Re: Apache httpd 2.2.10 test tarballs available...
On Oct 8, 2008, at 4:44 PM, Paul Querna wrote: William A. Rowe, Jr. wrote: Oden Eriksson wrote: Den Wednesday 08 October 2008 19:50:06 skrev William A. Rowe, Jr.: Akins, Brian wrote: On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. I thought the official support of php was fastcgi only in httpd 2.2 Given the headaches he is encountering, I'd think that php-fastcgi would be the ideal solution. vhosting does not work very well with apache, without band-aids like fastcgi etc. that's a shame. If you mean mass vhosting of untrusted content, and are still letting authors write perl and php without knowing where to hunt them down when their scripts or they personally mess around in their in-process, non-sandbox environment, you are being foolish. In-process modperl/modphp is for hosting trusted content. You'll have to give them a very restricted language, such as sed or awk, if you want to keep their fingers away from the dangerous buttons. Or host them under [fast]cgi which is what that environment is created for. I agree completely. Maybe we should finish our mod_proxy_fcgi module or try to import mod_fcgid :-) But, I don't have time to work on mod_proxy_fcgi. H I'll take that on... Not that I have a lot of time, but I'd also like to see it become viable. So Can we ask the mod_fcgid project if we could import it? If they are willing to change the license :)
Re: Apache httpd 2.2.10 test tarballs available...
On Tue, Oct 7, 2008 at 2:37 PM, Jim Jagielski [EMAIL PROTECTED] wrote: ... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release. +1 AIX 5.3 z/OS 1.7 Greg
Re: Apache httpd 2.2.10 test tarballs available...
Jim Jagielski wrote: On Oct 8, 2008, at 4:44 PM, Paul Querna wrote: So Can we ask the mod_fcgid project if we could import it? If they are willing to change the license :)

You totally miss the point. We aren't entirely clear if this author even has the IP they claim to have (talk about IP import processes). He claims GPL. He adds no restrictions, and;

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

however, if the work was at all based on the code authored by the crew for mod_fastcgi, as opposed to the coding logic of mod_fastcgi, we have;

This FastCGI application library source and object code (the Software) and its documentation (the Documentation) are copyrighted by Open Market, Inc (Open Market). The following terms apply to all files associated with the Software and Documentation unless explicitly disclaimed in individual files.

Open Market permits you to use, copy, modify, distribute, and license this Software and the Documentation solely for the purpose of implementing the FastCGI specification defined by Open Market or derivative specifications publicly endorsed by Open Market and promulgated by an open standards organization and for no other purpose, provided that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses.

Modifications to this Software and Documentation may be copyrighted by their authors and need not follow the licensing terms described here, but the modified Software and Documentation must be used for the sole purpose of implementing the FastCGI specification defined by Open Market or derivative specifications publicly endorsed by Open Market and promulgated by an open standards organization and for no other purpose. If modifications to this Software and Documentation have new licensing terms, the new terms must protect Open Market's proprietary rights in the Software and Documentation to the same extent as these licensing terms and must be clearly indicated on the first page of each file where they apply.

Open Market shall retain all right, title and interest in and to the Software and Documentation, including without limitation all patent, copyright, trade secret and other proprietary rights.

OPEN MARKET MAKES NO EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE SOFTWARE OR THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL OPEN MARKET BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DAMAGES ARISING FROM OR RELATING TO THIS SOFTWARE OR THE DOCUMENTATION, INCLUDING, WITHOUT LIMITATION, ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES OR SIMILAR DAMAGES, INCLUDING LOST PROFITS OR LOST DATA, EVEN IF OPEN MARKET HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOFTWARE AND DOCUMENTATION ARE PROVIDED AS IS. OPEN MARKET HAS NO LIABILITY IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE ARISING OUT OF THIS SOFTWARE OR THE DOCUMENTATION.

-- which is altogether out of sorts with either the GPL or the AL. So before we ask the authors if they would relicense, we first need to ask them if they've offered a legitimate license in the first place.
Re: Apache httpd 2.2.10 test tarballs available...
Den Wednesday 08 October 2008 13:43:18 skrev Oden Eriksson: Den Tuesday 07 October 2008 20:37:48 skrev Jim Jagielski: ... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release. All tests (perl-framework) pass on Mandriva Cooker/2009.0 with system apr/apr-util latest stable versions. But SNI didn't make it into 2.2.10 it seems. -- Regards // Oden Eriksson
Re: Apache httpd 2.2.10 test tarballs available...
Den Tuesday 07 October 2008 20:37:48 skrev Jim Jagielski: ... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release. All tests (perl-framework) pass on Mandriva Cooker/2009.0 with system apr/apr-util latest stable versions. -- Regards // Oden Eriksson
Re: Apache httpd 2.2.10 test tarballs available...
On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. I thought the official support of php was fastcgi only in httpd 2.2 -- Brian Akins Chief Operations Engineer Turner Digital Media Technologies
Re: Apache httpd 2.2.10 test tarballs available...
On 10/07/2008 08:37 PM, Jim Jagielski wrote: ... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release. +1 for release. Tested on Solaris 8 32 Bit build with gcc. Solaris 9 32 Bit build with gcc. Solaris 10 32 Bit build with gcc. SuSE Linux 10.2 32 Bit SuSE Linux 10.1 64 Bit RHEL 4 32 Bit RHEL 5 32 Bit RHEL 4 64 Bit RHEL 5 64 Bit Regards Rüdiger
Re: Apache httpd 2.2.10 test tarballs available...
On Wed, Oct 8, 2008 at 9:17 AM, Ruediger Pluem [EMAIL PROTECTED] wrote: On 10/07/2008 08:37 PM, Jim Jagielski wrote: ... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release. +1 sles9/s390 (31-bit) all tests pass sles9/ppc (32-bit) all tests pass solaris 10/amd64 (64-bit, sun studio) all tests pass -- Eric Covener [EMAIL PROTECTED]
Re: Apache httpd 2.2.10 test tarballs available...
Running fine for 1 day on gentoo. Can't test on windows due to having no machine available. ~Jorge On Wed, Oct 8, 2008 at 3:33 PM, Eric Covener [EMAIL PROTECTED] wrote: On Wed, Oct 8, 2008 at 9:17 AM, Ruediger Pluem [EMAIL PROTECTED] wrote: On 10/07/2008 08:37 PM, Jim Jagielski wrote: ... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release. +1 sles9/s390 (31-bit) all tests pass sles9/ppc (32-bit) all tests pass solaris 10/amd64 (64-bit, sun studio) all tests pass -- Eric Covener [EMAIL PROTECTED]
Re: Apache httpd 2.2.10 test tarballs available...
Akins, Brian wrote: On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. I thought the official support of php was fastcgi only in httpd 2.2 Given the headaches he is encountering, I'd think that php-fastcgi would be the ideal solution.
Re: Apache httpd 2.2.10 test tarballs available...
Den Wednesday 08 October 2008 19:50:06 skrev William A. Rowe, Jr.: Akins, Brian wrote: On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. I thought the official support of php was fastcgi only in httpd 2.2 Given the headaches he is encountering, I'd think that php-fastcgi would be the ideal solution. vhosting does not work very well with apache, without band-aids like fastcgi etc. that's a shame. -- Regards // Oden Eriksson
Re: Apache httpd 2.2.10 test tarballs available...
Jim Jagielski wrote: ... at the usual location: http://httpd.apache.org/dev/dist/ [...] +1 solaris 10 on sparc (64-bit, sun studio 12) all tests passed -0.4 for not including a solution for the 6-years-old issue 10744 (https://issues.apache.org/bugzilla/show_bug.cgi?id=10744) -0.1 for not including an experimental/not supported version of SNI for popularization of that technology Regards, frank
Re: Apache httpd 2.2.10 test tarballs available...
On Windows building fine and reports from the Apache Lounge community that all works without issues. Steffen
PHP was Re: Apache httpd 2.2.10 test tarballs available...
On 10/8/08 2:15 PM, Oden Eriksson [EMAIL PROTECTED] wrote: vhosting does not work very well with apache, without band-aids like fastcgi etc. that's a shame. There is a rather lengthy list of reasons why mod_php doesn't work correctly. AFAIK, the official word has been to use fast-cgi for almost 3 years. Most other major http servers have taken the same stance. I think we (httpd folks in general) have not done a good job of documenting this. -- Brian Akins Chief Operations Engineer Turner Digital Media Technologies
Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...
Akins, Brian wrote: There is a rather lengthy list of reasons why mod_php doesn't work correctly. AFAIK, the official word has been to use fast-cgi for almost 3 years. Most other major http servers have taken the same stance. I think we (httpd folks in general) have not done a good job of documenting this. I've migrated all of my webservers to a mixture of Lighttpd and Nginx, BUT there are some PHP apps that do not work ok with fcgi. For them I use Apache. I use a lot of Apache for reverse-proxy setups, for instance, using lighttpd to serve static content, but keep Apache in the front for mod_security, for example. -- Arturo Buanzo Busleiman Independent Linux and Security Consultant - SANS - OISSG - OWASP http://www.buanzo.com.ar/pro/eng.html Mailing List Archives at http://archiver.mailfighter.net
Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...
Akins, Brian wrote: On 10/8/08 2:15 PM, Oden Eriksson [EMAIL PROTECTED] wrote: vhosting does not work very well with apache, without band-aids like fastcgi etc. that's a shame. There is a rather lengthy list of reasons why mod_php doesn't work correctly. AFAIK, the official word has been to use fast-cgi for almost 3 years. Most other major http servers have taken the same stance. I think we (httpd folks in general) have not done a good job of documenting this. We also don't have an in-tree fully supported FastCGI module. *hint* -Paul
Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...
This is getting off topic in dev, but... On 10/8/08 4:17 PM, Arturo 'Buanzo' Busleiman [EMAIL PROTECTED] wrote: I've migrated all of my webservers to a mixture of Lighttpd and Nginx, Why? The apache is bloated and slow argument is just plain incorrect. (FWIW, I have nothing against either of those other than the FUD they spread about apache.) BUT there are some PHP apps that do not work ok with fcgi. So, they wouldn't work on lighttpd, I suppose. For them I use Apache. I use a lot of Apache for reverse-proxy setups, for instance, using lighttpd to serve static content, but keep Apache in the front for mod_security, for example. Mod_security can front fastcgi quite easily. There may be some instances where it doesn't work for all types of rules. (?) The point I was making is that php is not supported via mod_php in httpd 2.x. Can you get it to work, yes, but if you ask a question in php-land they will tell you use apache 1.3 or fastcgi. Same in httpd-land. Since this fact has not been well publicized, people keep using mod_php and php developers never actually test their code under fast-cgi. Should someone draft an official statement that can be put on httpd.apache.org? It would help if we included an implementation of fast-cgi, as well. Or, at least, gave some links to the more popular one(s). -- Brian Akins Chief Operations Engineer Turner Digital Media Technologies
Re: Apache httpd 2.2.10 test tarballs available...
Oden Eriksson wrote: Den Wednesday 08 October 2008 19:50:06 skrev William A. Rowe, Jr.: Akins, Brian wrote: On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. I thought the official support of php was fastcgi only in httpd 2.2 Given the headaches he is encountering, I'd think that php-fastcgi would be the ideal solution. vhosting does not work very well with apache, without band-aids like fastcgi etc. that's a shame. If you mean mass vhosting of untrusted content, and are still letting authors write perl and php without knowing where to hunt them down when their scripts or they personally mess around in their in-process, non-sandbox environment, you are being foolish. In-process modperl/modphp is for hosting trusted content. You'll have to give them a very restricted language, such as sed or awk, if you want to keep their fingers away from the dangerous buttons. Or host them under [fast]cgi which is what that environment is created for.
Re: Apache httpd 2.2.10 test tarballs available...
William A. Rowe, Jr. wrote: Oden Eriksson wrote: Den Wednesday 08 October 2008 19:50:06 skrev William A. Rowe, Jr.: Akins, Brian wrote: On 10/7/08 8:49 PM, William A. Rowe, Jr. [EMAIL PROTECTED] wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. I thought the official support of php was fastcgi only in httpd 2.2 Given the headaches he is encountering, I'd think that php-fastcgi would be the ideal solution. vhosting does not work very well with apache, without band-aids like fastcgi etc. that's a shame. If you mean mass vhosting of untrusted content, and are still letting authors write perl and php without knowing where to hunt them down when their scripts or they personally mess around in their in-process, non-sandbox environment, you are being foolish. In-process modperl/modphp is for hosting trusted content. You'll have to give them a very restricted language, such as sed or awk, if you want to keep their fingers away from the dangerous buttons. Or host them under [fast]cgi which is what that environment is created for. I agree completely. Maybe we should finish our mod_proxy_fcgi module or try to import mod_fcgid :-) But, I don't have time to work on mod_proxy_fcgi. So Can we ask the mod_fcgid project if we could import it? Discuss :-) Thanks, Paul
Re: Apache httpd 2.2.10 test tarballs available...
Paul Querna wrote: I agree completely. Maybe we should finish our mod_proxy_fcgi module or try to import mod_fcgid :-) But, I don't have time to work on mod_proxy_fcgi. So Can we ask the mod_fcgid project if we could import it? Discuss :-) Neither the Open Market License nor GPL is sufficiently compatible with the AL to import into svn.
Re: PHP was Re: Apache httpd 2.2.10 test tarballs available...
Akins, Brian wrote: Why? The apache is bloated and slow argument is just plain incorrect. (FWIW, I have nothing against either of those other than the FUD they spread about apache.) Why? Two reasons: 1) To test and get to know them. It was real fun. 2) After testing, they proved much more efficient performance-wise, and they have some very useful modules (mod_evasive, for instance). From a completeness perspective, they still lack lots of the high-quality modules Apache has. So, they wouldn't work on lighttpd, I suppose. Exactly, that's why I still use Apache for them. (example: pmwiki) Mod_security can front fastcgi quite easily. There may be some instances where it doesn't work for all types of rules. (?) I'd appreciate more information from you regarding this. Thanks! -- Arturo Buanzo Busleiman Independent Linux and Security Consultant - SANS - OISSG - OWASP http://www.buanzo.com.ar/pro/eng.html Mailing List Archives at http://archiver.mailfighter.net
Apache httpd 2.2.10 test tarballs available...
... at the usual location: http://httpd.apache.org/dev/dist/ The availability of these test tarballs does not constitute an official release, however please download and test as a VOTE will be called for in the next few days regarding their release.
Re: Apache httpd 2.2.10 test tarballs available...
Res wrote: On Tue, 7 Oct 2008, Jim Jagielski wrote: ... at the usual location: http://httpd.apache.org/dev/dist/ bug 45681 still occurs with this version Is this truly using the built-in distributed apr-util or an apr-util you had already installed on the system? 'which apu-1-config' or examining ldd of the httpd binary might give a clue of which apr-util it's looking at. If already installed, is the apr-util at 1.3.4? If not, we know the earlier apr-util can be broken in the way you describe. Finally, the bug describes loading php - but was php mysql support built as a loaded module or compiled into a monolithic mod_php?
Re: Apache httpd 2.2.10 test tarballs available...
Res wrote: php works fine always, if I unload php mod, DBD stuff works fine, if I rebuild apache with --disable-util-dso everything together is fine. Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. Does changing the load order of the php and httpd mod_auth*_dbd/mod_dbd modules help things? [My guess is no, dbd would always initialize late when it gets around to processing the dbd configuration.]
Re: Apache httpd 2.2.10 test tarballs available...
Res wrote: On Tue, 7 Oct 2008, William A. Rowe, Jr. wrote: Sure sounds like this is a re-initialization of mysql, with apr and php fighting for the honors. Does changing the load order of the php and httpd mod_auth*_dbd/mod_dbd modules help things? ^^^ is built-in as I don't load them via conf, built in via enable-modules=all, as per the bug ticket. If you don't build loadable modules, it makes no sense to build apr-util with dso modules. I think your workaround is correct and the incident isn't necessarily a flaw. There are millions of permutations of how to configure, and we can't expect each and every to work.