MESSAGE
DATE: 2024-02-18
FROM: Mithun Bhattacharya
SUBJECT: Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users
From: Mithun Bhattacharya
Date: Sun, 18 Feb 2024 15:40:51 -0600
To: mod_perl list (modperl-at-perl.apache.org)
Subject: Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users
Resent-From: Ruben Safir
Resent-Date: Sun, 18 Feb 2024 23:45:57 -0500
Resent-To: hangout-at-mrbrklyn.com
List-Id: NYLXS Tech Talk and Politics
So it will be moved to retired I assume, or are they going to break their own rules and purge it altogether?

On Sun, Feb 18, 2024, 3:33 PM Joe Schaefer wrote:

> 2.18 will never be released. They are shutting down the project.
>
> Joe Schaefer, Ph.D.
> Orion - The Enterprise Jamstack Wiki
> 954.253.3732
>
> On Sun, Feb 18, 2024 at 4:32 PM Mithun Bhattacharya wrote:
>
>> Could you clarify this - 2.17 has a critical bug and 2.18 is about to come out which doesn't have a good enough patch, so how would trunk be any better?
>>
>> Also, how is this passing make test, or were the test cases modified to make the bug pass?
>>
>> On Sun, Feb 18, 2024, 1:12 PM Joe Schaefer wrote:
>>
>>> Trunk is the safe bet.
>>>
>>> Joe Schaefer, Ph.D.
>>> Orion - The Enterprise Jamstack Wiki
>>> 954.253.3732
>>>
>>> On Sun, Feb 18, 2024 at 2:11 PM Mithun Bhattacharya wrote:
>>>
>>>> So is there a cleaner/saner version of libapreq2, or is the 2012 version better?
>>>>
>>>> On Sun, Feb 18, 2024, 12:58 PM Joe Schaefer wrote:
>>>>
>>>>> For the past 25 years, I have been the lead developer of the libapreq2 subproject within the Apache HTTPd Server Parent Project. The original idea of libapreq as a safe/performant HTML form and Cookie parsing library came out of a collaboration between Lincoln Stein and Doug MacEachern in the late 90s.
>>>>>
>>>>> It was my vision back then to transform the library into a generic, non-Perl related C library that would support language bindings from other programming languages, which is why I pushed for the project to be homed under the HTTPd umbrella instead of the Apache-Perl project.
>>>>>
>>>>> While this vision was wildly successful, with language bindings available for several languages like Perl, TCL, R, etc., ever since about 2010 it's proven tragic for the existing user community consisting of all of them, not just Perl.
>>>>>
>>>>> What happened? Philip Gollucci, a Perl/FreeBSD colleague of mine at the time, started agitating that we promote the project to be released from inside the HTTPd server itself. What Philip didn't know very well back then was how utterly vapid and territorial that team had become, which would have meant having to collaborate with them directly on user-facing decisions about the code base.
>>>>>
>>>>> In 2012, Philip got what he wanted and I stopped resisting, so he forked the existing project and copied the C library components into HTTPd core.
>>>>>
>>>>> In 2016 I resigned from the Foundation en masse. You can guess the reasons.
>>>>>
>>>>> In 2020 or so, Google's Security Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots that needed repair.
>>>>>
>>>>> Instead of having the courtesy of reaching out to me, or anyone else involved in development of apreq, a junior engineer on the HTTPd team went about the business of "bug fixing" the vulnerabilities Google found. You can see a record of his trial and error work in every release since then.
>>>>>
>>>>> But the coup de grace was the 2022 release of 2.17, wherein the rookie developer purposely introduced a fatal bug into the codebase, breaking a fifteen year old regression test.
>>>>>
>>>>> If you are wondering how something with a broken regression test winds up on CPAN, you'll have to look into how RELENG is done in the server project.
>>>>>
>>>>> Long story short, they commented out the test and shipped it anyway, and called it a Security Release that fixed a vulnerability every prior release was susceptible to.
>>>>>
>>>>> Why do I care now? Because I'm the sucker users reach out to for answers as a known subject matter expert.
>>>>>
>>>>> This sucks, but I'm sorry to tell you that my days wearing the Superman cape at Apache ended 8 years ago.
>>>>>
>>>>> --
>>>>> Joe Schaefer, Ph.D.
>>>>> Orion - The Enterprise Jamstack Wiki
>>>>> 954.253.3732
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout