Thu Nov 21 23:54:40 2024
EVENTS
 FREE
SOFTWARE
INSTITUTE
 POLITICS
 JOBS
 MEMBERS'
CORNER
 MAILING
LIST
NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2024-02-01

HANGOUT

2024-11-21 | 2024-10-21 | 2024-09-21 | 2024-08-21 | 2024-07-21 | 2024-06-21 | 2024-05-21 | 2024-04-21 | 2024-03-21 | 2024-02-21 | 2024-01-21 | 2023-12-21 | 2023-11-21 | 2023-10-21 | 2023-09-21 | 2023-08-21 | 2023-07-21 | 2023-06-21 | 2023-05-21 | 2023-04-21 | 2023-03-21 | 2023-02-21 | 2023-01-21 | 2022-12-21 | 2022-11-21 | 2022-10-21 | 2022-09-21 | 2022-08-21 | 2022-07-21 | 2022-06-21 | 2022-05-21 | 2022-04-21 | 2022-03-21 | 2022-02-21 | 2022-01-21 | 2021-12-21 | 2021-11-21 | 2021-10-21 | 2021-09-21 | 2021-08-21 | 2021-07-21 | 2021-06-21 | 2021-05-21 | 2021-04-21 | 2021-03-21 | 2021-02-21 | 2021-01-21 | 2020-12-21 | 2020-11-21 | 2020-10-21 | 2020-09-21 | 2020-08-21 | 2020-07-21 | 2020-06-21 | 2020-05-21 | 2020-04-21 | 2020-03-21 | 2020-02-21 | 2020-01-21 | 2019-12-21 | 2019-11-21 | 2019-10-21 | 2019-09-21 | 2019-08-21 | 2019-07-21 | 2019-06-21 | 2019-05-21 | 2019-04-21 | 2019-03-21 | 2019-02-21 | 2019-01-21 | 2018-12-21 | 2018-11-21 | 2018-10-21 | 2018-09-21 | 2018-08-21 | 2018-07-21 | 2018-06-21 | 2018-05-21 | 2018-04-21 | 2018-03-21 | 2018-02-21 | 2018-01-21 | 2017-12-21 | 2017-11-21 | 2017-10-21 | 2017-09-21 | 2017-08-21 | 2017-07-21 | 2017-06-21 | 2017-05-21 | 2017-04-21 | 2017-03-21 | 2017-02-21 | 2017-01-21 | 2016-12-21 | 2016-11-21 | 2016-10-21 | 2016-09-21 | 2016-08-21 | 2016-07-21 | 2016-06-21 | 2016-05-21 | 2016-04-21 | 2016-03-21 | 2016-02-21 | 2016-01-21 | 2015-12-21 | 2015-11-21 | 2015-10-21 | 2015-09-21 | 2015-08-21 | 2015-07-21 | 2015-06-21 | 2015-05-21 | 2015-04-21 | 2015-03-21 | 2015-02-21 | 2015-01-21 | 2014-12-21 | 2014-11-21 | 2014-10-21 | 2014-09-21 | 2014-08-21 | 2014-07-21 | 2014-06-21 | 2014-05-21 | 2014-04-21 | 2014-03-21 | 2014-02-21 | 2014-01-21 | 2013-12-21 | 2013-11-21 | 2013-10-21 | 2013-09-21 | 2013-08-21 | 2013-07-21 | 2013-06-21 | 2013-05-21 | 2013-04-21 | 2013-03-21 | 2013-02-21 | 2013-01-21 | 2012-12-21 | 2012-11-21 | 2012-10-21 | 2012-09-21 | 2012-08-21 | 2012-07-21 | 2012-06-21 | 2012-05-21 | 2012-04-21 | 2012-03-21 | 2012-02-21 | 2012-01-21 | 2011-12-21 | 2011-11-21 | 2011-10-21 | 2011-09-21 | 2011-08-21 | 2011-07-21 | 2011-06-21 | 2011-05-21 | 2011-04-21 | 2011-03-21 | 2011-02-21 | 2011-01-21 | 2010-12-21 | 2010-11-21 | 2010-10-21 | 2010-09-21 | 2010-08-21 | 2010-07-21 | 2010-06-21 | 2010-05-21 | 2010-04-21 | 2010-03-21 | 2010-02-21 | 2010-01-21 | 2009-12-21 | 2009-11-21 | 2009-10-21 | 2009-09-21 | 2009-08-21 | 2009-07-21 | 2009-06-21 | 2009-05-21 | 2009-04-21 | 2009-03-21 | 2009-02-21 | 2009-01-21 | 2008-12-21 | 2008-11-21 | 2008-10-21 | 2008-09-21 | 2008-08-21 | 2008-07-21 | 2008-06-21 | 2008-05-21 | 2008-04-21 | 2008-03-21 | 2008-02-21 | 2008-01-21 | 2007-12-21 | 2007-11-21 | 2007-10-21 | 2007-09-21 | 2007-08-21 | 2007-07-21 | 2007-06-21 | 2007-05-21 | 2007-04-21 | 2007-03-21 | 2007-02-21 | 2007-01-21 | 2006-12-21 | 2006-11-21 | 2006-10-21 | 2006-09-21 | 2006-08-21 | 2006-07-21 | 2006-06-21 | 2006-05-21 | 2006-04-21 | 2006-03-21 | 2006-02-21 | 2006-01-21 | 2005-12-21 | 2005-11-21 | 2005-10-21 | 2005-09-21 | 2005-08-21 | 2005-07-21 | 2005-06-21 | 2005-05-21 | 2005-04-21 | 2005-03-21 | 2005-02-21 | 2005-01-21 | 2004-12-21 | 2004-11-21 | 2004-10-21 | 2004-09-21 | 2004-08-21 | 2004-07-21 | 2004-06-21 | 2004-05-21 | 2004-04-21 | 2004-03-21 | 2004-02-21 | 2004-01-21 | 2003-12-21 | 2003-11-21 | 2003-10-21 | 2003-09-21 | 2003-08-21 | 2003-07-21 | 2003-06-21 | 2003-05-21 | 2003-04-21 | 2003-03-21 | 2003-02-21 | 2003-01-21 | 2002-12-21 | 2002-11-21 | 2002-10-21 | 2002-09-21 | 2002-08-21 | 2002-07-21 | 2002-06-21 | 2002-05-21 | 2002-04-21 | 2002-03-21 | 2002-02-21 | 2002-01-21 | 2001-12-21 | 2001-11-21 | 2001-10-21 | 2001-09-21 | 2001-08-21 | 2001-07-21 | 2001-06-21 | 2001-05-21 | 2001-04-21 | 2001-03-21 | 2001-02-21 | 2001-01-21 | 2000-12-21 | 2000-11-21 | 2000-10-21 | 2000-09-21 | 2000-08-21 | 2000-07-21 | 2000-06-21 | 2000-05-21 | 2000-04-21 | 2000-03-21 | 2000-02-21 | 2000-01-21 | 1999-12-21

Key: Value:

Key: Value:

MESSAGE
DATE 2024-02-18
FROM Joe Schaefer
SUBJECT Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
From hangout-bounces-at-nylxs.com Sun Feb 18 23:52:04 2024
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: from www2.mrbrklyn.com (www2.mrbrklyn.com [96.57.23.82])
by mrbrklyn.com (Postfix) with ESMTP id 40A5D164133;
Sun, 18 Feb 2024 23:52:03 -0500 (EST)
X-Original-To: hangout-at-www2.mrbrklyn.com
Delivered-To: hangout-at-www2.mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 1000)
id 410381640E4; Sun, 18 Feb 2024 23:46:38 -0500 (EST)
Resent-From: Ruben Safir
Resent-Date: Sun, 18 Feb 2024 23:46:37 -0500
Resent-Message-ID: <20240219044637.GS20445-at-www2.mrbrklyn.com>
Resent-To: hangout-at-mrbrklyn.com
X-Original-To: ruben-at-mrbrklyn.com
Delivered-To: ruben-at-mrbrklyn.com
Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org
[95.216.194.37])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "*.apache.org",
Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified))
by mrbrklyn.com (Postfix) with ESMTPS id A0BC11640A3
for ; Sun, 18 Feb 2024 14:12:40 -0500 (EST)
Received: from mail.apache.org (mailgw-he-de.apache.org
[IPv6:2a01:4f8:c2c:d4aa::1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
by mxout1-he-de.apache.org (ASF Mail Server at mxout1-he-de.apache.org) with
ESMTPS id 89B3465157
for ; Sun, 18 Feb 2024 19:12:31 +0000 (UTC)
Received: (qmail 1292868 invoked by uid 998); 18 Feb 2024 19:12:26 -0000
Mailing-List: contact modperl-help-at-perl.apache.org; run by ezmlm
Precedence: bulk
Delivered-To: mailing list modperl-at-perl.apache.org
Received: (qmail 1292809 invoked by uid 116); 18 Feb 2024 19:12:26 -0000
Received: from spamproc1-he-fi.apache.org (HELO spamproc1-he-fi.apache.org)
(95.217.134.168)
by apache.org (qpsmtpd/0.94) with ESMTP; Sun, 18 Feb 2024 19:12:26 +0000
Authentication-Results: apache.org; auth=none
Received: from localhost (localhost [127.0.0.1])
by spamproc1-he-fi.apache.org (ASF Mail Server at spamproc1-he-fi.apache.org)
with ESMTP id D8BECC1234
for ; Sun, 18 Feb 2024 19:12:25 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamproc1-he-fi.apache.org
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.2, RCVD_IN_MSPIKE_H3=0.001,
RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamproc1-he-fi.apache.org (amavisd-new);
dkim=pass (2048-bit key) header.d=sunstarsys.com
Received: from mx1-ec2-va.apache.org ([116.203.227.195])
by localhost (spamproc1-he-fi.apache.org [95.217.134.168]) (amavisd-new,
port 10024) with ESMTP id R2JhiUnxXy5s for ;
Sun, 18 Feb 2024 19:12:25 +0000 (UTC)
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=209.85.214.181;
helo=mail-pl1-f181.google.com; envelope-from=joe-at-sunstarsys.com;
receiver=
Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com
[209.85.214.181])
by mx1-ec2-va.apache.org (ASF Mail Server at mx1-ec2-va.apache.org) with
ESMTPS id AB902C02CE
for ; Sun, 18 Feb 2024 19:12:17 +0000 (UTC)
Received: by mail-pl1-f181.google.com with SMTP id
d9443c01a7336-1da0cd9c0e5so34405415ad.0
for ; Sun, 18 Feb 2024 11:12:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=sunstarsys.com; s=google; t=1708283531; x=1708888331; darn=perl.apache.org;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=UGK6ujZIOsko0TQO1oESYiuCvFZEsXomMaBqip/YCPY=;
b=ejtYJFs8WGrJVWxUHaQrxLrg0pWS66oRaInZ93i4WybbmWG8jDGi7FUs/IdsIYVI0+
lj3WOEMfe+uXb46ZbCweX40LJdgmoHIpTpK6kNoBlvw+hfWgL2t67AoEZqy5lwsAm33N
v/1zWIVMzIwFghMikZGBi5Pn6ueFZIGF25GYpkPegaReAJWmTXDECMSaLRVc80wv//ks
TVHEYk1JjsmdObEYwRdRULN0ogaRX6JmK9wAu2VNR1f365MzSyKrMNluLw6chO65h9kB
Bpj5jlat9HK+ap+Tdcn/Nr1wt9xSV2f0hDpkF/BXWVq5IL9/0Z4a4pt8uSzEKE73e+Y7
BF1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1708283531; x=1708888331;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=UGK6ujZIOsko0TQO1oESYiuCvFZEsXomMaBqip/YCPY=;
b=ESYrd0Depzg1Zo7oQ7+EgjvwN50yuRbRyU/k7nVcla6wuBeluF6MbOQlQmZeIxssAC
rMyH7rkdvHvqWBc6eDV11Pe3CTbQJNaZYyb0eawK6LOCRpK/c1CdPUj8neZljYB0so4i
gxgTEzMAI6uxdRfctNO/Z6RjjY+NHHG1IqPJzGdLrekLslXOtEzqOD7XG+B8QG33opHn
Ygov4dVxv/LEcRV0T22FNnPMltDY1LoAZ2TgvCVng9hZLlr4FPzOtUlTXl8hjfohlc9w
sZavk39tyITfMgTjZAc6L3K1iUyr+hVdh03zpwXMRKBB709IMOPbNaw5ADH+6xHd8MjS
bHUQ==
X-Gm-Message-State: AOJu0YyxDRrjFzh/gfLtXyWdTPIjJIRtFzVTUd42yywAWlp9vbDrOT8M
E0YUyucMfH+8M/GRn3HZqNu53ngWKssfmgdYa+Fx4TOZ6JmRop/SdK0lHpBsbszzP/Dsjcn9QvJ
l1JXcjHAJc+5XTtynEpLTBwjEuMnNVne1jFhYwg==
X-Google-Smtp-Source: AGHT+IGuJ+2bO6Xl8ngOWB050XrWtxvuCtjiRGm+mTiC5Kuw5WkjIlbfqj3Eqifs3Znt2QJG0z5KBtzc3uL7BhbP7L0=
X-Received: by 2002:a17:90a:d482:b0:299:4ae4:7a17 with SMTP id
s2-20020a17090ad48200b002994ae47a17mr6976470pju.15.1708283531169; Sun, 18 Feb
2024 11:12:11 -0800 (PST)
MIME-Version: 1.0
References:

In-Reply-To:
From: Joe Schaefer
Date: Sun, 18 Feb 2024 14:12:00 -0500
Message-ID:
To: Mithun Bhattacharya
Cc: mod_perl list
Subject: Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
Apache2::Request users
X-BeenThere: hangout-at-nylxs.com
X-Mailman-Version: 2.1.30rc1
List-Id: NYLXS Tech Talk and Politics
List-Unsubscribe: ,

List-Archive:
List-Post:
List-Help:
List-Subscribe: ,

Content-Type: multipart/mixed; boundary="===============2046266235=="
Errors-To: hangout-bounces-at-nylxs.com
Sender: "Hangout"

--===============2046266235==
Content-Type: multipart/alternative; boundary="0000000000000d3a860611acc10b"

--0000000000000d3a860611acc10b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Trunk is the safe bet.

Joe Schaefer, Ph.D.

Orion - The Enterprise Jamstack Wiki >

954.253.3732




On Sun, Feb 18, 2024 at 2:11=E2=80=AFPM Mithun Bhattacharya om>
wrote:

> So is there a cleaner/saner version of libapreq2 or is the 2012 version
> better ?
>
> On Sun, Feb 18, 2024, 12:58=E2=80=AFPM Joe Schaefer =
wrote:
>
>> For the past 25 years, I have been the lead developer of the libapreq2
>> subproject within the Apache HTTPd Server Parent Project. The original i=
dea
>> of libapreq as a safe/performant HTML form and Cookie parsing library ca=
me
>> out of a collaboration between Lincoln Stein and Doug MacEachern in the
>> late 90s.
>>
>> It was my vision back then to transform the library into a generic,
>> non-Perl related C library that would support language bindings from oth=
er
>> programming languages, which is why I pushed for the project to be homes
>> under the HTTPd umbrella instead of the Apache-Perl project.
>>
>> While this vision was wildly successful, with language bindings availabl=
e
>> for several languages like Perl, TCL, R, etc, ever since about 2010 its
>> proven tragic for the existing user community consisting of all of them,
>> not just Perl.
>>
>> What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the
>> time, started agitating that we promote the project to be released from
>> inside the HTTPd server itself. What Philip didn=E2=80=99t know very wel=
l back then
>> was how utterly vapid and territorial that team had become, which would
>> have meant having to collaborate with them directly on user-facing
>> decisions about the code base.
>>
>> In 2012, Philip got what he wanted and I stopped resisting, so he forked
>> the existing project and copied the C library components into HTTPd core=
.
>>
>> In 2016 I resigned from the Foundation en masse. You can guess the
>> reasons.
>>
>> In 2020 or so, Google=E2=80=99s Security Team took advantage of an alpha=
release
>> of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few
>> hotspots that needed repair.
>>
>> Instead of having the courtesy of reaching out to me, or anyone else
>> involved in development of apreq, a junior engineer on the HTTPd team we=
nt
>> about the business of =E2=80=9Cbug fixing=E2=80=9D the vulnerabilities G=
oogle found. You
>> can see a record of his trial and error work in every release since then=
.
>>
>> But the coup de grace was the 2022 release of 2.17, wherein the rookie
>> developer purposely introduced a fatal bug into the codebase, breaking a
>> fifteen year old regression test.
>>
>> If you are wondering how something with a broken regression test winds u=
p
>> on CPAN, you=E2=80=99ll have to look into how RELENG is done in the serv=
er project.
>>
>> Long story short, they commented out the test and shipped it anyway, and
>> called it a Security Release that fixed a vulnerability every prior rele=
ase
>> was susceptible to.
>>
>> Why do I care now? Because I=E2=80=99m the sucker users reach out to for=
answers
>> as a known subject matter expert.
>>
>> This sucks, but I=E2=80=99m sorry to tell you that my days wearing the S=
uperman
>> cape at Apache ended 8 years ago.
>>
>> --
>> Joe Schaefer, Ph.D.
>>
>> Orion - The Enterprise Jamstack Wiki
>>
>>
>> 954.253.3732
>>
>>
>>

--0000000000000d3a860611acc10b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable



class=3D"gmail_quote">
On Sun, Feb 18=
, 2024 at 2:11=E2=80=AFPM Mithun Bhattacharya <gmail.com">mithnb-at-gmail.com> wrote:
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex">
So is there a cleaner/saner version of libapreq2 =
or is the 2012 version better ?

r=3D"ltr" class=3D"gmail_attr">On Sun, Feb 18, 2024, 12:58=E2=80=AFPM Joe S=
chaefer <joe-at-sun=
starsys.com> wrote:
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
=3D"ltr">ans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">For the pa=
st 25 years, I have been the lead developer of the libapreq2 subproject wit=
hin the Apache HTTPd Server Parent Project. The original idea of libapreq a=
s a safe/performant HTML form and Cookie parsing library came out of a coll=
aboration between Lincoln Stein and Doug MacEachern in the late 90s.=

nt-size:13.3333px;background-color:rgb(246,246,239)">It was my vision back =
then to transform the library into a generic, non-Perl related C library th=
at would support language bindings from other programming languages, which =
is why I pushed for the project to be homes under the HTTPd umbrella instea=
d of the Apache-Perl project.

mily:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246=
,246,239)">While this vision was wildly successful, with language bindings =
available for several languages like Perl, TCL, R, etc, ever since about 20=
10 its proven tragic for the existing user community consisting of all of t=
hem, not just Perl.

na,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)"=
>What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the tim=
e, started agitating that we promote the project to be released from inside=
the HTTPd server itself. What Philip didn=E2=80=99t know very well back th=
en was how utterly vapid and territorial that team had become, which would =
have meant having to collaborate with them directly on user-facing decision=
s about the code base.

rdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,23=
9)">In 2012, Philip got what he wanted and I stopped resisting, so he forke=
d the existing project and copied the C library components into HTTPd core.=

f;font-size:13.3333px;background-color:rgb(246,246,239)">In 2016 I resigned=
from the Foundation en masse. You can guess the reasons.

lor:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.333=
3px;background-color:rgb(246,246,239)">In 2020 or so, Google=E2=80=99s Secu=
rity Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 =
year old copy of apreq. It found a few hotspots that needed repair.

tyle=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-s=
ize:13.3333px;background-color:rgb(246,246,239)">Instead of having the cour=
tesy of reaching out to me, or anyone else involved in development of apreq=
, a junior engineer on the HTTPd team went about the business of =E2=80=9Cb=
ug fixing=E2=80=9D the vulnerabilities Google found. You can see a record o=
f his trial and error work in every release since then.

r:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333p=
x;background-color:rgb(246,246,239)">But the coup de grace was the 2022 rel=
ease of 2.17, wherein the rookie developer purposely introduced a fatal bug=
into the codebase, breaking a fifteen year old regression test.

e=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size=
:13.3333px;background-color:rgb(246,246,239)">If you are wondering how some=
thing with a broken regression test winds up on CPAN, you=E2=80=99ll have t=
o look into how RELENG is done in the server project.

rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;=
background-color:rgb(246,246,239)">Long story short, they commented out the=
test and shipped it anyway, and called it a Security Release that fixed a =
vulnerability every prior release was susceptible to.

rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;=
background-color:rgb(246,246,239)">Why do I care now? Because I=E2=80=99m t=
he sucker users reach out to for answers as a known subject matter expert.<=
/p>

;font-size:13.3333px;background-color:rgb(246,246,239)">This sucks, but I=
=E2=80=99m sorry to tell you that my days wearing the Superman cape at Apac=
he ended 8 years ago.


ix">--
=3D"gmail_signature">
Joe Schaefer, Ph.D.
href=3D"https://sunstarsys.com/orion/features" rel=3D"noreferrer" target=
=3D"_blank">BF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1Hn4">a>
=




--0000000000000d3a860611acc10b--

--===============2046266235==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout

--===============2046266235==--

--===============2046266235==
Content-Type: multipart/alternative; boundary="0000000000000d3a860611acc10b"

--0000000000000d3a860611acc10b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Trunk is the safe bet.

Joe Schaefer, Ph.D.

Orion - The Enterprise Jamstack Wiki >

954.253.3732




On Sun, Feb 18, 2024 at 2:11=E2=80=AFPM Mithun Bhattacharya om>
wrote:

> So is there a cleaner/saner version of libapreq2 or is the 2012 version
> better ?
>
> On Sun, Feb 18, 2024, 12:58=E2=80=AFPM Joe Schaefer =
wrote:
>
>> For the past 25 years, I have been the lead developer of the libapreq2
>> subproject within the Apache HTTPd Server Parent Project. The original i=
dea
>> of libapreq as a safe/performant HTML form and Cookie parsing library ca=
me
>> out of a collaboration between Lincoln Stein and Doug MacEachern in the
>> late 90s.
>>
>> It was my vision back then to transform the library into a generic,
>> non-Perl related C library that would support language bindings from oth=
er
>> programming languages, which is why I pushed for the project to be homes
>> under the HTTPd umbrella instead of the Apache-Perl project.
>>
>> While this vision was wildly successful, with language bindings availabl=
e
>> for several languages like Perl, TCL, R, etc, ever since about 2010 its
>> proven tragic for the existing user community consisting of all of them,
>> not just Perl.
>>
>> What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the
>> time, started agitating that we promote the project to be released from
>> inside the HTTPd server itself. What Philip didn=E2=80=99t know very wel=
l back then
>> was how utterly vapid and territorial that team had become, which would
>> have meant having to collaborate with them directly on user-facing
>> decisions about the code base.
>>
>> In 2012, Philip got what he wanted and I stopped resisting, so he forked
>> the existing project and copied the C library components into HTTPd core=
.
>>
>> In 2016 I resigned from the Foundation en masse. You can guess the
>> reasons.
>>
>> In 2020 or so, Google=E2=80=99s Security Team took advantage of an alpha=
release
>> of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few
>> hotspots that needed repair.
>>
>> Instead of having the courtesy of reaching out to me, or anyone else
>> involved in development of apreq, a junior engineer on the HTTPd team we=
nt
>> about the business of =E2=80=9Cbug fixing=E2=80=9D the vulnerabilities G=
oogle found. You
>> can see a record of his trial and error work in every release since then=
.
>>
>> But the coup de grace was the 2022 release of 2.17, wherein the rookie
>> developer purposely introduced a fatal bug into the codebase, breaking a
>> fifteen year old regression test.
>>
>> If you are wondering how something with a broken regression test winds u=
p
>> on CPAN, you=E2=80=99ll have to look into how RELENG is done in the serv=
er project.
>>
>> Long story short, they commented out the test and shipped it anyway, and
>> called it a Security Release that fixed a vulnerability every prior rele=
ase
>> was susceptible to.
>>
>> Why do I care now? Because I=E2=80=99m the sucker users reach out to for=
answers
>> as a known subject matter expert.
>>
>> This sucks, but I=E2=80=99m sorry to tell you that my days wearing the S=
uperman
>> cape at Apache ended 8 years ago.
>>
>> --
>> Joe Schaefer, Ph.D.
>>
>> Orion - The Enterprise Jamstack Wiki
>>
>>
>> 954.253.3732
>>
>>
>>

--0000000000000d3a860611acc10b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable



class=3D"gmail_quote">
On Sun, Feb 18=
, 2024 at 2:11=E2=80=AFPM Mithun Bhattacharya <gmail.com">mithnb-at-gmail.com> wrote:
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex">
So is there a cleaner/saner version of libapreq2 =
or is the 2012 version better ?

r=3D"ltr" class=3D"gmail_attr">On Sun, Feb 18, 2024, 12:58=E2=80=AFPM Joe S=
chaefer <joe-at-sun=
starsys.com> wrote:
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
=3D"ltr">ans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">For the pa=
st 25 years, I have been the lead developer of the libapreq2 subproject wit=
hin the Apache HTTPd Server Parent Project. The original idea of libapreq a=
s a safe/performant HTML form and Cookie parsing library came out of a coll=
aboration between Lincoln Stein and Doug MacEachern in the late 90s.=

nt-size:13.3333px;background-color:rgb(246,246,239)">It was my vision back =
then to transform the library into a generic, non-Perl related C library th=
at would support language bindings from other programming languages, which =
is why I pushed for the project to be homes under the HTTPd umbrella instea=
d of the Apache-Perl project.

mily:Verdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246=
,246,239)">While this vision was wildly successful, with language bindings =
available for several languages like Perl, TCL, R, etc, ever since about 20=
10 its proven tragic for the existing user community consisting of all of t=
hem, not just Perl.

na,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)"=
>What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the tim=
e, started agitating that we promote the project to be released from inside=
the HTTPd server itself. What Philip didn=E2=80=99t know very well back th=
en was how utterly vapid and territorial that team had become, which would =
have meant having to collaborate with them directly on user-facing decision=
s about the code base.

rdana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,23=
9)">In 2012, Philip got what he wanted and I stopped resisting, so he forke=
d the existing project and copied the C library components into HTTPd core.=

f;font-size:13.3333px;background-color:rgb(246,246,239)">In 2016 I resigned=
from the Foundation en masse. You can guess the reasons.

lor:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.333=
3px;background-color:rgb(246,246,239)">In 2020 or so, Google=E2=80=99s Secu=
rity Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 =
year old copy of apreq. It found a few hotspots that needed repair.

tyle=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-s=
ize:13.3333px;background-color:rgb(246,246,239)">Instead of having the cour=
tesy of reaching out to me, or anyone else involved in development of apreq=
, a junior engineer on the HTTPd team went about the business of =E2=80=9Cb=
ug fixing=E2=80=9D the vulnerabilities Google found. You can see a record o=
f his trial and error work in every release since then.

r:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333p=
x;background-color:rgb(246,246,239)">But the coup de grace was the 2022 rel=
ease of 2.17, wherein the rookie developer purposely introduced a fatal bug=
into the codebase, breaking a fifteen year old regression test.

e=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size=
:13.3333px;background-color:rgb(246,246,239)">If you are wondering how some=
thing with a broken regression test winds up on CPAN, you=E2=80=99ll have t=
o look into how RELENG is done in the server project.

rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;=
background-color:rgb(246,246,239)">Long story short, they commented out the=
test and shipped it anyway, and called it a Security Release that fixed a =
vulnerability every prior release was susceptible to.

rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;=
background-color:rgb(246,246,239)">Why do I care now? Because I=E2=80=99m t=
he sucker users reach out to for answers as a known subject matter expert.<=
/p>

;font-size:13.3333px;background-color:rgb(246,246,239)">This sucks, but I=
=E2=80=99m sorry to tell you that my days wearing the Superman cape at Apac=
he ended 8 years ago.


ix">--
=3D"gmail_signature">
Joe Schaefer, Ph.D.
href=3D"https://sunstarsys.com/orion/features" rel=3D"noreferrer" target=
=3D"_blank">BF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1Hn4">a>
=




--0000000000000d3a860611acc10b--

--===============2046266235==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout

--===============2046266235==--

  1. 2024-02-01 From: "Free Software Foundation" <info-at-fsf.org> Subject: [Hangout - NYLXS] Free Software Supporter -- Issue 190,
  2. 2024-02-01 Sandy Dave <sandy-at-esolvit.com> Subject: [Hangout - NYLXS] (#4976) Front-End Web Developer/Web Designer in
  3. 2024-02-05 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #654 - Perl and FOSDEM
  4. 2024-02-07 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Censorship has always been part of the publishing
  5. 2024-02-08 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Look below for the key paragraph here - note we
  6. 2024-02-08 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Indian response to Muslim Imperialism
  7. 2024-02-08 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Anything they want to do, they just do...
  8. 2024-02-09 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] odoo - if it is hallf of what they say it is
  9. 2024-02-11 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] the depths of the Nazi involvement with the UN in
  10. 2024-02-11 mayer ilovitz <pmamayeri-at-gmail.com> Re: [Hangout - NYLXS] the depths of the Nazi involvement with the
  11. 2024-02-11 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Tech and archeology
  12. 2024-02-12 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] The Hezbollah Threat - why war in the north can
  13. 2024-02-13 NYOUG <execdir-at-nyoug.org> Subject: [Hangout - NYLXS] Upcoming Events for Oracle Professionals
  14. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] It is open so it much be good. What can go wrong
  15. 2024-02-14 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] putting the NY CD 3 special election into
  16. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] this really just needs to be seen without my
  17. 2024-02-15 mayer ilovitz <pmamayeri-at-gmail.com> Re: [Hangout - NYLXS] this really just needs to be seen without my
  18. 2024-02-15 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] =?utf-8?q?washingtonpost=2Ecom_12/14/24=3A_?=
  19. 2024-02-16 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] [gcc-bugs-at-gcc.gnu.org: ` ` Piano ` `]
  20. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  21. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  22. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  23. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  24. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  25. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  26. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  27. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  28. 2024-02-15 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] static code analysis for Perl5 code?
  29. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  30. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request
  31. 2024-02-15 Joseph He <joseph.he.2008-at-gmail.com> Subject: [Hangout - NYLXS] static code analysis for Perl5 code?
  32. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  33. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  34. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  35. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  36. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  37. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Subject: [Hangout - NYLXS] Case-sensitive $r->param?
  38. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  39. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  40. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  41. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  42. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Reviving the mod_perl social network
  43. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  44. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  45. 2024-02-13 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Config Primer on mod_perl with mpm_event
  46. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  47. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  48. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  49. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  50. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  51. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  52. 2024-02-18 Mithun Bhattacharya <mithnb-at-gmail.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  53. 2024-02-15 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] static code analysis for Perl5 code?
  54. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request
  55. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  56. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  57. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  58. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  59. 2024-02-14 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  60. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  61. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Reviving the mod_perl social network
  62. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  63. 2024-02-15 Joseph He <joseph.he.2008-at-gmail.com> Subject: [Hangout - NYLXS] static code analysis for Perl5 code?
  64. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  65. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  66. 2024-02-14 From: "Randolf Richardson" <randolf-at-modperl.pl> Subject: [Hangout - NYLXS] Case-sensitive $r->param?
  67. 2024-02-13 Joe Schaefer <joe-at-sunstarsys.com> Subject: [Hangout - NYLXS] Config Primer on mod_perl with mpm_event
  68. 2024-02-18 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
  69. 2024-02-14 Ed Sabol <edwardjsabol-at-gmail.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  70. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] how to make :Sealed subs reentrant...
  71. 2024-02-14 Joe Schaefer <joe-at-sunstarsys.com> Re: [Hangout - NYLXS] Case-sensitive $r->param?
  72. 2024-02-19 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #656 - Perl Conference
  73. 2024-02-19 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #656 - Perl Conference
  74. 2024-02-19 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] JP 2/19/24: The Truth About the Dearborn Jihad
  75. 2024-02-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] kashmir
  76. 2024-02-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] ill let you figure this out..
  77. 2024-02-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Non-systemd Distos
  78. 2024-02-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Lets play a game - what is this crap
  79. 2024-02-20 NYOUG <execdir-at-nyoug.org> Subject: [Hangout - NYLXS] Upcoming Events for Oracle Professionals
  80. 2024-02-21 James E Keenan <jkeenan-at-pobox.com> Subject: [Hangout - NYLXS] March 11 NY Perlmongers Social Meeting - Peculier
  81. 2024-02-22 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Massive Russian Cyber Attack paralizes healthcare
  82. 2024-02-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Just can not get right and wrong straigt
  83. 2024-02-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] cudu is being "open sourced"
  84. 2024-02-23 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] rembrandts
  85. 2024-02-23 Evgeny Grin <k2k-at-narod.ru> Subject: [Hangout - NYLXS] GNU libmicrohttpd v1.0.1 released
  86. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] firefox security and webassembly and VMS
  87. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] FWIW - from my daughter..
  88. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Listening to it in first account is very sobbering
  89. 2024-02-27 From: "Miriam Bastian, FSF" <info-at-fsf.org> Subject: [Hangout - NYLXS] Exciting talks, hands-on workshops,
  90. 2024-02-26 Touro Graduate School of Technology <info.gst-at-touro.edu> Subject: [Hangout - NYLXS] Workshop Tonight: Ethics In AI Workshop : Feb
  91. 2024-02-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Donate $20 and put your name up
  92. 2024-02-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Fwd: Contracting News: February 2024 Vendor
  93. 2024-02-29 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Swoden and the 4th amendment and this President
  94. 2024-02-24 Walt Mankowski <waltman-at-pobox.com> Re: [Hangout - NYLXS] March 11 NY Perlmongers Social Meeting -

NYLXS are Do'ers and the first step of Doing is Joining! Join NYLXS and make a difference in your community today!