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Oden Eriksson
On Wednesday 08 October 2008 13:43:18, Oden Eriksson wrote:
 On Tuesday 07 October 2008 20:37:48, Jim Jagielski wrote:
  ... at the usual location:
 
  http://httpd.apache.org/dev/dist/
 
  The availability of these test tarballs does not constitute
  an official release, however please download and test
  as a VOTE will be called for in the next few days regarding
  their release.

 All tests (perl-framework) pass on Mandriva Cooker/2009.0 with system
 apr/apr-util latest stable versions.

But SNI didn't make it into 2.2.10 it seems.

-- 
Regards // Oden Eriksson



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Oden Eriksson
On Tuesday 07 October 2008 20:37:48, Jim Jagielski wrote:
 ... at the usual location:

   http://httpd.apache.org/dev/dist/

 The availability of these test tarballs does not constitute
 an official release, however please download and test
 as a VOTE will be called for in the next few days regarding
 their release.

All tests (perl-framework) pass on Mandriva Cooker/2009.0 with system
apr/apr-util latest stable versions.

-- 
Regards // Oden Eriksson



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Akins, Brian
On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:

 Sure sounds like this is a re-initialization of mysql, with apr and php
 fighting for the honors.

I thought the official support of php was fastcgi only in httpd 2.2 

-- 
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Ruediger Pluem


On 10/07/2008 08:37 PM, Jim Jagielski wrote:
 ... at the usual location:
 
 http://httpd.apache.org/dev/dist/
 
 The availability of these test tarballs does not constitute
 an official release, however please download and test
 as a VOTE will be called for in the next few days regarding
 their release.

+1 for release.

Tested on

Solaris 8 32 Bit build with gcc.
Solaris 9 32 Bit build with gcc.
Solaris 10 32 Bit build with gcc.
SuSE Linux 10.2 32 Bit
SuSE Linux 10.1 64 Bit
RHEL 4 32 Bit
RHEL 5 32 Bit
RHEL 4 64 Bit
RHEL 5 64 Bit

Regards

Rüdiger


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Eric Covener
On Wed, Oct 8, 2008 at 9:17 AM, Ruediger Pluem [EMAIL PROTECTED] wrote:


 On 10/07/2008 08:37 PM, Jim Jagielski wrote:
 ... at the usual location:

 http://httpd.apache.org/dev/dist/

 The availability of these test tarballs does not constitute
 an official release, however please download and test
 as a VOTE will be called for in the next few days regarding
 their release.


+1

sles9/s390 (31-bit) all tests pass
sles9/ppc (32-bit) all tests pass
solaris 10/amd64 (64-bit, sun studio) all tests pass

-- 
Eric Covener
[EMAIL PROTECTED]


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Jorge Schrauwen
Running fine for 1 day on gentoo.
Can't test on windows due to having no machine available.

~Jorge


On Wed, Oct 8, 2008 at 3:33 PM, Eric Covener [EMAIL PROTECTED] wrote:

 On Wed, Oct 8, 2008 at 9:17 AM, Ruediger Pluem [EMAIL PROTECTED] wrote:
 
 
  On 10/07/2008 08:37 PM, Jim Jagielski wrote:
  ... at the usual location:
 
  http://httpd.apache.org/dev/dist/
 
  The availability of these test tarballs does not constitute
  an official release, however please download and test
  as a VOTE will be called for in the next few days regarding
  their release.
 

 +1

 sles9/s390 (31-bit) all tests pass
 sles9/ppc (32-bit) all tests pass
 solaris 10/amd64 (64-bit, sun studio) all tests pass

 --
 Eric Covener
 [EMAIL PROTECTED]



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread William A. Rowe, Jr.
Akins, Brian wrote:
 On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
 
 Sure sounds like this is a re-initialization of mysql, with apr and php
 fighting for the honors.
 
 I thought the official support of php was fastcgi only in httpd 2.2 

Given the headaches he is encountering, I'd think that php-fastcgi would be
the ideal solution.


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Oden Eriksson
On Wednesday 08 October 2008 19:50:06, William A. Rowe, Jr. wrote:
 Akins, Brian wrote:
  On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
  Sure sounds like this is a re-initialization of mysql, with apr and php
  fighting for the honors.
 
  I thought the official support of php was fastcgi only in httpd 2.2
  

 Given the headaches he is encountering, I'd think that php-fastcgi would be
 the ideal solution.

vhosting does not work very well with apache, without band-aids like fastcgi 
etc. that's a shame.

-- 
Regards // Oden Eriksson



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Frank

Jim Jagielski wrote:

... at the usual location:

http://httpd.apache.org/dev/dist/
[...]



+1
solaris 10 on sparc (64-bit, sun studio 12) all tests passed


-0.4
for not including a solution for the 6-years-old issue 10744
(https://issues.apache.org/bugzilla/show_bug.cgi?id=10744)


-0.1
for not including an experimental/not supported version of SNI
for popularization of that technology


Regards,
frank


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Steffen
On Windows building fine and reports from the Apache Lounge community that 
all works without issues.


Steffen 



PHP was Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Akins, Brian
On 10/8/08 2:15 PM, Oden Eriksson [EMAIL PROTECTED] wrote:


 vhosting does not work very well with apache, without band-aids like fastcgi
 etc. that's a shame.

There is a rather lengthy list of reasons why mod_php doesn't work
correctly.  AFAIK, the official word has been to use fast-cgi for almost
3 years.  Most other major http servers have taken the same stance.  I
think we (httpd folks in general) have not done a good job of documenting
this. 

-- 
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies



Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Arturo 'Buanzo' Busleiman

Akins, Brian wrote:
 There is a rather lengthy list of reasons why mod_php doesn't work
 correctly.  AFAIK, the official word has been to use fast-cgi for almost
 3 years.  Most other major http servers have taken the same stance.  I
 think we (httpd folks in general) have not done a good job of documenting
 this. 

I've migrated all of my webservers to a mixture of Lighttpd and Nginx, BUT there are some PHP apps
that do not work ok with fcgi. For them I use Apache. I use a lot of Apache for reverse-proxy
setups, for instance, using lighttpd to serve static content, but keep Apache in the front for
mod_security, for example.

-- 
Arturo Buanzo Busleiman
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net


Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Paul Querna

Akins, Brian wrote:

On 10/8/08 2:15 PM, Oden Eriksson [EMAIL PROTECTED] wrote:



vhosting does not work very well with apache, without band-aids like fastcgi
etc. that's a shame.


There is a rather lengthy list of reasons why mod_php doesn't work
correctly.  AFAIK, the official word has been to use fast-cgi for almost
3 years.  Most other major http servers have taken the same stance.  I
think we (httpd folks in general) have not done a good job of documenting
this. 



We also don't have an in-tree fully supported FastCGI module.

*hint*

-Paul



Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Akins, Brian
This is getting off topic in dev, but...

On 10/8/08 4:17 PM, Arturo 'Buanzo' Busleiman [EMAIL PROTECTED]
wrote:

 I've migrated all of my webservers to a mixture of Lighttpd and Nginx,

Why?  The "apache is bloated and slow" argument is just plain incorrect.
(FWIW, I have nothing against either of those other than the FUD they spread
about apache.)

 BUT 
 there are some PHP apps
 that do not work ok with fcgi.

So, they wouldn't work on lighttpd, I suppose.

For them I use Apache. I use a lot of Apache
 for reverse-proxy
 setups, for instance, using lighttpd to serve static content, but keep Apache
 in the front for
 mod_security, for example.

Mod_security can front fastcgi quite easily.  There may be some instances
where it doesn't work for all types of rules. (?)

The point I was making is that php is not supported via mod_php in httpd
2.x.  Can you get it to work, yes, but if you ask a question in php-land they
will tell you use apache 1.3 or fastcgi. Same in httpd-land.  Since this
fact has not been well publicized, people keep using mod_php and php
developers never actually test their code under fast-cgi.

Should someone draft an official statement that can be put on
httpd.apache.org?  It would help if we included an implementation of
fast-cgi, as well. Or, at least, gave some links to the more popular one(s).

-- 
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread William A. Rowe, Jr.
Oden Eriksson wrote:
 On Wednesday 08 October 2008 19:50:06, William A. Rowe, Jr. wrote:
 Akins, Brian wrote:
 On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
 Sure sounds like this is a re-initialization of mysql, with apr and php
 fighting for the honors.
 I thought the official support of php was fastcgi only in httpd 2.2
 
 Given the headaches he is encountering, I'd think that php-fastcgi would be
 the ideal solution.
 
 vhosting does not work very well with apache, without band-aids like fastcgi 
 etc. that's a shame.

If you mean mass vhosting of untrusted content, and are still letting authors
write perl and php without knowing where to hunt them down when their scripts
or they personally mess around in their in-process, non-sandbox environment,
you are being foolish.

In-process modperl/modphp is for hosting trusted content.  You'll have to give
them a very restricted language, such as sed or awk, if you want to keep their
fingers away from the dangerous buttons.  Or host them under [fast]cgi which
is what that environment is created for.








Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Paul Querna

William A. Rowe, Jr. wrote:

Oden Eriksson wrote:

On Wednesday 08 October 2008 19:50:06, William A. Rowe, Jr. wrote:

Akins, Brian wrote:

On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:

Sure sounds like this is a re-initialization of mysql, with apr and php
fighting for the honors.

I thought the official support of php was fastcgi only in httpd 2.2


Given the headaches he is encountering, I'd think that php-fastcgi would be
the ideal solution.
vhosting does not work very well with apache, without band-aids like fastcgi 
etc. that's a shame.


If you mean mass vhosting of untrusted content, and are still letting authors
write perl and php without knowing where to hunt them down when their scripts
or they personally mess around in their in-process, non-sandbox environment,
you are being foolish.

In-process modperl/modphp is for hosting trusted content.  You'll have to give
them a very restricted language, such as sed or awk, if you want to keep their
fingers away from the dangerous buttons.  Or host them under [fast]cgi which
is what that environment is created for.


I agree completely.  Maybe we should finish our mod_proxy_fcgi module or 
try to import mod_fcgid :-)


But, I don't have time to work on mod_proxy_fcgi.

So Can we ask the mod_fcgid project if we could import it?

Discuss :-)

Thanks,

Paul


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread William A. Rowe, Jr.
Paul Querna wrote:
 
 I agree completely.  Maybe we should finish our mod_proxy_fcgi module or
 try to import mod_fcgid :-)
 
 But, I don't have time to work on mod_proxy_fcgi.
 
 So Can we ask the mod_fcgid project if we could import it?
 
 Discuss :-)

Neither the Open Market License nor GPL is sufficiently compatible
with the AL to import into svn.



Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...

2008-10-08 Thread Arturo 'Buanzo' Busleiman

Akins, Brian wrote:
 Why?  The "apache is bloated and slow" argument is just plain incorrect.
 (FWIW, I have nothing against either of those other than the FUD they spread
 about apache.)

Why? Two reasons:

1) To test and get to know them. It was real fun.
2) After testing, they proved much more efficient performance-wise, and they have some very useful
modules (mod_evasive, for instance).

From a completeness perspective, they still lack lots of the high-quality modules Apache has.

 So, they wouldn't work on lighttpd, I suppose.

Exactly, that's why I still use Apache for them. (example: pmwiki)

 Mod_security can front fastcgi quite easily.  There may be some instances
 where it doesn't work for all types of rules. (?)

I'd appreciate more information from you regarding this. Thanks!

-- 
Arturo Buanzo Busleiman
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net


Apache httpd 2.2.10 test tarballs available...

2008-10-07 Thread Jim Jagielski

... at the usual location:

http://httpd.apache.org/dev/dist/

The availability of these test tarballs does not constitute
an official release, however please download and test
as a VOTE will be called for in the next few days regarding
their release.


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-07 Thread William A. Rowe, Jr.
Res wrote:
 On Tue, 7 Oct 2008, Jim Jagielski wrote:
 
 ... at the usual location:

 http://httpd.apache.org/dev/dist/
 
 bug 45681  still occurs with this version

Is this truly using the built-in distributed apr-util or an apr-util you had
already installed on the system?  'which apu-1-config' or examining ldd of the
httpd binary might give a clue of which apr-util it's looking at.

If already installed, is the apr-util at 1.3.4?  If not, we know the earlier
apr-util can be broken in the way you describe.  Finally, the bug describes
loading php - but was php mysql support built as a loaded module or compiled
into a monolithic mod_php?


Re: Apache httpd 2.2.10 test tarballs available...

2008-10-07 Thread William A. Rowe, Jr.
Res wrote:
 
 php works fine always, if I unload php mod, DBD stuff works fine, if I
 rebuild apache with  --disable-util-dso everything together is fine.

Sure sounds like this is a re-initialization of mysql, with apr and php
fighting for the honors.  Does changing the load order of the php and
httpd mod_auth*_dbd/mod_dbd modules help things?

[My guess is no, dbd would always initialize late when it gets around to
processing the dbd configuration.]



Re: Apache httpd 2.2.10 test tarballs available...

2008-10-07 Thread William A. Rowe, Jr.
Res wrote:
 On Tue, 7 Oct 2008, William A. Rowe, Jr. wrote:
 
 Sure sounds like this is a re-initialization of mysql, with apr and php
 fighting for the honors.  Does changing the load order of the php and
 httpd mod_auth*_dbd/mod_dbd modules help things?
   ^^^ is built-in as I don't load them via conf,
 built in via enable-modules=all, as per the bug ticket.

If you don't build loadable modules, it makes no sense to build apr-util
with dso modules.  I think your workaround is correct and the incident
isn't necessarily a flaw.

There are millions of permutations of how to configure, and we can't
expect each and every to work.