MESSAGE
DATE | 2024-02-18 |
FROM | Mithun Bhattacharya |
SUBJECT | Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users |
Could you clarify this - 2.17 has a critical bug and 2.18 is about to come out which doesn't have a good enough patch, so how would trunk be any better?

Also how is this passing make test, or were the test cases modified to make the bug pass?
On Sun, Feb 18, 2024, 1:12 PM Joe Schaefer wrote:

> Trunk is the safe bet.
>
> Joe Schaefer, Ph.D.
>
> Orion - The Enterprise Jamstack Wiki
>
> 954.253.3732
>
> On Sun, Feb 18, 2024 at 2:11 PM Mithun Bhattacharya wrote:
>
>> So is there a cleaner/saner version of libapreq2 or is the 2012 version better?
>>
>> On Sun, Feb 18, 2024, 12:58 PM Joe Schaefer wrote:
>>
>>> For the past 25 years, I have been the lead developer of the libapreq2 subproject within the Apache HTTPd Server Parent Project. The original idea of libapreq as a safe/performant HTML form and Cookie parsing library came out of a collaboration between Lincoln Stein and Doug MacEachern in the late 90s.
>>>
>>> It was my vision back then to transform the library into a generic, non-Perl related C library that would support language bindings from other programming languages, which is why I pushed for the project to be homed under the HTTPd umbrella instead of the Apache-Perl project.
>>>
>>> While this vision was wildly successful, with language bindings available for several languages like Perl, TCL, R, etc, ever since about 2010 it's proven tragic for the existing user community consisting of all of them, not just Perl.
>>>
>>> What happened? Philip Gollucci, a Perl/FreeBSD colleague of mine at the time, started agitating that we promote the project to be released from inside the HTTPd server itself. What Philip didn't know very well back then was how utterly vapid and territorial that team had become, which would have meant having to collaborate with them directly on user-facing decisions about the code base.
>>>
>>> In 2012, Philip got what he wanted and I stopped resisting, so he forked the existing project and copied the C library components into HTTPd core.
>>>
>>> In 2016 I resigned from the Foundation en masse. You can guess the reasons.
>>>
>>> In 2020 or so, Google's Security Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots that needed repair.
>>>
>>> Instead of having the courtesy of reaching out to me, or anyone else involved in development of apreq, a junior engineer on the HTTPd team went about the business of "bug fixing" the vulnerabilities Google found. You can see a record of his trial and error work in every release since then.
>>>
>>> But the coup de grace was the 2022 release of 2.17, wherein the rookie developer purposely introduced a fatal bug into the codebase, breaking a fifteen year old regression test.
>>>
>>> If you are wondering how something with a broken regression test winds up on CPAN, you'll have to look into how RELENG is done in the server project.
>>>
>>> Long story short, they commented out the test and shipped it anyway, and called it a Security Release that fixed a vulnerability every prior release was susceptible to.
>>>
>>> Why do I care now? Because I'm the sucker users reach out to for answers as a known subject matter expert.
>>>
>>> This sucks, but I'm sorry to tell you that my days wearing the Superman cape at Apache ended 8 years ago.
>>>
>>> --
>>> Joe Schaefer, Ph.D.
>>>
>>> Orion - The Enterprise Jamstack Wiki
>>>
>>> 954.253.3732
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout