MESSAGE
DATE | 2024-02-18
FROM | Joe Schaefer
TO | Mithun Bhattacharya
CC | mod_perl list
SUBJECT | Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users
LIST | Hangout (NYLXS Tech Talk and Politics), hangout-at-nylxs.com
NOTE | Originally sent Sun, 18 Feb 2024 16:42:42 -0500 to the modperl list at perl.apache.org; resent to the Hangout list by Ruben Safir on Sun, 18 Feb 2024 23:45:57 -0500
Would you trust any of them at this point?

I have a copy of svn trunk. I will never use anything they release, no matter what they call it.

Joe Schaefer, Ph.D.
Orion - The Enterprise Jamstack Wiki
954.253.3732

On Sun, Feb 18, 2024 at 4:41 PM Mithun Bhattacharya <mithnb-at-gmail.com> wrote:

> So it will be moved to retired I assume, or are they going to break their own rules and purge it altogether?
>
> On Sun, Feb 18, 2024, 3:33 PM Joe Schaefer wrote:
>
>> 2.18 will never be released. They are shutting down the project.
>>
>> Joe Schaefer, Ph.D.
>> Orion - The Enterprise Jamstack Wiki
>> 954.253.3732
>>
>> On Sun, Feb 18, 2024 at 4:32 PM Mithun Bhattacharya <mithnb-at-gmail.com> wrote:
>>
>>> Could you clarify this - 2.17 has a critical bug and 2.18 is about to come out which doesn't have a good enough patch, so how would trunk be any better?
>>>
>>> Also, how is this passing make test, or were the test cases modified to make the bug pass?
>>>
>>> On Sun, Feb 18, 2024, 1:12 PM Joe Schaefer wrote:
>>>
>>>> Trunk is the safe bet.
>>>>
>>>> Joe Schaefer, Ph.D.
>>>> Orion - The Enterprise Jamstack Wiki
>>>> 954.253.3732
>>>>
>>>> On Sun, Feb 18, 2024 at 2:11 PM Mithun Bhattacharya <mithnb-at-gmail.com> wrote:
>>>>
>>>>> So is there a cleaner/saner version of libapreq2, or is the 2012 version better?
>>>>>
>>>>> On Sun, Feb 18, 2024, 12:58 PM Joe Schaefer wrote:
>>>>>
>>>>>> For the past 25 years, I have been the lead developer of the libapreq2 subproject within the Apache HTTPd Server Parent Project. The original idea of libapreq as a safe/performant HTML form and Cookie parsing library came out of a collaboration between Lincoln Stein and Doug MacEachern in the late 90s.
>>>>>>
>>>>>> It was my vision back then to transform the library into a generic, non-Perl related C library that would support language bindings from other programming languages, which is why I pushed for the project to be homed under the HTTPd umbrella instead of the Apache-Perl project.
>>>>>>
>>>>>> While this vision was wildly successful, with language bindings available for several languages like Perl, TCL, R, etc., ever since about 2010 it's proven tragic for the existing user community consisting of all of them, not just Perl.
>>>>>>
>>>>>> What happened? Philip Gollucci, a Perl/FreeBSD colleague of mine at the time, started agitating that we promote the project to be released from inside the HTTPd server itself. What Philip didn't know very well back then was how utterly vapid and territorial that team had become, which would have meant having to collaborate with them directly on user-facing decisions about the code base.
>>>>>>
>>>>>> In 2012, Philip got what he wanted and I stopped resisting, so he forked the existing project and copied the C library components into HTTPd core.
>>>>>>
>>>>>> In 2016 I resigned from the Foundation en masse. You can guess the reasons.
>>>>>>
>>>>>> In 2020 or so, Google's Security Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots that needed repair.
>>>>>>
>>>>>> Instead of having the courtesy of reaching out to me, or anyone else involved in development of apreq, a junior engineer on the HTTPd team went about the business of "bug fixing" the vulnerabilities Google found. You can see a record of his trial and error work in every release since then.
>>>>>>
>>>>>> But the coup de grace was the 2022 release of 2.17, wherein the rookie developer purposely introduced a fatal bug into the codebase, breaking a fifteen year old regression test.
>>>>>>
>>>>>> If you are wondering how something with a broken regression test winds up on CPAN, you'll have to look into how RELENG is done in the server project.
>>>>>>
>>>>>> Long story short, they commented out the test and shipped it anyway, and called it a Security Release that fixed a vulnerability every prior release was susceptible to.
>>>>>>
>>>>>> Why do I care now? Because I'm the sucker users reach out to for answers as a known subject matter expert.
>>>>>>
>>>>>> This sucks, but I'm sorry to tell you that my days wearing the Superman cape at Apache ended 8 years ago.
>>>>>>
>>>>>> --
>>>>>> Joe Schaefer, Ph.D.
>>>>>> Orion - The Enterprise Jamstack Wiki
>>>>>> 954.253.3732
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout