Slashdot Mirror


For OpenBSD, "No More Apache Updates"

joshmccormack writes "On June 6th Henning Brauer, an OpenBSD developer, announced on one of the OpenBSD mailing lists that the version of Apache shipped with OpenBSD will stay with 1.3.29, due to Apache's license changes. There will be bug fixes, but no more updates. Discussion on blogs, websites and mailing lists on what's next brings up some interesting ideas and strong opinions. Difference of opinion and control have been catalysts to the growth of OpenBSD in the past. Will this be like the birth of pf in OpenBSD, or even the start of OpenBSD itself?"

31 of 128 comments

  1. Story: check.. by denisb · · Score: 4, Informative

    Direct links: fail.
    More info to read up on: fail.
    Reference to the relevant list / list archive: fail.

    Perhaps this story could be fleshed out a little ?
    I'll google it or use some other news source to find more about this, but...

    --
    life+universe+everything=42
    1. Re:Story: check.. by albalbo · · Score: 4, Informative

      A link for you.

      But you're right, it's a very content-free post.

      --
      "Elmo knows where you live!" - The Simpsons
    2. Re:Story: check.. by nocomment · · Score: 4, Informative

      no kidding!

      Since I'm subscribed to the mailing list I've gotten to read all about it for the last couple days. Here's a link to the mailing list archive....here

      A page to actually read more on this is here.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    3. Re:Story: check.. by afabbro · · Score: 4, Informative

      Content-free? You mean this doesn't explain everything? ;) "We've been clear: Their new license contains more stuff, and we do not accept MORE STUFF in licenses." - Theo

      --
      Advice: on VPS providers
    4. Re:Story: check.. by molnarcs · · Score: 4, Informative

      You are right, a link or two might have helped. After googling a little, I found this announcement on undeadly.org

    5. Re:Story: check.. by HyperbolicParabaloid · · Score: 4, Funny

      If only this had been in the post, then the post might not have been so Atkins-friendly.

      --
      A person of moderate zeal
  2. So what? by Rick+the+Red · · Score: 4, Informative
    It's not like we can't get Apache somewhere else. This is Yet Another Licensing Dispute, and the solution is -- as always -- to just download whatever you want to run on your own if it doesn't come bundled with the OS.

    The only way this is even close to what happened with ipf/pf would be if the OpenBSD folks decided to write their own web server and release it under the BSD license, which isn't going to happen because they're OS folks, not web server folks.

    --
    If all this should have a reason, we would be the last to know.
    1. Re:So what? by the+morgawr · · Score: 3, Informative

      While I agree with you, it is entirely possible that someone could take the OpenBSD version of Apache (which has a ton of security patches that never got added back to the main tree) and use it to make OpenHTTPD. If enough people and vendors were concerned about the license change, it could even become the new standard.

      --
      The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
    2. Re:So what? by Pieroxy · · Score: 3, Funny

      I think it is now time to fork once again OpenBSD. I'd suggest the new name to be OpenApacheBSD.

      Cheers.

    3. Re:So what? by molnarcs · · Score: 4, Informative
      It seems they might consider thttpd (well, I'm at the part of the messages when someone brings it up). At first glance it looks pretty nice (the OpenBSD folks only need to add ssl support for it). From their webpage:
      thttpd is a simple, small, portable, fast, and secure HTTP server.

      Simple:
      It handles only the minimum necessary to implement HTTP/1.1. Well, maybe a little more than the minimum.

      Small:
      See the comparison chart. It also has a very small run-time size, since it does not fork and is very careful about memory allocation.

      Portable:
      It compiles cleanly on most any Unix-like OS, specifically including FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF.

      Fast:
      In typical use it's about as fast as the best full-featured servers (Apache, NCSA, Netscape). Under extreme load it's much faster.

      Secure:
      It goes to great lengths to protect the web server machine against attacks and breakins from other sites.

      It also has one extremely useful feature (URL-traffic-based throttling) that no other server currently has. Plus, it supports IPv6 out of the box, no patching required.
      After reading its man page it seems to me they have similar philosophy to pure-ftpd: simplicity and security. (thttpd, just like pure-ftpd, doesn't need a config file, but if you decide to write one, it has a very easy syntax ... not that apache was terribly complex).
    4. Re:So what? by geirt · · Score: 4, Insightful
      Secure:
      It goes to great lengths to protect the web server machine against attacks and breakins from other sites.

      Well, you should try to google for thttpd security. It has a security record which makes Windows 95 look pretty good.

      --

      RFC1925
    5. Re:So what? by Triumph+The+Insult+C · · Score: 3, Interesting

      no, downloading apache elsewhere and running it is not recommended. the asf/apache still has got security bugs that are patched by openbsd/apache, but they (asf) refuse to accept the patches. that's why the openbsd description is (1.3.29 ... + patches)

      --
      vodka, straight up, thank you!
    6. Re:So what? by joshmccormack · · Score: 3, Informative

      Here's where you can find info on thttpd running CGIs.

      It appears, from their benchmarks, that performance running test C CGI's is very good for thttpd.

      Seems like it might be best for simpler scripts, though, as it appears that CGI execution is serialized, so "...one long running script will block all other requests." Here's another explanation.

  3. Re:Bah by Anonymous Coward · · Score: 4, Informative
    Stupid troll. People have harped on this ad-nauseam.

    Theo makes his living by selling packaged OpenBSD install disks (with CVS checkouts of the source, precompiled packages, etc.). The fact that he sells OpenBSD to pay his bills doesn't make it any less free than RedHat selling Linux.

    Also if you want to use a CD based install, try here.

  4. Re:No posts thus far - an omen? by Anonymous Coward · · Score: 5, Insightful

    Don't count on it, son.

    Every time something like this comes up...he turns it into something good. His reputation grows, and the idea of quality software over Every Imaginable Feature spreads.

    I doubt there will be an OpenBSD replacement for Apache. However, Theo knows one thing most people forget: you can whine and moan all you want, but when you accept the product, they win. However, if a few teams stand up and say, "This is NOT acceptable, we will NOT tolerate it", maybe something can change. XFree86 has managed to marginalize themselves, and convinced themselves that a whole lot of nothing:
    http://www.xfree86.org/distro-support.html
    constitutes "community support" for their license fiasco. Maybe Apache is next.

  5. Re:No posts thus far - an omen? by Goo.cc · · Score: 3, Interesting

    de Raadt's stance on licensing is the proper road to take, and commendable. From my observations, Debian is the only other operating system group that is as dedicated to free software as OpenBSD is.

  6. Other OS vendors by DieNadel · · Score: 3, Interesting

    What are other OS vendors doing? It's clear that the new license isn't GNU compatible, and I think that Debian is also going into a direction similar to OpenBSD on this matter.
    Anyone care to elaborate on this?

    --
    Utinam logica falsa tuam philosophiam totam suffodiant!
    1. Re:Other OS vendors by Brandybuck · · Score: 4, Interesting

      The old Apache license wasn't GPL compatible either. In neither case should it affect Debian unless they choose to make a political stink out of it.

      --
      Don't blame me, I didn't vote for either of them!
    2. Re:Other OS vendors by forlornhope · · Score: 5, Informative

      Debian doesn't distribute stuff based on if it is GPL compatible. It bases it on if the software is DFSG-free. After that is the question of linking and Debian always tries to follow the license of the software. That is where the stuff about the binary only firmware in the kernel came from along with the XFree86 stuff. The Linux kernel is not distributable with the firmware and all the GPLed software that depends on xlib can't link against it under the latest XFree86 license.

      --
      "We Don't Need No Truthless Heros!" - Project 86
  7. RTFA... by enyalios · · Score: 5, Funny

    Oh... hmm... it appears there isn't an FA to R.

  8. Re:No posts thus far - an omen? by Brandybuck · · Score: 4, Insightful

    It sounds to me like they are just taking steps to ensure they don't introduce a more restrictive license to the base system.

    Reading through the Apache 2.0 license, I cannot find anything that is more restrictive than before. It's actually less restrictive in some areas, in an attempt to be compatible with the GPL. The two major differences are:

    1) Legalese. The original BSD-like Apache license was quite loose in its wording. This scares the crap out of most corporate lawyers ("OMG, there's no clause indemnifying us against jaywalking!"). So the new license has been tightened up with lawyer-friendly language.

    2) Patent license. The old license was a copyright license. It didn't cover patents. The new one does. You're gaining rights as a user with this.

    I really don't understand what OpenBSD's problem is with this. It's a free license. It's a "copycenter" license. It's unrestricted and unencumbered. I suspect this is about politics more than any actual license terms.

    --
    Don't blame me, I didn't vote for either of them!
  9. Re:No posts thus far - an omen? by Anonymous Coward · · Score: 5, Informative

    From the OpenBSD perspective, you are completely missing the point:

    GPL: OpenBSD does not consider the GPL to be a "free" license. Becoming more "GPL compatible" may be viewed as a benefit to the GNU and Linux people, but it is VERY much against the goal of the BSD projects. Restricting ANYONE'S use of a product is not a good thing in our mind.

    1) "Legalese" is a bad thing. If you gotta get lawyers involved to understand it, it is bad. BY ITSELF, that's grounds for rejection.

    2) When did software patents or anything regarding patents and software become a good thing (at least as commonly used)?

    The new license is much longer and more complex. This is a bad thing (in a BSD advocate's view).
    The BSD license is very simple: Start with the basic rights of a copyright holder, and release ALL of them except the right to be identified as the author, giving the USER FULL RIGHTS TO DO BASICALLY ANYTHING WITH THE CODE other than claim/change authorship or sue for damages.

    Use it. Imbed it. Give it away. Sell it. With or without source code. WHATEVER. Now...add extra words to the license: HOW CAN IT POSSIBLY GET MORE FREE? Anything you add is "taking away" rights. Anything you do to "protect" yourself is again, taking away from the potential userbase of a product.

    The point of the GPL seems to be to keep Open Source software from getting utilized by commercial software vendors. That's a noble goal -- you work for free, you want others to be able to enjoy your work for free. But, you are saying the CODE is free, not the usage of it.

    The Point of the BSD license is to get the software USED in any sense of the word. BSD authors would prefer that their good software be USED in commercial products, rather than having the commercial vendors writing more flawed, or incompatible, or alternative protocols.

    Do you think Cisco would have put a GPL'd SSH into their products? Probably not: they'd have done their own management application, which would only run on Windows machines or a few Unixes, or stuck with telnet. GPL advocates would probably say that was a "victory for freedom of the code", as the (hypothetical) GPL-SSH code wasn't used to make a profit by the evil Cisco. BSD advocates would prefer that the code be FREELY USED by ANYONE, including Cisco, Microsoft, Sun, HP, Intel, Motorola, IBM, and anyone else. Restricting ANYONE, no matter how "evil" they are perceived to be by someone is very much against the point of the BSD license.

  10. Re:No posts thus far - an omen? by perlchild · · Score: 3, Insightful

    Actually, it's quite the opposite. OpenBSD's creed of "Security first" condemns it to a sort of "media obscurity" (nothing kills a story like "It doesn't do anything fancy, and just works") yet Theo's colourful disagreements with practically everyone under the sun keeps the mindshare of OpenBSD alive and well.

    Couple that with their habit of doing things differently from everyone else just once in a while to keep track of who's watching, and you have a winner.

  11. This is about Patents and it is a strange complaint by m_evanchik · · Score: 4, Insightful

    Reading the comments at undeadly.org, it seems the big beef is with a clause that covers patent issues of any code as well as copyright issues.

    Basically, the clause says that if you have any patent claims to the code that you contribute (or is it just use? I'm not sure.) then you irrevocably grant license to others for those patents and if you sue, then you can't use Apache.

    I'm unsure as to how this is a bad thing. Most "free" software licences were written before software patents were a big issue, and therefore only deal with software as a copyrightable, and not a patentable entity. Just as software code must be updated to deal with new operating environments, so legal licensing code must be updated to deal with a changing legal environment.

    The new clause forces patent holders to play nice as well as copyright holders.

    Would it be better to encourage lawsuits over patent issues?

  12. Not a real problem by jpkunst · · Score: 4, Interesting

    I don't think this will be a real problem. If Apache is no longer allowed in the OpenBSD base system it can simply be moved to ports/packages, and it will be just a pkg_add away - just as is now the case with Apache 2.0.

    JP

    1. Re:Not a real problem by peacefinder · · Score: 4, Informative
      It appears that the existing 1.3.29 (+ patches) apache will remain in the base OpenBSD install indefinitely. The OpenBSD folks have audited it for security, and it does what a basic web server needs to do. Anything beyond that is not really the OS vendor's problem anyway.

      As always, if the end users need more features, they can install a newer version. But note the warning on the openbsd-misc list:
      Subject: Re: no more apache updates
      From: Henning Brauer

      let me add one more thing.

      it is of course possible to install an apache 1.3.31 or future ones
      from source on OpenBSD.

      however, doing so is one of the dumbest things you can do.

      there is a number of serious security problems in apache that we have
      fixed, and that have been offered them back, and they refused.

      selfmade apache upgrade = security downgrade, ok?
      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    2. Re:Not a real problem by c13v3rm0nk3y · · Score: 4, Informative

      In theory, this should be doable. In practice, it will be a mess of backporting and three-way merging.

      Not to mention something you will have to do every time the Apache people release new versions with their own patches. You can only maintain your own abandoned tree for so long.

      I guess you could build off of your own copy of their CVS tree, and just rebuild based on their tags. This defeats the purpose (to me) of a nice easy ./configure ...; make; make install.

      --
      -- clvrmnky
  13. Re:No posts thus far - an omen? by xoboots · · Score: 5, Interesting
    Do you think Cisco would have put a GPL'd SSH into their products? Probably not: they'd have done their own management application, which would only run on Windows machines or a few Unixes, or stuck with telnet. GPL advocates would probably say that was a "victory for freedom of the code", as the (hypothetical) GPL-SSH code wasn't used to make a profit by the evil Cisco. BSD advocates would prefer that the code be FREELY USED by ANYONE, including Cisco, Microsoft, Sun, HP, Intel, Motorola, IBM, and anyone else. Restricting ANYONE, no matter how "evil" they are perceived to be by someone is very much against the point of the BSD license.

    FOOL. The GPL does not restrict anyone from using GPL licensed code. It restricts the ability to hinder or encumber the code and that is the choice that users must make. BSD is free beer, certainly--no wonder corporations love to suck it up. GPL is free code--the code itself is free from the whims of its users. What is the difference? BSD derived code (which may be FAR more useful than the original sources) can disappear while GPL derived code can not. You're right about one thing: the GPL is *NOT* about user freedom while the BSD is. I suggest that the GPL is far more important to software as a result. I don't care whether CISCO or whomever makes money--I care that quality code remains in the community. (AND note, they can equally well make money with GPL'd code--they only have to share back their modifications. Is that really asking too much?)

  14. Whom to complain to? by gtrubetskoy · · Score: 4, Insightful
    You know whom to complain to.

    I hope he means the US and EU governments here. Had there been no software patents under incredibly lax oversight with the subsequent abuse thereof, the Apache Software Foundation wouldn't be forced to write this clause into the license.

  15. This is how APACHE got started by Nonesuch · · Score: 5, Informative
    The "APACHE" server project was originally a set of patches to the NCSA HTTPd, the name comes from "a-patchy web server".

    Back around 1995, development of the NCSA sort-of-free web server was starting to die out, and developers who had been producing a set of patches to the NCSA project decided to "fork" their development branch.

    After the fork, the majority of development effort concentrated in the new "Apache" project, and the NCSA HTTPd died out about a year later.

  16. Re:This is about Patents and it is a strange compla by TiggsPanther · · Score: 3, Interesting

    I think this is where the problems come in. From what I can tell (be warned: legal-speak confuses me immensely) it seems to be a necessary change because of the recent furore about software patents. It seems to be merely a restriction to prevent patent-holders from contributing their ideas to the codebase and then down the line trying to charge for use.

    The problem then appears to stem from the fact that said restriction is a restriction - and is incompatible with the majority of current free/open licenses.
    Or something, anyway. But basically it looks like changes which are a good idea in theory are incompatible with the letter of a lot of F/OSS licenses. And, like it or not, this means that it can cause problems unless/until the GPL/BSD/WTF licenses catch up with the changes.

    I'm not so sure it's that the changes are necessarily a "bad thing", more that the various F/OSS groups are showing that they take licensing seriously. And with the current anti-free FUD going around, showing that they will take serious steps to avoid breaking licenses can only be a positive step.
    Sadly, the drawback is that to Play By The Rules sometimes they have to make unpopular decisions. But the flipside is that, if necessary, they can still fork from earlier versions.

    Tiggs
    --
    Tiggs
    "120 chars should be enough for everyone..."