NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your piece.

MESSAGE
DATE 2024-02-18
FROM Mithun Bhattacharya
SUBJECT Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users

From: Mithun Bhattacharya
Date: Sun, 18 Feb 2024 13:11:09 -0600
To: mod_perl list
Subject: Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users
So is there a cleaner/saner version of libapreq2 or is the 2012 version
better?

On Sun, Feb 18, 2024, 12:58 PM Joe Schaefer wrote:

> For the past 25 years, I have been the lead developer of the libapreq2
> subproject within the Apache HTTPd Server Parent Project. The original idea
> of libapreq as a safe/performant HTML form and Cookie parsing library came
> out of a collaboration between Lincoln Stein and Doug MacEachern in the
> late 90s.
>
> It was my vision back then to transform the library into a generic,
> non-Perl related C library that would support language bindings from other
> programming languages, which is why I pushed for the project to be homed
> under the HTTPd umbrella instead of the Apache-Perl project.
>
> While this vision was wildly successful, with language bindings available
> for several languages like Perl, TCL, R, etc, ever since about 2010 it's
> proven tragic for the existing user community consisting of all of them,
> not just Perl.
>
> What happened? Philip Gollucci, a Perl/FreeBSD colleague of mine at the
> time, started agitating that we promote the project to be released from
> inside the HTTPd server itself. What Philip didn't know very well back then
> was how utterly vapid and territorial that team had become, which would
> have meant having to collaborate with them directly on user-facing
> decisions about the code base.
>
> In 2012, Philip got what he wanted and I stopped resisting, so he forked
> the existing project and copied the C library components into HTTPd core.
>
> In 2016 I resigned from the Foundation en masse. You can guess the reasons.
>
> In 2020 or so, Google's Security Team took advantage of an alpha release
> of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few
> hotspots that needed repair.
>
> Instead of having the courtesy of reaching out to me, or anyone else
> involved in development of apreq, a junior engineer on the HTTPd team went
> about the business of "bug fixing" the vulnerabilities Google found. You
> can see a record of his trial and error work in every release since then.
>
> But the coup de grace was the 2022 release of 2.17, wherein the rookie
> developer purposely introduced a fatal bug into the codebase, breaking a
> fifteen year old regression test.
>
> If you are wondering how something with a broken regression test winds up
> on CPAN, you'll have to look into how RELENG is done in the server project.
>
> Long story short, they commented out the test and shipped it anyway, and
> called it a Security Release that fixed a vulnerability every prior release
> was susceptible to.
>
> Why do I care now? Because I'm the sucker users reach out to for answers
> as a known subject matter expert.
>
> This sucks, but I'm sorry to tell you that my days wearing the Superman
> cape at Apache ended 8 years ago.
>
> --
> Joe Schaefer, Ph.D.
>
> Orion - The Enterprise Jamstack Wiki
>
> 954.253.3732
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout

  73. 2024-02-19 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #656 - Perl Conference
  74. 2024-02-19 mayer ilovitz <pmamayeri-at-gmail.com> Subject: [Hangout - NYLXS] JP 2/19/24: The Truth About the Dearborn Jihad
  75. 2024-02-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] kashmir
  76. 2024-02-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] ill let you figure this out..
  77. 2024-02-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Non-systemd Distos
  78. 2024-02-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Lets play a game - what is this crap
  79. 2024-02-20 NYOUG <execdir-at-nyoug.org> Subject: [Hangout - NYLXS] Upcoming Events for Oracle Professionals
  80. 2024-02-21 James E Keenan <jkeenan-at-pobox.com> Subject: [Hangout - NYLXS] March 11 NY Perlmongers Social Meeting - Peculier
  81. 2024-02-22 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Massive Russian Cyber Attack paralizes healthcare
  82. 2024-02-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Just can not get right and wrong straigt
  83. 2024-02-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] cudu is being "open sourced"
  84. 2024-02-23 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] rembrandts
  85. 2024-02-23 Evgeny Grin <k2k-at-narod.ru> Subject: [Hangout - NYLXS] GNU libmicrohttpd v1.0.1 released
  86. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] firefox security and webassembly and VMS
  87. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] FWIW - from my daughter..
  88. 2024-02-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Listening to it in first account is very sobbering
  89. 2024-02-27 From: "Miriam Bastian, FSF" <info-at-fsf.org> Subject: [Hangout - NYLXS] Exciting talks, hands-on workshops,
  90. 2024-02-26 Touro Graduate School of Technology <info.gst-at-touro.edu> Subject: [Hangout - NYLXS] Workshop Tonight: Ethics In AI Workshop : Feb
  91. 2024-02-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Donate $20 and put your name up
  92. 2024-02-29 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Fwd: Contracting News: February 2024 Vendor
  93. 2024-02-29 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Swoden and the 4th amendment and this President
  94. 2024-02-24 Walt Mankowski <waltman-at-pobox.com> Re: [Hangout - NYLXS] March 11 NY Perlmongers Social Meeting -
