MESSAGE
DATE | 2024-02-18 |
FROM | Mithun Bhattacharya
TO | mod_perl list
SUBJECT | Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users
So is there a cleaner/saner version of libapreq2 or is the 2012 version better?

On Sun, Feb 18, 2024, 12:58 PM Joe Schaefer wrote:
> For the past 25 years, I have been the lead developer of the libapreq2 subproject within the Apache HTTPd Server Parent Project. The original idea of libapreq as a safe/performant HTML form and Cookie parsing library came out of a collaboration between Lincoln Stein and Doug MacEachern in the late 90s.
>
> It was my vision back then to transform the library into a generic, non-Perl related C library that would support language bindings from other programming languages, which is why I pushed for the project to be homed under the HTTPd umbrella instead of the Apache-Perl project.
>
> While this vision was wildly successful, with language bindings available for several languages like Perl, TCL, R, etc, ever since about 2010 it's proven tragic for the existing user community consisting of all of them, not just Perl.
>
> What happened? Philip Gollucci, a Perl/FreeBSD colleague of mine at the time, started agitating that we promote the project to be released from inside the HTTPd server itself. What Philip didn't know very well back then was how utterly vapid and territorial that team had become, which would have meant having to collaborate with them directly on user-facing decisions about the code base.
>
> In 2012, Philip got what he wanted and I stopped resisting, so he forked the existing project and copied the C library components into HTTPd core.
>
> In 2016 I resigned from the Foundation en masse. You can guess the reasons.
>
> In 2020 or so, Google's Security Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots that needed repair.
>
> Instead of having the courtesy of reaching out to me, or anyone else involved in development of apreq, a junior engineer on the HTTPd team went about the business of "bug fixing" the vulnerabilities Google found. You can see a record of his trial and error work in every release since then.
>
> But the coup de grace was the 2022 release of 2.17, wherein the rookie developer purposely introduced a fatal bug into the codebase, breaking a fifteen year old regression test.
>
> If you are wondering how something with a broken regression test winds up on CPAN, you'll have to look into how RELENG is done in the server project.
>
> Long story short, they commented out the test and shipped it anyway, and called it a Security Release that fixed a vulnerability every prior release was susceptible to.
>
> Why do I care now? Because I'm the sucker users reach out to for answers as a known subject matter expert.
>
> This sucks, but I'm sorry to tell you that my days wearing the Superman cape at Apache ended 8 years ago.
>
> --
> Joe Schaefer, Ph.D.
>
> Orion - The Enterprise Jamstack Wiki
>
> 954.253.3732
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout