NYLXS - Free Software Events

Thu Nov 21 23:36:06 2024

EVENTS

FREE
SOFTWARE
INSTITUTE

POLITICS

JOBS

MEMBERS'
CORNER

MAILING
LIST

NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2024-02-01

HANGOUT

2024-11-21 | 2024-10-21 | 2024-09-21 | 2024-08-21 | 2024-07-21 | 2024-06-21 | 2024-05-21 | 2024-04-21 | 2024-03-21 | 2024-02-21 | 2024-01-21 | 2023-12-21 | 2023-11-21 | 2023-10-21 | 2023-09-21 | 2023-08-21 | 2023-07-21 | 2023-06-21 | 2023-05-21 | 2023-04-21 | 2023-03-21 | 2023-02-21 | 2023-01-21 | 2022-12-21 | 2022-11-21 | 2022-10-21 | 2022-09-21 | 2022-08-21 | 2022-07-21 | 2022-06-21 | 2022-05-21 | 2022-04-21 | 2022-03-21 | 2022-02-21 | 2022-01-21 | 2021-12-21 | 2021-11-21 | 2021-10-21 | 2021-09-21 | 2021-08-21 | 2021-07-21 | 2021-06-21 | 2021-05-21 | 2021-04-21 | 2021-03-21 | 2021-02-21 | 2021-01-21 | 2020-12-21 | 2020-11-21 | 2020-10-21 | 2020-09-21 | 2020-08-21 | 2020-07-21 | 2020-06-21 | 2020-05-21 | 2020-04-21 | 2020-03-21 | 2020-02-21 | 2020-01-21 | 2019-12-21 | 2019-11-21 | 2019-10-21 | 2019-09-21 | 2019-08-21 | 2019-07-21 | 2019-06-21 | 2019-05-21 | 2019-04-21 | 2019-03-21 | 2019-02-21 | 2019-01-21 | 2018-12-21 | 2018-11-21 | 2018-10-21 | 2018-09-21 | 2018-08-21 | 2018-07-21 | 2018-06-21 | 2018-05-21 | 2018-04-21 | 2018-03-21 | 2018-02-21 | 2018-01-21 | 2017-12-21 | 2017-11-21 | 2017-10-21 | 2017-09-21 | 2017-08-21 | 2017-07-21 | 2017-06-21 | 2017-05-21 | 2017-04-21 | 2017-03-21 | 2017-02-21 | 2017-01-21 | 2016-12-21 | 2016-11-21 | 2016-10-21 | 2016-09-21 | 2016-08-21 | 2016-07-21 | 2016-06-21 | 2016-05-21 | 2016-04-21 | 2016-03-21 | 2016-02-21 | 2016-01-21 | 2015-12-21 | 2015-11-21 | 2015-10-21 | 2015-09-21 | 2015-08-21 | 2015-07-21 | 2015-06-21 | 2015-05-21 | 2015-04-21 | 2015-03-21 | 2015-02-21 | 2015-01-21 | 2014-12-21 | 2014-11-21 | 2014-10-21 | 2014-09-21 | 2014-08-21 | 2014-07-21 | 2014-06-21 | 2014-05-21 | 2014-04-21 | 2014-03-21 | 2014-02-21 | 2014-01-21 | 2013-12-21 | 2013-11-21 | 2013-10-21 | 2013-09-21 | 2013-08-21 | 2013-07-21 | 2013-06-21 | 2013-05-21 | 2013-04-21 | 2013-03-21 | 2013-02-21 | 2013-01-21 | 2012-12-21 | 2012-11-21 | 2012-10-21 | 2012-09-21 | 2012-08-21 | 2012-07-21 | 2012-06-21 | 2012-05-21 | 2012-04-21 | 2012-03-21 | 2012-02-21 | 2012-01-21 | 2011-12-21 | 2011-11-21 | 2011-10-21 | 2011-09-21 | 2011-08-21 | 2011-07-21 | 2011-06-21 | 2011-05-21 | 2011-04-21 | 2011-03-21 | 2011-02-21 | 2011-01-21 | 2010-12-21 | 2010-11-21 | 2010-10-21 | 2010-09-21 | 2010-08-21 | 2010-07-21 | 2010-06-21 | 2010-05-21 | 2010-04-21 | 2010-03-21 | 2010-02-21 | 2010-01-21 | 2009-12-21 | 2009-11-21 | 2009-10-21 | 2009-09-21 | 2009-08-21 | 2009-07-21 | 2009-06-21 | 2009-05-21 | 2009-04-21 | 2009-03-21 | 2009-02-21 | 2009-01-21 | 2008-12-21 | 2008-11-21 | 2008-10-21 | 2008-09-21 | 2008-08-21 | 2008-07-21 | 2008-06-21 | 2008-05-21 | 2008-04-21 | 2008-03-21 | 2008-02-21 | 2008-01-21 | 2007-12-21 | 2007-11-21 | 2007-10-21 | 2007-09-21 | 2007-08-21 | 2007-07-21 | 2007-06-21 | 2007-05-21 | 2007-04-21 | 2007-03-21 | 2007-02-21 | 2007-01-21 | 2006-12-21 | 2006-11-21 | 2006-10-21 | 2006-09-21 | 2006-08-21 | 2006-07-21 | 2006-06-21 | 2006-05-21 | 2006-04-21 | 2006-03-21 | 2006-02-21 | 2006-01-21 | 2005-12-21 | 2005-11-21 | 2005-10-21 | 2005-09-21 | 2005-08-21 | 2005-07-21 | 2005-06-21 | 2005-05-21 | 2005-04-21 | 2005-03-21 | 2005-02-21 | 2005-01-21 | 2004-12-21 | 2004-11-21 | 2004-10-21 | 2004-09-21 | 2004-08-21 | 2004-07-21 | 2004-06-21 | 2004-05-21 | 2004-04-21 | 2004-03-21 | 2004-02-21 | 2004-01-21 | 2003-12-21 | 2003-11-21 | 2003-10-21 | 2003-09-21 | 2003-08-21 | 2003-07-21 | 2003-06-21 | 2003-05-21 | 2003-04-21 | 2003-03-21 | 2003-02-21 | 2003-01-21 | 2002-12-21 | 2002-11-21 | 2002-10-21 | 2002-09-21 | 2002-08-21 | 2002-07-21 | 2002-06-21 | 2002-05-21 | 2002-04-21 | 2002-03-21 | 2002-02-21 | 2002-01-21 | 2001-12-21 | 2001-11-21 | 2001-10-21 | 2001-09-21 | 2001-08-21 | 2001-07-21 | 2001-06-21 | 2001-05-21 | 2001-04-21 | 2001-03-21 | 2001-02-21 | 2001-01-21 | 2000-12-21 | 2000-11-21 | 2000-10-21 | 2000-09-21 | 2000-08-21 | 2000-07-21 | 2000-06-21 | 2000-05-21 | 2000-04-21 | 2000-03-21 | 2000-02-21 | 2000-01-21 | 1999-12-21

Key: Value:

MESSAGE

DATE	2024-02-18
FROM	Joe Schaefer
SUBJECT	Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to
From hangout-bounces-at-nylxs.com Sun Feb 18 23:56:25 2024 Return-Path: X-Original-To: archive-at-mrbrklyn.com Delivered-To: archive-at-mrbrklyn.com Received: from www2.mrbrklyn.com (www2.mrbrklyn.com [96.57.23.82]) by mrbrklyn.com (Postfix) with ESMTP id E404D164174; Sun, 18 Feb 2024 23:56:23 -0500 (EST) X-Original-To: hangout-at-www2.mrbrklyn.com Delivered-To: hangout-at-www2.mrbrklyn.com Received: by mrbrklyn.com (Postfix, from userid 1000) id CAB8A1640CF; Sun, 18 Feb 2024 23:46:34 -0500 (EST) Resent-From: Ruben Safir Resent-Date: Sun, 18 Feb 2024 23:46:33 -0500 Resent-Message-ID: <20240219044633.GN20445-at-www2.mrbrklyn.com> Resent-To: hangout-at-mrbrklyn.com X-Original-To: ruben-at-mrbrklyn.com Delivered-To: ruben-at-mrbrklyn.com Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.apache.org", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mrbrklyn.com (Postfix) with ESMTPS id DC4911640A3 for ; Sun, 18 Feb 2024 16:43:09 -0500 (EST) Received: from mail.apache.org (mailgw-he-de.apache.org [116.203.246.181]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by mxout1-ec2-va.apache.org (ASF Mail Server at mxout1-ec2-va.apache.org) with ESMTPS id E802A4563F for ; Sun, 18 Feb 2024 21:43:08 +0000 (UTC) Received: (qmail 1446407 invoked by uid 998); 18 Feb 2024 21:43:03 -0000 Mailing-List: contact modperl-help-at-perl.apache.org; run by ezmlm Precedence: bulk Delivered-To: mailing list modperl-at-perl.apache.org Received: (qmail 1446378 invoked by uid 116); 18 Feb 2024 21:43:02 -0000 Received: from spamproc1-he-de.apache.org (HELO spamproc1-he-de.apache.org) (116.203.196.100) by apache.org (qpsmtpd/0.94) with ESMTP; Sun, 18 Feb 2024 21:43:02 +0000 Authentication-Results: apache.org; auth=none Received: from localhost (localhost [127.0.0.1]) by spamproc1-he-de.apache.org (ASF Mail Server at spamproc1-he-de.apache.org) with ESMTP id C58011FFAC6 for ; Sun, 18 Feb 2024 21:43:02 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamproc1-he-de.apache.org X-Spam-Flag: NO X-Spam-Score: -5 X-Spam-Level: X-Spam-Status: No, score=-5 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.2, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamproc1-he-de.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=sunstarsys.com Received: from mx1-he-de.apache.org ([116.203.227.195]) by localhost (spamproc1-he-de.apache.org [116.203.196.100]) (amavisd-new, port 10024) with ESMTP id O85PFv2EQhXn for ; Sun, 18 Feb 2024 21:43:00 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2607:f8b0:4864:20::52d; helo=mail-pg1-x52d.google.com; envelope-from=joe-at-sunstarsys.com; receiver= Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) by mx1-he-de.apache.org (ASF Mail Server at mx1-he-de.apache.org) with ESMTPS id 366477E61A for ; Sun, 18 Feb 2024 21:43:00 +0000 (UTC) Received: by mail-pg1-x52d.google.com with SMTP id 41be03b00d2f7-5dcc4076c13so1854389a12.0 for ; Sun, 18 Feb 2024 13:43:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sunstarsys.com; s=google; t=1708292573; x=1708897373; darn=perl.apache.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XQ6jzBJ2c/N3h4mGdc+heSaxlDSSRDQME/ofZAAIeaU=; b=bpdvkRHjLjqM9J2srVdNryIUUVra+F9BLNQZEiYthwisW/1Np5rPJZU8OTRRddZPU8 2iVapfWT1PIjCN+D/brDLn1CHLmI8Q+dvq56f9VWkLTU+VjBQCdSOfmwikOKbSFs4c6k yBQcyGVizCoevDLdJqgv3oJZYgXIO/r25l/tDtVYSw9OikV0d5b76JY2TIdPt9jeq63k pYEcrNLWc0lqCPPfAsVP/CF782AdniB/MGConKSJQiz/ie3Qel/rBOXsFUOkegU/L6PZ 8c8fW1pwbETRiqbw7+NB6TBQBqBoLsx8Ph6iLaIKSDhiRGxEnfsMOIvZDqGn7Ci+zOKF 4Eog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708292573; x=1708897373; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XQ6jzBJ2c/N3h4mGdc+heSaxlDSSRDQME/ofZAAIeaU=; b=Vz0QITQI/xyGp/F9eildRQ/DL8D982RkRUzmDzLgyJzObi9MmnnI7Y9O78ghe0OTGt x9Exij2pupYfmhIv52JohdEPMhkks/FB+AGhDMdDJgyUrej8AH8/JgK1FFMi476sz4OA FqEdIMgqFxc8izHqsqQv7fpgODcKcC+WYzwmxLEXearODS2BzSWyOSJGqPUW7EqmxwgZ +Gs51JzVKw31q6qlCzXWTRdHuR/hLR1ba0DtgnjGdEqew3iX1eliCi8mJ493Np8tNLL0 T8tY4cA3b1KtoY96y9oKC6jdqwPTza685G+Ny1pLDE6GqAekAVSeH5J4f/Uin6n9z8XG kz7w== X-Gm-Message-State: AOJu0YzJ9/lBaet1vVgLqhnL0uc2LsBQts27AosvBQjcQKtbDMJNJGLy h6qxrMHJ2EPqeK4F4MMRIFhxYR6cqxO7VJoOw827/CKNyhzh/UGMaGqhY/BqbfemJSBbYPFGfau ctT4Q7hkJO3Jh44/UUPWPow67tPO95OpGs+11VQ== X-Google-Smtp-Source: AGHT+IE/1rKQgOnTHdStL3/QUFur+rCEbOFLW+YNUhLMMPTnrDI3I5XKU9kuMhqM7dJdbzIventi9B3gVIDqEnOMk5c= X-Received: by 2002:a17:90a:c41:b0:297:12da:505d with SMTP id u1-20020a17090a0c4100b0029712da505dmr18552417pje.8.1708292572715; Sun, 18 Feb 2024 13:42:52 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Joe Schaefer Date: Sun, 18 Feb 2024 16:42:42 -0500 Message-ID: To: Mithun Bhattacharya Cc: mod_perl list Subject: Re: [Hangout - NYLXS] HTTPd Devs Considered Harmful to Apache2::Request users X-BeenThere: hangout-at-nylxs.com X-Mailman-Version: 2.1.30rc1 List-Id: NYLXS Tech Talk and Politics List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: multipart/mixed; boundary="===============1776805377==" Errors-To: hangout-bounces-at-nylxs.com Sender: "Hangout" --===============1776805377== Content-Type: multipart/alternative; boundary="000000000000f82f850611aedbe8" --000000000000f82f850611aedbe8 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Would you trust any of them at this point? I have a copy of svn trunk. I will never use anything they release, no matter what they call it. Joe Schaefer, Ph.D. Orion - The Enterprise Jamstack Wiki > 954.253.3732 On Sun, Feb 18, 2024 at 4:41=E2=80=AFPM Mithun Bhattacharya om> wrote: > So it will be moved to retired I assume or are they going to break their > own rules and purge it altogether? > > > On Sun, Feb 18, 2024, 3:33=E2=80=AFPM Joe Schaefer w= rote: > >> 2.18 will never be released. They are shutting down the project. >> >> Joe Schaefer, Ph.D. >> >> Orion - The Enterprise Jamstack Wiki >> >> >> 954.253.3732 >> >> >> >> >> On Sun, Feb 18, 2024 at 4:32=E2=80=AFPM Mithun Bhattacharya l.com> >> wrote: >> >>> Could you clarify this - 2.17 has a critical bug and 2.18 is about to >>> come out which doesn't have a good enough patch so how would trunk be a= ny >>> better? >>> >>> Also how is this passing make test or were the test cases modified to >>> make the bug pass ? >>> >>> >>> On Sun, Feb 18, 2024, 1:12=E2=80=AFPM Joe Schaefer = wrote: >>> >>>> Trunk is the safe bet. >>>> >>>> Joe Schaefer, Ph.D. >>>> >>>> Orion - The Enterprise Jamstack Wiki >>>> >>>> >>>> 954.253.3732 >>>> >>>> >>>> >>>> >>>> On Sun, Feb 18, 2024 at 2:11=E2=80=AFPM Mithun Bhattacharya ail.com> >>>> wrote: >>>> >>>>> So is there a cleaner/saner version of libapreq2 or is the 2012 >>>>> version better ? >>>>> >>>>> On Sun, Feb 18, 2024, 12:58=E2=80=AFPM Joe Schaefer om> >>>>> wrote: >>>>> >>>>>> For the past 25 years, I have been the lead developer of the >>>>>> libapreq2 subproject within the Apache HTTPd Server Parent Project. = The >>>>>> original idea of libapreq as a safe/performant HTML form and Cookie = parsing >>>>>> library came out of a collaboration between Lincoln Stein and Doug >>>>>> MacEachern in the late 90s. >>>>>> >>>>>> It was my vision back then to transform the library into a generic, >>>>>> non-Perl related C library that would support language bindings from= other >>>>>> programming languages, which is why I pushed for the project to be h= omes >>>>>> under the HTTPd umbrella instead of the Apache-Perl project. >>>>>> >>>>>> While this vision was wildly successful, with language bindings >>>>>> available for several languages like Perl, TCL, R, etc, ever since a= bout >>>>>> 2010 its proven tragic for the existing user community consisting of= all of >>>>>> them, not just Perl. >>>>>> >>>>>> What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at >>>>>> the time, started agitating that we promote the project to be releas= ed from >>>>>> inside the HTTPd server itself. What Philip didn=E2=80=99t know very= well back then >>>>>> was how utterly vapid and territorial that team had become, which wo= uld >>>>>> have meant having to collaborate with them directly on user-facing >>>>>> decisions about the code base. >>>>>> >>>>>> In 2012, Philip got what he wanted and I stopped resisting, so he >>>>>> forked the existing project and copied the C library components into= HTTPd >>>>>> core. >>>>>> >>>>>> In 2016 I resigned from the Foundation en masse. You can guess the >>>>>> reasons. >>>>>> >>>>>> In 2020 or so, Google=E2=80=99s Security Team took advantage of an a= lpha >>>>>> release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It fou= nd a >>>>>> few hotspots that needed repair. >>>>>> >>>>>> Instead of having the courtesy of reaching out to me, or anyone else >>>>>> involved in development of apreq, a junior engineer on the HTTPd tea= m went >>>>>> about the business of =E2=80=9Cbug fixing=E2=80=9D the vulnerabiliti= es Google found. You >>>>>> can see a record of his trial and error work in every release since = then. >>>>>> >>>>>> But the coup de grace was the 2022 release of 2.17, wherein the >>>>>> rookie developer purposely introduced a fatal bug into the codebase, >>>>>> breaking a fifteen year old regression test. >>>>>> >>>>>> If you are wondering how something with a broken regression test >>>>>> winds up on CPAN, you=E2=80=99ll have to look into how RELENG is don= e in the server >>>>>> project. >>>>>> >>>>>> Long story short, they commented out the test and shipped it anyway, >>>>>> and called it a Security Release that fixed a vulnerability every pr= ior >>>>>> release was susceptible to. >>>>>> >>>>>> Why do I care now? Because I=E2=80=99m the sucker users reach out to= for >>>>>> answers as a known subject matter expert. >>>>>> >>>>>> This sucks, but I=E2=80=99m sorry to tell you that my days wearing t= he >>>>>> Superman cape at Apache ended 8 years ago. >>>>>> >>>>>> -- >>>>>> Joe Schaefer, Ph.D. >>>>>> >>>>>> Orion - The Enterprise Jamstack Wiki >>>>>> >>>>>> >>>>>> 954.253.3732 >>>>>> >>>>>> >>>>>> --000000000000f82f850611aedbe8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Would you trust any of them at this point? =3D"auto"> I have a copy of svn trunk.=C2=A0 I w= ill never use anything they release, no matter what they call it. =3D"all"> l_signature" data-smartmail=3D"gmail_signature"> Joe Schaef= er, Ph.D. target=3D"_blank">orK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1H= n4"> =3D"_blank">Orion - The Enterprise Jamstack Wiki v><joe-at-sunstarsy= s.com> 95= 4.253.3732 <= /div> tr" class=3D"gmail_attr">On Sun, Feb 18, 2024 at 4:41=E2=80=AFPM Mithun Bha= ttacharya <mithnb-at-gmail.com> = wrote: x;border-left:1px #ccc solid;padding-left:1ex"> So it= will be moved to retired I assume or are they going to break their own rul= es and purge it altogether? class=3D"gmail_quote"> On Sun, Feb 18,= 2024, 3:33=E2=80=AFPM Joe Schaefer <m" target=3D"_blank">joe-at-sunstarsys.com> wrote: class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc soli= d;padding-left:1ex"> 2.18 will never be released. They are= shutting down the project. r=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_signature"> dir=3D"ltr">Joe Schaefer, Ph.D. ys.com/orion/features" rel=3D"noreferrer" target=3D"_blank">ps://ci3.googleusercontent.com/mail-sig/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb= 2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1Hn4"> ps://sunstarsys.com/orion/features" rel=3D"noreferrer" target=3D"_blank">Or= ion - The Enterprise Jamstack Wiki <=3D"mailto:joe-at-sunstarsys.com" rel=3D"noreferrer" target=3D"_blank">joe-at-sun= starsys.com> rer" target=3D"_blank">954.253.3732 = mail_quote"> On Sun, Feb 18, 2024 at 4= :32=E2=80=AFPM Mithun Bhattacharya <rel=3D"noreferrer" target=3D"_blank">mithnb-at-gmail.com> wrote: iv> :1px #ccc solid;padding-left:1ex"> Could you clarify = this - 2.17 has a critical bug and 2.18 is about to come out which doesn= 9;t have a good enough patch so how would trunk be any better? r=3D"auto"> Also how is this passing make test o= r were the test cases modified to make the bug pass ? =3D"auto"> > On Sun, Feb 18, 2024, 1:12=E2=80=AFP= M Joe Schaefer < target=3D"_blank">joe-at-sunstarsys.com> wrote: lass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;= padding-left:1ex"> Trunk is the safe bet. > rtmail=3D"gmail_signature"> Joe Schaefer, Ph.D. <= div>eferrer" target=3D"_blank">il-sig/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3H= BrV6fAW1Hn4"> s" rel=3D"noreferrer noreferrer" target=3D"_blank">Orion - The Enterprise J= amstack Wiki <ys.com" rel=3D"noreferrer noreferrer" target=3D"_blank">joe-at-sunstarsys.com<= /a>> er" target=3D"_blank">954.253.3732 <= /div> ail_quote"> On Sun, Feb 18, 2024 at 2:= 11=E2=80=AFPM Mithun Bhattacharya <el=3D"noreferrer noreferrer" target=3D"_blank">mithnb-at-gmail.com> wro= te: order-left:1px #ccc solid;padding-left:1ex"> So is there a= cleaner/saner version of libapreq2 or is the 2012 version better ? r> On Sun, = Feb 18, 2024, 12:58=E2=80=AFPM Joe Schaefer <arsys.com" rel=3D"noreferrer noreferrer" target=3D"_blank">joe-at-sunstarsys.c= om> wrote: n:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> = ;font-size:13.3333px;background-color:rgb(246,246,239)">For the past 25 yea= rs, I have been the lead developer of the libapreq2 subproject within the A= pache HTTPd Server Parent Project. The original idea of libapreq as a safe/= performant HTML form and Cookie parsing library came out of a collaboration= between Lincoln Stein and Doug MacEachern in the late 90s. =3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:= 13.3333px;background-color:rgb(246,246,239)">It was my vision back then to = transform the library into a generic, non-Perl related C library that would= support language bindings from other programming languages, which is why I= pushed for the project to be homes under the HTTPd umbrella instead of the= Apache-Perl project. dana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239= )">While this vision was wildly successful, with language bindings availabl= e for several languages like Perl, TCL, R, etc, ever since about 2010 its p= roven tragic for the existing user community consisting of all of them, not= just Perl. a,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">What ha= ppened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the time, start= ed agitating that we promote the project to be released from inside the HTT= Pd server itself. What Philip didn=E2=80=99t know very well back then was h= ow utterly vapid and territorial that team had become, which would have mea= nt having to collaborate with them directly on user-facing decisions about = the code base. neva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">In 2= 012, Philip got what he wanted and I stopped resisting, so he forked the ex= isting project and copied the C library components into HTTPd core. tyle=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-s= ize:13.3333px;background-color:rgb(246,246,239)">In 2016 I resigned from th= e Foundation en masse. You can guess the reasons. 130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;back= ground-color:rgb(246,246,239)">In 2020 or so, Google=E2=80=99s Security Tea= m took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old= copy of apreq. It found a few hotspots that needed repair. color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3= 333px;background-color:rgb(246,246,239)">Instead of having the courtesy of = reaching out to me, or anyone else involved in development of apreq, a juni= or engineer on the HTTPd team went about the business of =E2=80=9Cbug fixin= g=E2=80=9D the vulnerabilities Google found. You can see a record of his tr= ial and error work in every release since then. 0,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;backgr= ound-color:rgb(246,246,239)">But the coup de grace was the 2022 release of = 2.17, wherein the rookie developer purposely introduced a fatal bug into th= e codebase, breaking a fifteen year old regression test. or:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333= px;background-color:rgb(246,246,239)">If you are wondering how something wi= th a broken regression test winds up on CPAN, you=E2=80=99ll have to look i= nto how RELENG is done in the server project. 130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;backgrou= nd-color:rgb(246,246,239)">Long story short, they commented out the test an= d shipped it anyway, and called it a Security Release that fixed a vulnerab= ility every prior release was susceptible to. 130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;backgrou= nd-color:rgb(246,246,239)">Why do I care now? Because I=E2=80=99m the sucke= r users reach out to for answers as a known subject matter expert. yle=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-si= ze:13.3333px;background-color:rgb(246,246,239)">This sucks, but I=E2=80=99m= sorry to tell you that my days wearing the Superman cape at Apache ended 8= years ago. -- pan> signature"> Joe Schaefer, Ph.D. ttps://sunstarsys.com/orion/features" rel=3D"noreferrer noreferrer noreferr= er" target=3D"_blank">g/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6f= AW1Hn4"> l=3D"noreferrer noreferrer noreferrer" target=3D"_blank">Orion - The Enterp= rise Jamstack Wiki <nstarsys.com" rel=3D"noreferrer noreferrer noreferrer" target=3D"_blank">jo= e-at-sunstarsys.com> referrer noreferrer noreferrer" target=3D"_blank">954.253.3732 v> --000000000000f82f850611aedbe8-- --===============1776805377== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout --===============1776805377==-- --===============1776805377== Content-Type: multipart/alternative; boundary="000000000000f82f850611aedbe8" --000000000000f82f850611aedbe8 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Would you trust any of them at this point? I have a copy of svn trunk. I will never use anything they release, no matter what they call it. Joe Schaefer, Ph.D. Orion - The Enterprise Jamstack Wiki > 954.253.3732 On Sun, Feb 18, 2024 at 4:41=E2=80=AFPM Mithun Bhattacharya om> wrote: > So it will be moved to retired I assume or are they going to break their > own rules and purge it altogether? > > > On Sun, Feb 18, 2024, 3:33=E2=80=AFPM Joe Schaefer w= rote: > >> 2.18 will never be released. They are shutting down the project. >> >> Joe Schaefer, Ph.D. >> >> Orion - The Enterprise Jamstack Wiki >> >> >> 954.253.3732 >> >> >> >> >> On Sun, Feb 18, 2024 at 4:32=E2=80=AFPM Mithun Bhattacharya l.com> >> wrote: >> >>> Could you clarify this - 2.17 has a critical bug and 2.18 is about to >>> come out which doesn't have a good enough patch so how would trunk be a= ny >>> better? >>> >>> Also how is this passing make test or were the test cases modified to >>> make the bug pass ? >>> >>> >>> On Sun, Feb 18, 2024, 1:12=E2=80=AFPM Joe Schaefer = wrote: >>> >>>> Trunk is the safe bet. >>>> >>>> Joe Schaefer, Ph.D. >>>> >>>> Orion - The Enterprise Jamstack Wiki >>>> >>>> >>>> 954.253.3732 >>>> >>>> >>>> >>>> >>>> On Sun, Feb 18, 2024 at 2:11=E2=80=AFPM Mithun Bhattacharya ail.com> >>>> wrote: >>>> >>>>> So is there a cleaner/saner version of libapreq2 or is the 2012 >>>>> version better ? >>>>> >>>>> On Sun, Feb 18, 2024, 12:58=E2=80=AFPM Joe Schaefer om> >>>>> wrote: >>>>> >>>>>> For the past 25 years, I have been the lead developer of the >>>>>> libapreq2 subproject within the Apache HTTPd Server Parent Project. = The >>>>>> original idea of libapreq as a safe/performant HTML form and Cookie = parsing >>>>>> library came out of a collaboration between Lincoln Stein and Doug >>>>>> MacEachern in the late 90s. >>>>>> >>>>>> It was my vision back then to transform the library into a generic, >>>>>> non-Perl related C library that would support language bindings from= other >>>>>> programming languages, which is why I pushed for the project to be h= omes >>>>>> under the HTTPd umbrella instead of the Apache-Perl project. >>>>>> >>>>>> While this vision was wildly successful, with language bindings >>>>>> available for several languages like Perl, TCL, R, etc, ever since a= bout >>>>>> 2010 its proven tragic for the existing user community consisting of= all of >>>>>> them, not just Perl. >>>>>> >>>>>> What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at >>>>>> the time, started agitating that we promote the project to be releas= ed from >>>>>> inside the HTTPd server itself. What Philip didn=E2=80=99t know very= well back then >>>>>> was how utterly vapid and territorial that team had become, which wo= uld >>>>>> have meant having to collaborate with them directly on user-facing >>>>>> decisions about the code base. >>>>>> >>>>>> In 2012, Philip got what he wanted and I stopped resisting, so he >>>>>> forked the existing project and copied the C library components into= HTTPd >>>>>> core. >>>>>> >>>>>> In 2016 I resigned from the Foundation en masse. You can guess the >>>>>> reasons. >>>>>> >>>>>> In 2020 or so, Google=E2=80=99s Security Team took advantage of an a= lpha >>>>>> release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It fou= nd a >>>>>> few hotspots that needed repair. >>>>>> >>>>>> Instead of having the courtesy of reaching out to me, or anyone else >>>>>> involved in development of apreq, a junior engineer on the HTTPd tea= m went >>>>>> about the business of =E2=80=9Cbug fixing=E2=80=9D the vulnerabiliti= es Google found. You >>>>>> can see a record of his trial and error work in every release since = then. >>>>>> >>>>>> But the coup de grace was the 2022 release of 2.17, wherein the >>>>>> rookie developer purposely introduced a fatal bug into the codebase, >>>>>> breaking a fifteen year old regression test. >>>>>> >>>>>> If you are wondering how something with a broken regression test >>>>>> winds up on CPAN, you=E2=80=99ll have to look into how RELENG is don= e in the server >>>>>> project. >>>>>> >>>>>> Long story short, they commented out the test and shipped it anyway, >>>>>> and called it a Security Release that fixed a vulnerability every pr= ior >>>>>> release was susceptible to. >>>>>> >>>>>> Why do I care now? Because I=E2=80=99m the sucker users reach out to= for >>>>>> answers as a known subject matter expert. >>>>>> >>>>>> This sucks, but I=E2=80=99m sorry to tell you that my days wearing t= he >>>>>> Superman cape at Apache ended 8 years ago. >>>>>> >>>>>> -- >>>>>> Joe Schaefer, Ph.D. >>>>>> >>>>>> Orion - The Enterprise Jamstack Wiki >>>>>> >>>>>> >>>>>> 954.253.3732 >>>>>> >>>>>> >>>>>> --000000000000f82f850611aedbe8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Would you trust any of them at this point? =3D"auto"> I have a copy of svn trunk.=C2=A0 I w= ill never use anything they release, no matter what they call it. =3D"all"> l_signature" data-smartmail=3D"gmail_signature"> Joe Schaef= er, Ph.D. target=3D"_blank">orK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1H= n4"> =3D"_blank">Orion - The Enterprise Jamstack Wiki v><joe-at-sunstarsy= s.com> 95= 4.253.3732 <= /div> tr" class=3D"gmail_attr">On Sun, Feb 18, 2024 at 4:41=E2=80=AFPM Mithun Bha= ttacharya <mithnb-at-gmail.com> = wrote: x;border-left:1px #ccc solid;padding-left:1ex"> So it= will be moved to retired I assume or are they going to break their own rul= es and purge it altogether? class=3D"gmail_quote"> On Sun, Feb 18,= 2024, 3:33=E2=80=AFPM Joe Schaefer <m" target=3D"_blank">joe-at-sunstarsys.com> wrote: class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc soli= d;padding-left:1ex"> 2.18 will never be released. They are= shutting down the project. r=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_signature"> dir=3D"ltr">Joe Schaefer, Ph.D. ys.com/orion/features" rel=3D"noreferrer" target=3D"_blank">ps://ci3.googleusercontent.com/mail-sig/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb= 2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6fAW1Hn4"> ps://sunstarsys.com/orion/features" rel=3D"noreferrer" target=3D"_blank">Or= ion - The Enterprise Jamstack Wiki <=3D"mailto:joe-at-sunstarsys.com" rel=3D"noreferrer" target=3D"_blank">joe-at-sun= starsys.com> rer" target=3D"_blank">954.253.3732 = mail_quote"> On Sun, Feb 18, 2024 at 4= :32=E2=80=AFPM Mithun Bhattacharya <rel=3D"noreferrer" target=3D"_blank">mithnb-at-gmail.com> wrote: iv> :1px #ccc solid;padding-left:1ex"> Could you clarify = this - 2.17 has a critical bug and 2.18 is about to come out which doesn= 9;t have a good enough patch so how would trunk be any better? r=3D"auto"> Also how is this passing make test o= r were the test cases modified to make the bug pass ? =3D"auto"> > On Sun, Feb 18, 2024, 1:12=E2=80=AFP= M Joe Schaefer < target=3D"_blank">joe-at-sunstarsys.com> wrote: lass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;= padding-left:1ex"> Trunk is the safe bet. > rtmail=3D"gmail_signature"> Joe Schaefer, Ph.D. <= div>eferrer" target=3D"_blank">il-sig/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3H= BrV6fAW1Hn4"> s" rel=3D"noreferrer noreferrer" target=3D"_blank">Orion - The Enterprise J= amstack Wiki <ys.com" rel=3D"noreferrer noreferrer" target=3D"_blank">joe-at-sunstarsys.com<= /a>> er" target=3D"_blank">954.253.3732 <= /div> ail_quote"> On Sun, Feb 18, 2024 at 2:= 11=E2=80=AFPM Mithun Bhattacharya <el=3D"noreferrer noreferrer" target=3D"_blank">mithnb-at-gmail.com> wro= te: order-left:1px #ccc solid;padding-left:1ex"> So is there a= cleaner/saner version of libapreq2 or is the 2012 version better ? r> On Sun, = Feb 18, 2024, 12:58=E2=80=AFPM Joe Schaefer <arsys.com" rel=3D"noreferrer noreferrer" target=3D"_blank">joe-at-sunstarsys.c= om> wrote: n:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> = ;font-size:13.3333px;background-color:rgb(246,246,239)">For the past 25 yea= rs, I have been the lead developer of the libapreq2 subproject within the A= pache HTTPd Server Parent Project. The original idea of libapreq as a safe/= performant HTML form and Cookie parsing library came out of a collaboration= between Lincoln Stein and Doug MacEachern in the late 90s. =3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:= 13.3333px;background-color:rgb(246,246,239)">It was my vision back then to = transform the library into a generic, non-Perl related C library that would= support language bindings from other programming languages, which is why I= pushed for the project to be homes under the HTTPd umbrella instead of the= Apache-Perl project. dana,Geneva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239= )">While this vision was wildly successful, with language bindings availabl= e for several languages like Perl, TCL, R, etc, ever since about 2010 its p= roven tragic for the existing user community consisting of all of them, not= just Perl. a,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">What ha= ppened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the time, start= ed agitating that we promote the project to be released from inside the HTT= Pd server itself. What Philip didn=E2=80=99t know very well back then was h= ow utterly vapid and territorial that team had become, which would have mea= nt having to collaborate with them directly on user-facing decisions about = the code base. neva,sans-serif;font-size:13.3333px;background-color:rgb(246,246,239)">In 2= 012, Philip got what he wanted and I stopped resisting, so he forked the ex= isting project and copied the C library components into HTTPd core. tyle=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-s= ize:13.3333px;background-color:rgb(246,246,239)">In 2016 I resigned from th= e Foundation en masse. You can guess the reasons. 130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;back= ground-color:rgb(246,246,239)">In 2020 or so, Google=E2=80=99s Security Tea= m took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old= copy of apreq. It found a few hotspots that needed repair. color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3= 333px;background-color:rgb(246,246,239)">Instead of having the courtesy of = reaching out to me, or anyone else involved in development of apreq, a juni= or engineer on the HTTPd team went about the business of =E2=80=9Cbug fixin= g=E2=80=9D the vulnerabilities Google found. You can see a record of his tr= ial and error work in every release since then. 0,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;backgr= ound-color:rgb(246,246,239)">But the coup de grace was the 2022 release of = 2.17, wherein the rookie developer purposely introduced a fatal bug into th= e codebase, breaking a fifteen year old regression test. or:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333= px;background-color:rgb(246,246,239)">If you are wondering how something wi= th a broken regression test winds up on CPAN, you=E2=80=99ll have to look i= nto how RELENG is done in the server project. 130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;backgrou= nd-color:rgb(246,246,239)">Long story short, they commented out the test an= d shipped it anyway, and called it a Security Release that fixed a vulnerab= ility every prior release was susceptible to. 130,130);font-family:Verdana,Geneva,sans-serif;font-size:13.3333px;backgrou= nd-color:rgb(246,246,239)">Why do I care now? Because I=E2=80=99m the sucke= r users reach out to for answers as a known subject matter expert. yle=3D"color:rgb(130,130,130);font-family:Verdana,Geneva,sans-serif;font-si= ze:13.3333px;background-color:rgb(246,246,239)">This sucks, but I=E2=80=99m= sorry to tell you that my days wearing the Superman cape at Apache ended 8= years ago. -- pan> signature"> Joe Schaefer, Ph.D. ttps://sunstarsys.com/orion/features" rel=3D"noreferrer noreferrer noreferr= er" target=3D"_blank">g/AIorK4znBF_TAme6pCiav9cgwbIEHDJwyXb2f2Ymw0uY-9ZKx45P_KcsYtcI8RGqtr3HBrV6f= AW1Hn4"> l=3D"noreferrer noreferrer noreferrer" target=3D"_blank">Orion - The Enterp= rise Jamstack Wiki <nstarsys.com" rel=3D"noreferrer noreferrer noreferrer" target=3D"_blank">jo= e-at-sunstarsys.com> referrer noreferrer noreferrer" target=3D"_blank">954.253.3732 v> --000000000000f82f850611aedbe8-- --===============1776805377== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout --===============1776805377==--