Domain: apache.org
Stories and comments across the archive that link to apache.org.
Comments · 2,937
-
Re:Still holding out.
RBL subscriptions are entirely optional. Nothing, aside from taking the time to set it up, is stopping you from setting up your own mail server with SpamAssassin and/or various other filtering options controlled exclusively by you. Like anything, it's not perfect, but in my ten years of using it, it's proven to be immensely effective. With freedom comes responsibility and work.
I don't use Facebook at all, and I'm not about to start any time soon. Anything private gets sent via GPG/PGP encrypted mail. I've helped quite a few people configure their mail clients to support PKI, and all it cost me was a bit of time. Yes, that takes a little bit of effort, but with freedom comes responsibility and work.
As for the XMPP points, as long as you're operating your own XMPP server (which is incredibly easy), you're not depending on a monopoly. While others may indeed be using mass market services that offer XMPP functionality, that's their choice, and if you feel like it you can teach family and friends how to operate their own servers as well. With freedom comes responsibility and work.
Regarding IP numbers, go ahead and get your own allocation from ARIN (or whoever your RIR happens to be). It's not that difficult, and if you want to go ahead and get an IPv6 allocation, you're going to have more IPs right off the bat than you'll know what to do with. You can then either help others understand why IPv6 is awesome, or wait until adoption becomes more widespread, or use 6-to-4 gateways, or a combination thereof. Sure, IP space isn't free of charge, but it's a fixed cost, and there's no such thing as a free lunch. Freedom to do what you want does not necessarily imply freedom from monetary cost.
For domain names, which of course aren't even strictly necessary for Internet communications, you have many options for registrars. Some are better than others. Some cost more, some cost less. Some are known for great service, and some are known for people like Bob Parsons, who I'd love to drag into a field and beat senseless. If you don't like the usual suspects for TLDs, you're free to choose a registrar in Whothefuckknowswhereitisistan if you like. With freedom comes responsibility and work.
Now, after saying all this, you're also totally free to set up something completely different that you exclusively control and convince other people to use it. However, that will probably cost you a lot more than everything described here, and then you have a completely different problem. The single point of control will indeed be you, with all the issues that entails. With freedom comes responsibility and work.
Human beings live in societies. To some extent, you will always be dependent on goods and services from someone else if you want to participate in society. You also have the option of living in a shack in the frozen north. You can probably guess what I'm going to say next.
-
Re:"Not a major overhaul"?
You don't need "all the new syntax" to start using C++11; many of the most useful additions are already in all major compilers and have been there since the times when C++11 was known as C++0x and C++ TR1. Current GCC is missing only a few features.
-
Indexes in NoSQL is not new
CouchDB has native map-reduce indexing of arbitrary fields of the stored data. Doesn't appear to be anything new here in that regard.
-
Re:A bit bitter are we?
no, it isn't right to use these quotes when Apache 2.2 (which is what is currently available for production) gets destroyed by nginx / lighty in specific tasks by up to 800%.
Apache 2.4.1 is the version currently available for production, but don't let pesky things like facts stop you.
-
Re:Here we go again
Great, a major LO upgrade. That means I download it, install it, and see how many minutes it takes me before I hit a large enough Office compatibility snag that makes me delete it and swear off giving it another shot.
Instead of swearing it off, get in touch with me and we will file bugs. Sure, it might take a year or three until they are fixed, but most of them _do_ get fixed in LibreOffice. I would say that the last year in LO has closed more of my bugs than the past five years of OpenOffice.org, including one very critical bug that has been open for almost _ten_years_:
https://issues.apache.org/ooo/show_bug.cgi?id=5556
Fixed in LO six months after filing:
https://bugs.freedesktop.org/show_bug.cgi?id=37978
You can contact me here, please have a file that demonstrates the issue handy or clear reproduction instructions:
http://dotancohen.com/eng/message.php
Thanks.
-
Re:Two can play at that game
every bit of hiding (obscuring) information helps
"security through obscurity" is sometimes implemented in addition to authentication as part of "defense in depth"
an example of this (which fits the accepted meaning of "security by obscurity") is setting the "ServerTokens" directive in "/etc/apache2/conf.d/security" to "Prod" so as to hide the Apache version number in the default error pages... many webmasters do this, but only in addition to other security measures as required (not as their primary security measure). While not usually that much of an issue for up-to-date servers, setting "ServerTokens" to "Full" can help a potential hacker use exploits known for a version of Apache (a server in a datacenter might be updated on a schedule rather than whenever updates are released). If hackers can see your Apache version, they can look up the vulnerabilities for that version (below) and bust in.
http://httpd.apache.org/security/vulnerabilities_20.html
-
Java + Apache Tapestry
I use Java as my language of choice (because I know it and there are tons of libraries available.)
For web sites that are used by people, I use Apache Tapestry 5 as the web framework. It's very easy to use, integrates with Hibernate, is very fast and makes me very productive. I find that I can write nice looking pages that work well in a very short amount of time. I end up writing very little actual code, so maintenance is easy. Live class reloading is a major plus, I just edit my page or Java class, hit save and the changes are ready to be used in my browser.
However, there are many other Java web frameworks to choose from based on what you like best. Java is a bit bloated, but it's pretty fast and stable. And there are libraries for almost anything. (I generate PDFs, for example, using iText and everything works very well together.)
I use Eclipse for my IDE, which while it could be faster and less bloated, seems to work pretty well.
If you want to focus entirely on web services (e.g. SOAP or REST), then there are easier solutions for that in the Java world. (I use JAXB annotations with Jersey for REST services.) For SOAP I'd use Apache CXF based on what I've read. You can integrate both of these with Tapestry and Hibernate to create a cohesive web platform.
-
Re:RHEL Tomcat 5?
Yes, you are missing http://svn.apache.org/repos/asf/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml which means it has not yet been released.
-
Re:Still trying to understand the attack?
Couldn't this be solved easily & quickly by limiting the NUMBER of parameters accepted? (in the parse phase, prior to them being hashed) ?
Yup. That is exactly what the Apache Tomcat people are doing: https://mail-archives.apache.org/mod_mbox/www-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E
In short, sloppy programming.
-
Re:Another Linux using server compromised? LMAO!
-
Re:Page Size of personal home page...
Compression savings is a good reason to run Apache's mod_deflate
-
The ghost of Christmas Future points out:
Unless a lot of things about this project change it is pretty much doomed. (Well, doomed to be ignored by everybody outside of IBM; they can finance their own Symphony devs, but nothing else will come of this unless things change.)
If you glance at the Apache openoffice mailing lists, a few things become clear:
- Rob Weir, who is basically running the show and who seems like a perfectly reasonable person from his blog, acts like a caustic, sarcastic, and poorly socialized adolescent in communicating with other developers. He's alienating people right and left. People have tried to get him to stop, but he either ignores it or just acts like it's those he's offended who are to blame for any unpleasantness.
- Due to Rob's attitude and other unfortunate factors, any chance of gaining cooperation from anyone who's been involved in LibreOffice has pretty much evaporated. If there'd been a little bit of diplomacy, I bet a lot of people would have been OK with dual-licensing their patches for Apache OO to use as well, and the two projects could have gotten a lot of mutually beneficial effort in support, security, localization, language tools, and extensions; AOO folks have instead opted to prioritize insulting LibreOffice folks over getting anything done.
- They tore a lot of functionality out of OpenOffice for their license compliance crusade. I can understand that they can't ship copylefted code, but tearing out the use of LGPL'ed libraries seems kind of ridiculous. (For me personally, the loss of WordPerfect import is going to force me to LibreOffice.)
- Apache OpenOffice 3.4 won't be released until the middle of next year-- the first OO release since this January, with relatively little improvement over OO 3.3 and a fair bit of missing functionality-- LibreOffice will have gone through three "major" releases and another dozen point releases, fixing a lot of bugs, refactoring a lot of code, and introducing a few new features. AOO will have taken roughly a full year (June 2011-2012) to make their first code shipment and people will have long since moved on.
I really wanted to see Apache OpenOffice succeed and become the main branch; I think that for a project like OO, having either a permissive license or copyright assignment to a well-governed nonprofit (as with GNU software) is a really wise idea. But I can't see them making much progress as things stand.
-
No really?
Just imagine, soon we can run a webserver on Windows, and even use PHP! Soon we can even have an open source database on windows. Not to mention an open source office suite! All thanks to the windows 8 store!
/sarcasm.
Seriously, why on earth is this news? Windows is not incompatible with open source, you know... Just download and install. Or will MS try to lock Win8 down so much that we seriously expect to get apps from the app store???
In which case: Tnxbutnotnx.
-
Re:Microsoft and open source
Heck, Apache HTTPd became the dominant web server without any support from major players.
-
Re:Microsoft and open source
Looking at what Firefox has become, I'm not so sure. Sure, there are some good open source products, but they're usually backed by huge corporations like Google or Apple. They both contribute to Webkit and Chromium. Firefox comes from Netscape and is currently a joke. Apache is backed by huge companies.
Apart from those, are there actually open source projects that can compete with proprietary counterparts? Especially on less popular niches like industry products or games (even though games is a popular niche, but there still isn't any good open source games or game engines).
-
Re:Distributed object stores
You mean like OODT ( ) ? or something more like iRODS ? Both are used by various 'big data' groups (NASA, NIH, NOAA, NOAO, super computing centers) to share data across multiple sites.
As for the indexes .... well, if science.gov and data.gov are any example, they could use some work. Although, hopefully in this case, you're describing bibliographic records, so the necessary metadata is a little more standardized.
In some cases, it'd be better to just put the records out there under standardized open APIs, and let interested parties make interfaces to the stuff they're interested.
-
Re:Use nginx?
Even Apache has a project called http://trafficserver.apache.org/ if performance is what you need.
-
Re:Probably not worthy of a front page article...
Bad Joke of the day: What do you do if your http server is broken? Just apply A-patch-e!!! (sorry)
Thanks for cracking that hilariously funny joke in the end (for the millionth time)
http://wiki.apache.org/httpd/FAQ#Why_the_name_.22Apache.22.3F
https://en.wikipedia.org/wiki/Apache_HTTP_Server
-
Apache Wave
It seems that Google Wave has been transferred to the Apache Foundation in some form.
-
Re:Damn. Loved Wave
Still use it nearly every day. I was hoping they would open it up and my friends and I could host it on our own server
I have some good news - although they don't seem to actually have a really ready yet.
-
Re:Welcome to the cloud!
You could also run Wave yourself: Google has made it Open Source and it's now an Apache project: https://incubator.apache.org/wave/index.html
-
Re:OpenJDK?
The GPL license is not copyleft. OpenJDK is GPL 2, as Harmony was Apache 2.
Apache 2 is GPL 3 compatible, but not GPL 2 compatible.
-
Re:Bad learning resources
??? I just got a note from my manager on "big data", and decided to take a look at Hadoop. I downloaded the latest stable release, set JAVA_HOME in the config file and ran the example program. Total time to having a working instance: about a half hour, which included five minutes or so to download the tarball. Did you not see this page?
-
Re:from TFA...
This might explain it a little better:
-
Re:I wonder who commissioned this study
The kernel is, and the rest is APACHE licensed which is a FREE license.
http://www.apache.org/licenses/LICENSE-2.0
-
Re:Obligatory: RAID is not a backup
Having said that, Hadoop's HDFS looks quite good. AFAIK it is pretty robust, and it runs on top of an existing FS so you won't need to repartition, which is useful. FUSE file system driver, and Java, will be a bit slower than in-kernel, but probably not an issue for bulk data storage.
HDFS is not a solution. It doesn't provide POSIX capabilities such as random writes and altering existing files. Although FUSE lets you mount it and make it look like a regular FS, you need to make sure apps that use it only use the features that it supports otherwise, the apps will start getting errors when doing disk operations and potentially going down in flames when they try to save files or some such thing.
-
Re:Obligatory: RAID is not a backup
If you have more than one server then it's pretty easy to set up rsync with rolling backups (rsnapshot or rdiff-backup or whatever) which is more of a proper backup solution. It's also probably a bit easier to administrate than a clusterfs.
Having said that, Hadoop's HDFS looks quite good. AFAIK it is pretty robust, and it runs on top of an existing FS so you won't need to repartition, which is useful. FUSE file system driver, and Java, will be a bit slower than in-kernel, but probably not an issue for bulk data storage.
Oh, and another option is the Distributed Replicated Block Device. Though this is basically network RAID and not replication on a per file basis.
-
Hadoop HDFS
You can use Apache Hadoop's HDFS. http://hadoop.apache.org/hdfs/ It is fairly simple to set up, very scalable, and it is very easy to set up a replication factor so that all your data is replicated 2, 3 or even more number of times across your cluster. It is used at many places for distributed computing, but I see no reason that it couldn't serve you well as a large personal file service.
-
Re:DRTFA
They released the code under the Apache license, which includes a patent license in section 3.
-
Apache Server Settings
#1 - this has been a topic of conversation for a while
#2 - per documentation at apache (Yes, I dare say a majority of web servers are running apache) There is a flag that can turn renegotiation on/off
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
Available in httpd 2.0.64 and later, if using OpenSSL 0.9.8m or later
The default setting is: SSLInsecureRenegotiation off
#3 - which leads to the conclusion that this is overhyped.
-
Re:Can JBoss be installed without being root?
These questions are answered in the Tomcat Connectors FAQ.
Re: your sig. You will find people withhold less information when you take the time to do research before asking FAQs. Paying them helps too ;-)
-
Re:Why?
ASF will (IMO) take anything any company wants to foist upon it. Look at the RogueWave-contributed stdcxx project (a C++ standard library) that was receiving contributions from the Sun/Oracle compiler team. The developer mailing list has been virtually silent. It's a dead project now.
The last post was back in June about Pathscale forking it to simplify the development and contribution model. The June discussion is more telling if you realize that one of the participants (Teleman) is from Sun/Oracle.
I am very happy that I don't do C++ development on Solaris any more.
-
Conflating two different organizations
The article is conflating the Team OpenOffice, e.V. non profit with the OpenOffice.org open source project.
Team OpenOffice, e.V, was the fundraising arm of the OpenOffice.org project, set up as a non profit so they could legally raise funds for things like conferences. It was always independent of the open source project.
The OpenOffice.org open source project, the code, the trademarks, the domain name and the website, have moved to Apache, where work continues: http://incubator.apache.org/openofficeorg/
It looks like the Team OpenOffice, e.V. guys are publishing alarmist material in order to raise money. That is a standard fundraising technique. What about the children, the baby seals, the environment? Who will save them now that the big bad oil companies/loggers/tech corporations that are out to get them. Send money now or the kitten dies.
-
Re:apache's mod_backhand
Sort of. It was built from patches a bunch of webmasters had made against NCSA httpd.
https://httpd.apache.org/ABOUT_APACHE.html
-
Re:PostgreSQL?
I develop web applications every day with PostgreSQL and Python, both very popular projects which originated in universities. I also depend on the ubiquitous Apache HTTP server which was originally a derivative of a university project. Both my development and production environments are GNU/Linux. GNU and Linux were not projects at universities, but they were non-commercial and inspired by experiences in universities.
Though Unix originated at AT&T, the additions from BSD have profound and lasting effects on all modern operating systems, especially Unix-like ones. The Internet was developed at universities and TCP/IP was originally implemented on BSD Unix.
-
Re:Sure does (you even SAID how)
Netcraft can only tell you what the server is configured to tell it.
See: http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
And: http://httpd.apache.org/docs/2.2/mod/core.html#serversignature
Or, if it's even Apache at all, consider: http://forum.lighttpd.net/topic/3887
Finally, even if you had the version of apache and the server wasn't lying to you, it's the OpenSSL and/or GNUtls library version you'd need to know to actually find out what's supportable, and that still doesn't tell you if the admin disabled specific protocol versions. (i.e., Apache/1.3.42 (Unix) mod_perl/1.31 could probably be compiled against libssl 1.0.0 or 0.0.6 for all you know. Assuming it's not lighttpd configured to lie.)
The only way to know what version of SSL/TLS is supported is to connect and ask for decreasing versions until one is accepted.
-
Hadoop
From http://hadoop.apache.org/ The Apache Hadoop project develops open-source software for reliable, scalable, distributed computing. The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using a simple programming model. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high-availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures.
-
Re:Full Kernel without C*
Because the tools for packaging, dependency management and building are better than anything else around.
Have to disagree here. To be fair, I haven't actually built Java packages myself, but trying to get a Java library installed (with all dependencies) is much more annoying than installing a Ruby gem.
Apache Maven was built to solve this exact problem, and it does so extremely well... even if I do hate designing projects for it.
-
and thus can't grant an explicit license
The article mentions a technicality in Apache's current contributor license agreement that appears to bar Apache from accepting public domain work because there is no copyright owner to grant an explicit copyright license.
-
partly same approach as nginx
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714.
I remember reading how people had all sorts of ideas like sorting the ranges, ignoring gaps of less than 80 bytes, noticing that it went afoul of the standard. Around the same time nginx also did a release with the approach of sending back the entire file if the sum of the ranges was more. That was so simple, and it's okay according to RFC 2616 a server MAY ignore the range header, so it's clever too! Glad all the memory handling was fixed-up too though.
-
Re:web.?
.htaccess files existed since before 2000 what was your excuse
Excuse: AllowOverride None, as implemented by several shared hosting providers. A file named .htaccess will cause 500 Internal Server Error for any access in the same directory.
-
Re:Not that bad
Oh, and -- sorry -- Apache security advisory.
-
Re:nginx has its problems, too.
Web servers run without root privileges so that the server isn't capable of doing overtly harmful things but you can still modify things that the web server is supposed to modify. That is, it can still mess it up.
If you want to give scripts a separately isolated area, you can use this: http://httpd.apache.org/docs/2.0/suexec.html File system permissions takes over from here.
I don't know too much about SQL servers, but couldn't you probably use kerberos or something instead of directly using database passwords?
-
Re:Apache is too bloated
The link in the blurb claiming to point to the advisory from Apache isn't correct.
The actual advisory from Apache notes that mod_deflate's presence is orthogonal (irrelevant) to the exploitability of this issue.
The correct link: