Thu Nov 21 23:13:30 2024
NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your piece.

DATE 2024-02-01

HANGOUT


MESSAGE
DATE 2024-02-18
FROM Mithun Bhattacharya
SUBJECT Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
From hangout-bounces-at-nylxs.com Sun Feb 18 23:47:01 2024
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: from www2.mrbrklyn.com (www2.mrbrklyn.com [96.57.23.82])
by mrbrklyn.com (Postfix) with ESMTP id 9FBCB1640BD;
Sun, 18 Feb 2024 23:46:59 -0500 (EST)
X-Original-To: hangout-at-www2.mrbrklyn.com
Delivered-To: hangout-at-www2.mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 1000)
id B8E091640B5; Sun, 18 Feb 2024 23:45:58 -0500 (EST)
Resent-From: Ruben Safir
Resent-Date: Sun, 18 Feb 2024 23:45:58 -0500
Resent-Message-ID: <20240219044558.GG20445-at-www2.mrbrklyn.com>
Resent-To: hangout-at-mrbrklyn.com
X-Original-To: ruben-at-mrbrklyn.com
Delivered-To: ruben-at-mrbrklyn.com
Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org
[3.227.148.255])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "*.apache.org",
Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified))
by mrbrklyn.com (Postfix) with ESMTPS id 78ECA1640A3
for ; Sun, 18 Feb 2024 14:12:05 -0500 (EST)
Received: from mail.apache.org (mailgw-he-de.apache.org [116.203.246.181])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(No client certificate requested)
by mxout1-ec2-va.apache.org (ASF Mail Server at mxout1-ec2-va.apache.org) with
ESMTPS id D91704561D
for ; Sun, 18 Feb 2024 19:12:04 +0000 (UTC)
Received: (qmail 1291238 invoked by uid 998); 18 Feb 2024 19:11:59 -0000
Mailing-List: contact modperl-help-at-perl.apache.org; run by ezmlm
Precedence: bulk
Delivered-To: mailing list modperl-at-perl.apache.org
Received: (qmail 1291225 invoked by uid 116); 18 Feb 2024 19:11:58 -0000
Received: from spamproc1-he-de.apache.org (HELO spamproc1-he-de.apache.org)
(116.203.196.100)
by apache.org (qpsmtpd/0.94) with ESMTP; Sun, 18 Feb 2024 19:11:58 +0000
Authentication-Results: apache.org; auth=none
Received: from localhost (localhost [127.0.0.1])
by spamproc1-he-de.apache.org (ASF Mail Server at spamproc1-he-de.apache.org)
with ESMTP id C0B351FFCB2
for ; Sun, 18 Feb 2024 19:11:58 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamproc1-he-de.apache.org
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level:
X-Spam-Status: No, score=-5 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.2, RCVD_IN_DNSWL_HI=-5,
SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01,
URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamproc1-he-de.apache.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-he-de.apache.org ([116.203.227.195])
by localhost (spamproc1-he-de.apache.org [116.203.196.100]) (amavisd-new,
port 10024) with ESMTP id 0NfJzn6PCaLd for ;
Sun, 18 Feb 2024 19:11:58 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=2607:f8b0:4864:20::931; helo=mail-ua1-x931.google.com;
envelope-from=mithnb-at-gmail.com; receiver=
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com
[IPv6:2607:f8b0:4864:20::931])
by mx1-he-de.apache.org (ASF Mail Server at mx1-he-de.apache.org) with ESMTPS
id 079527E61A
for ; Sun, 18 Feb 2024 19:11:57 +0000 (UTC)
Received: by mail-ua1-x931.google.com with SMTP id
a1e0cc1a2514c-7d2e19120b5so1982504241.2
for ; Sun, 18 Feb 2024 11:11:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1708283516; x=1708888316; darn=perl.apache.org;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:from:to:cc:subject:date:message-id:reply-to;
bh=/5x6Un/Ux80pZFLFktkvktydoyh+869ymgIbsV/ZAtA=;
b=FKiDwhiTDPLJr0GBE933o1KsLVw7XeksIk4r5ObuEK/oVsj8Ko+/gwpez9qvISK0F3
0W16C2qbj1fJZ28uXhlz4QI0fzXrZkLu9URRFKnMmLWM1+rnRFvDrYb2KtrotbqjYMvI
+3PlR8NnTwpQ3peZmeaZr4NJGAEy6rkexCzZPcEon/zA8vcaBK7aouL/5nGX26IYbSEx
WlASw9P/2EHNxesd1UxkdaV88xiukwAmfi6okfq/dS90BWWq+na5VxP9f9Zeok6mgPUf
RcSWUUF26s6jG/AC6BbDlln+TOsSfiLXEaSPPCaYtCLuJ/MoHIs3k/fiIZrTd0h3/b+F
6wLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1708283516; x=1708888316;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=/5x6Un/Ux80pZFLFktkvktydoyh+869ymgIbsV/ZAtA=;
b=Wa+8ygkq1g9v97p5OCR6t4XfI0aak5Vp6Dz5g7gzjriwlXHpjKVyzCLNG8OecfgNUt
zITqfPwSf1NoGO/y4u1h5Ua42G5Wu0uB3s/tLkJcfBR6yq56++w2GNbR3zbSN+AjyTN0
zUVKKIsPaRCau3hjPmndgilbMCzXFS8ZRTZUOc5mHonOIN1oLGPBzaDQhp3xkazmKY8q
KazWjG0WERjFx/9xInosn8O6DE/f6Y3wwhHWYxQv5c4XjTuuXbhXkMMG55YnyNw4pxbt
/Da/Je2SYjO/H7I1lrlzWigPV/4fQzIlpzslp/zf+VtpEg4VxBT2COYgPfgxw5U1jHPJ
qsdQ==
X-Gm-Message-State: AOJu0Yxku9yveDK0hNbcatqRerIUOUlo0oYMkDK133Mn2m0eUD6uUUlm
zqixhp5fezb2fToGyrcCMRXLYCTHVnpVcUit3kOf/FUT+dyC2Atf+p9qfSrevHLGlYaEfJc5RvA
16wdlZkqcN7jRAzIwfgdiAZ4brPhszGFC
X-Google-Smtp-Source: AGHT+IEQxh48vKiq//iiBaKQ3Ih+mNOfu/WBF7TgfwyiBlQeU8LR3KIKQpIL2I27UKe3xPFcuEup+S4OvRsKHoO4ILQ=
X-Received: by 2002:a05:6102:12c7:b0:470:390d:41d8 with SMTP id
jd7-20020a05610212c700b00470390d41d8mr3913164vsb.27.1708283516479; Sun, 18
Feb 2024 11:11:56 -0800 (PST)
MIME-Version: 1.0
References:

In-Reply-To:
From: Mithun Bhattacharya
Date: Sun, 18 Feb 2024 13:11:44 -0600
Message-ID:
To: mod_perl list
Subject: Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
Apache2::Request users
X-BeenThere: hangout-at-nylxs.com
X-Mailman-Version: 2.1.30rc1
List-Id: NYLXS Tech Talk and Politics
List-Unsubscribe: ,

List-Archive:
List-Post:
List-Help:
List-Subscribe: ,

Content-Type: multipart/mixed; boundary="===============1719543133=="
Errors-To: hangout-bounces-at-nylxs.com
Sender: "Hangout"

Also thank you for the library!

On Sun, Feb 18, 2024, 1:11 PM Mithun Bhattacharya <mithnb-at-gmail.com> wrote:

> So is there a cleaner/saner version of libapreq2 or is the 2012 version
> better?
>
> On Sun, Feb 18, 2024, 12:58 PM Joe Schaefer <joe-at-sunstarsys.com> wrote:
>
>> For the past 25 years, I have been the lead developer of the libapreq2
>> subproject within the Apache HTTPd Server Parent Project. The original idea
>> of libapreq as a safe/performant HTML form and Cookie parsing library came
>> out of a collaboration between Lincoln Stein and Doug MacEachern in the
>> late 90s.
>>
>> It was my vision back then to transform the library into a generic,
>> non-Perl related C library that would support language bindings from other
>> programming languages, which is why I pushed for the project to be homed
>> under the HTTPd umbrella instead of the Apache-Perl project.
>>
>> While this vision was wildly successful, with language bindings available
>> for several languages like Perl, TCL, R, etc, ever since about 2010 it’s
>> proven tragic for the existing user community consisting of all of them,
>> not just Perl.
>>
>> What happened? Philip Gollucci, a Perl/FreeBSD colleague of mine at the
>> time, started agitating that we promote the project to be released from
>> inside the HTTPd server itself. What Philip didn’t know very well back then
>> was how utterly vapid and territorial that team had become, which would
>> have meant having to collaborate with them directly on user-facing
>> decisions about the code base.
>>
>> In 2012, Philip got what he wanted and I stopped resisting, so he forked
>> the existing project and copied the C library components into HTTPd core.
>>
>> In 2016 I resigned from the Foundation en masse. You can guess the
>> reasons.
>>
>> In 2020 or so, Google’s Security Team took advantage of an alpha release
>> of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few
>> hotspots that needed repair.
>>
>> Instead of having the courtesy of reaching out to me, or anyone else
>> involved in development of apreq, a junior engineer on the HTTPd team went
>> about the business of “bug fixing” the vulnerabilities Google found. You
>> can see a record of his trial and error work in every release since then.
>>
>> But the coup de grace was the 2022 release of 2.17, wherein the rookie
>> developer purposely introduced a fatal bug into the codebase, breaking a
>> fifteen year old regression test.
>>
>> If you are wondering how something with a broken regression test winds up
>> on CPAN, you’ll have to look into how RELENG is done in the server project.
>>
>> Long story short, they commented out the test and shipped it anyway, and
>> called it a Security Release that fixed a vulnerability every prior release
>> was susceptible to.
>>
>> Why do I care now? Because I’m the sucker users reach out to for answers
>> as a known subject matter expert.
>>
>> This sucks, but I’m sorry to tell you that my days wearing the Superman
>> cape at Apache ended 8 years ago.
>>
>> --
>> Joe Schaefer, Ph.D.
>>
>> Orion - The Enterprise Jamstack Wiki
>>
>> 954.253.3732

_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout


  1. 2024-02-01 From: "Free Software Foundation" <info-at-fsf.org> Subject: [Hangout - NYLXS] Free Software Supporter -- Issue 190,
  2. 2024-02-01 Sandy Dave <sandy-at-esolvit.com> Subject: [Hangout - NYLXS] (#4976) Front-End Web Developer/Web Designer in
  3. 2024-02-05 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #654 - Perl and FOSDEM
  4. 2024-02-07 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Censorship has always been part of the publishing
  5. 2024-02-08 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Look below for the key paragraph here - note we
  6. 2024-02-08 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Indian response to Muslim Imperialism
  7. 2024-02-08 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Anything they want to do, they just do...
  8. 2024-02-09 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] odoo - if it is hallf of what they say it is
  9. 2024-02-11 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] the depths of the Nazi involvement with the UN in
  10. 2024-02-11 mayer ilovitz <pmamayeri-at-gmail.com> Re: [Hangout - NYLXS] the depths of the Nazi involvement with the
  11. 2024-02-11 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Tech and archeology
  12. 2024-02-12 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] The Hezbollah Threat - why war in the north can
  13. 2024-02-13 NYOUG <execdir-at-nyoug.org> Subject: [Hangout - NYLXS] Upcoming Events for Oracle Professionals
  14. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] It is open so it much be good. What can go wrong
  15. 2024-02-14 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] putting the NY CD 3 special election into
  16. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] this really just needs to be seen without my
  17. 2024-02-15 mayer ilovitz <pmamayeri-at-gmail.com> Re: [Hangout - NYLXS] this really just needs to be seen without my
  18. 2024-02-15 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] =?utf-8?q?washingtonpost=2Ecom_12/14/24=3A_?=
  19. 2024-02-16 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] [gcc-bugs-at-gcc.gnu.org: ` ` Piano ` `]
  20. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  21. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  22. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  23. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  24. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  25. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  26. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  27. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  28. 2024-02-15 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] static code analysis for Perl5 code?
  29. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  30. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request
  31. 2024-02-15 Joseph He <joseph.he.2008-at-gmail.com> Subject: [Hangout - NYLXS] static code analysis for Perl5 code?
  32. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  33. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  34. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  35. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  36. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  37. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Subject: [Hangout - NYLXS] Case-sensitive $r->param?
  38. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  39. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  40. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  41. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  42. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Reviving the mod_perl social network
  43. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  44. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  45. 2024-02-13 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Config Primer on mod_perl with mpm_event
  46. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  47. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  48. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  49. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  50. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  51. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  52. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  53. 2024-02-15 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] static code analysis for Perl5 code?
  54. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request
  55. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  56. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  57. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  58. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  59. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  60. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  61. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Reviving the mod_perl social network
  62. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  63. 2024-02-15 Joseph He <joseph.he.2008-at-gmail.com> Subject: [Hangout - NYLXS] static code analysis for Perl5 code?
  64. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  65. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  66. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Subject: [Hangout - NYLXS] Case-sensitive $r->param?
  67. 2024-02-13 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Config Primer on mod_perl with mpm_event
  68. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  69. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  70. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  71. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  72. 2024-02-19 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #656 - Perl Conference
  73. 2024-02-19 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #656 - Perl Conference
  74. 2024-02-19 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] JP 2/19/24: The Truth About the Dearborn Jihad
  75. 2024-02-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] kashmir
  76. 2024-02-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] ill let you figure this out..
  77. 2024-02-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Non-systemd Distos
  78. 2024-02-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Lets play a game - what is this crap
  79. 2024-02-20 NYOUG <execdir-at-nyoug.org> Subject: [Hangout - NYLXS] Upcoming Events for Oracle Professionals
  80. 2024-02-21 James E Keenan <jkeenan-at-pobox.com> Subject: [Hangout - NYLXS] March 11 NY Perlmongers Social Meeting - Peculier
  81. 2024-02-22 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Massive Russian Cyber Attack paralizes healthcare
  82. 2024-02-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Just can not get right and wrong straigt
  83. 2024-02-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] cudu is being "open sourced"
  84. 2024-02-23 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] rembrandts
  85. 2024-02-23 Evgeny Grin <k2k-at-narod.ru> Subject: [Hangout - NYLXS] GNU libmicrohttpd v1.0.1 released
  86. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] firefox security and webassembly and VMS
  87. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] FWIW - from my daughter..
  88. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Listening to it in first account is very sobbering
  89. 2024-02-27 From: "Miriam Bastian, FSF" <info-at-fsf.org> Subject: [Hangout - NYLXS] Exciting talks, hands-on workshops,
  90. 2024-02-26 Touro Graduate School of Technology <info.gst-at-touro.edu> Subject: [Hangout - NYLXS] Workshop Tonight: Ethics In AI Workshop : Feb
  91. 2024-02-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Donate $20 and put your name up
  92. 2024-02-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Fwd: Contracting News: February 2024 Vendor
  93. 2024-02-29 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Swoden and the 4th amendment and this President
  94. 2024-02-24 Walt Mankowski <waltman-at-pobox.com> Re: [Hangout - NYLXS] March 11 NY Perlmongers Social Meeting -