Slashdot Mirror


Apache 1.3.33 Released

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."

227 comments

  1. Better yet, use IIS! by Anonymous Coward · · Score: 0, Funny

    It's a real server!

  2. How by igzat · · Score: 1, Insightful

    Will there ever be software released that doesn't have flaws or bugs, or is that just utterly impossible? Even the Mozilla foundation has vulnerability and bug problems, and they have some of the best coders out there.

    1. Re:How by Anonymous Coward · · Score: 2, Funny

      Yes, I think there is one, it is called the "Hello World" program.

    2. Re:How by Anonymous Coward · · Score: 0

      Does mkdir have a bug? I don't bloody think so...

    3. Re:How by Anonymous Coward · · Score: 1, Funny

      Did you check the return value of the printf call?

      BUGGY!

    4. Re:How by Anonymous Coward · · Score: 0

      What are you going to do if printf fails?
      You certainly can't print an error message.

    5. Re:How by Anonymous Coward · · Score: 0

      You can exit with a non-zero status value to indicate the error.

    6. Re:How by pavon · · Score: 5, Insightful

      Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others. You have to know exactly what you are doing before you start - which often means writing a throw away version of the software first to work out the kinks in the design. You have to have a simple clean design, and coding practice - as one of the Unix developers said debugging is 10x harder than writing code, so if you write code as cleverly as you can, you are, by definition, not qualified to debug that code. You have to know upfront how to write secure code, and think about it with every function you write - never put this off for later. Then you have to have someone else rigorously read over every line of code to find any mistakes. Lastly you have to systematically test each part of the code individually and together. Then after years of widespread use without any major feature changes you will have weeded out nearly all of the bugs.

      Nearly all software that is written leaves out some of these things, choosing to balance getting something done with quality. Some find a better balance than others :)

      BTW. The mozilla programs are definitely good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unwieldy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure, is much harder than doing it (mostly) correct from the start.

    7. Re:How by Neil+Blender · · Score: 1

      Does mkdir have a bug? I don't bloody think so...

      Ah, but mkdir has had bugs in the past. I can't remember exactly, but at one time mkdir had a race condition problem affecting ownership and permissions (akin to not using transactions in sql). I think it has had other bugs as well.

    8. Re:How by Goonie · · Score: 5, Informative
      Sure, no one has found any bugs in Knuth's TeX in years.

      Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.

      --

      Any sufficiently advanced technology is indistinguishable from a rigged demo
      --Andy Finkel (J. Klass?)
    9. Re:How by Anonymous Coward · · Score: 0

      It's not impossible, certain formal methods can be used to create software that you can mathematically prove that they work according to the spec. There's two problems with this approach tho: for many real life applications this is incredibly hard to do, and how do you know the original spec isn't flawed?

    10. Re:How by Anonymous Coward · · Score: 0

      Just make sure the spec says 'Hello World always returns with an exit code of zero'. See, not a bug, it's in the spec.

    11. Re:How by mcrbids · · Score: 4, Insightful

      Secure code is HARD to write!

      Even properly structured, carefully written stuff will contain securiity bugs! It requires attention, more attention, and yet more attention still.

      It requires proper layering of the code so that the number of variables to track at any one point is as small as possible.

      Spend lots of time on design. Draw flowcharts to cover key areas of your application. kivio is your friend! Consult your flowcharts before you make changes to the program. A well-laid-out flowchart can be worth more than reams of notes in the code.

      Above all, structure your code so that the default behavior is secure in the event of a failure.

      For example, you've done something stupid, and you're passing unescaped text to the database.

      Whoops!

      1) Why are you passing text directly to the database? If you communicate with the database with a proper API, you *can't* pass unescaped text to the database.

      2) Are you capturing the errors from the database, so that you aren't displaying any obvious sign (to the public) of what's gone wrong?

      3) Is the database connection transacted, so that you can return to a known good state?

      4) Do you have some kind of error trap or handler so that you can find out exactly what the errors were and fix them in a sane way?

      5) Have you tested your code with DELIBERATE bugs so that you know how it will behave in the event of a failure?

      The handling of any errors from that should *NEVER* be made clear to the outside, only that "an error has occurred".

      The goal is a system designed with multiple layers of protection so that a failure at any point does not result in a security breach! It should fail securely, so that problems result only in error reports, NOT SECURITY HOLES.

      Easy to say, damn hard to do...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    12. Re:How by vawlk · · Score: 1

      I am just reminded about how many apps that I used to run on my old 8086 that never needed patching. Same with old console games...they always seemed to just work.

      Then again, apps are much more complicated nowadays.

      On the other hand, the wide reach of the internet allows for easy patching which can lead to sloppy coding since updates are too easy to acquire.

    13. Re:How by pairo · · Score: 3, Informative

      Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others.
      Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs. For a more exhaustive list, Google is your friend.

    14. Re:How by Anonymous Coward · · Score: 0

      So Knuth is the only open source developer to write his own code and that's freakish?

    15. Re:How by Taladar · · Score: 1

      If you want a bug-free system in the long run you should not hide (unexpected) errors from the user. Your program should alert the user in the best way it can (not some hidden logfile) so the bug gets reported and fixed.

    16. Re:How by Anonymous Coward · · Score: 0

      BTW. The mozilla programs are definitely good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unwieldy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure, is much harder than doing it (mostly) correct from the start.

      What codebase are you talking about? The netscape derived one? Of course every slashdotter knows that Firefox is a completely new codebase written from scratch. It's definitely not "huge and unwieldy".

    17. Re:How by Chexum · · Score: 2, Informative
      ...more than a couple bugs...

      Many of the "bugs" listed above are arguable, and frequently disputed by qmail users and opponents. That is, many of them could not be a reason to single-handedly strike down qmail itself.

      As an example.. From the above document:

      All the contents of this document refer to qmail-1.03.
      4.3. Bandwidth hogging (violates RFC-2821 SHOULD clause)

      So.. qmail 1.03 was released in June 1998, RFC 2128 was released in April 2001. I'm inclined to say that calling this a "violation" is not that fair. Even more so if you consider that it might have been included in the RFC *in response* of qmail's behaviour by *ahem* some lobbyists. In contrast, qmail's behaviour was explicitly chosen by its author, and he directs anyone who claims this is "hogging", that they should "measure, not speculate" of the implications of the behaviour. What did he get?

      And, allow me to say, in my opinion, a "SHOULD" clause is not violated if the "full implications" are "understood and carefully weighed", which has apparently happened.

      So, what I meant is, the picture is not so clear, you should not believe anything you hear or say on the internet... Not even about qmail.

      --
      "Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
    18. Re:How by gbjbaanb · · Score: 2, Insightful

      nothing to do with complexity really, your old 8086 was never connected to the internet as we know it, and security was more a case of choosing a password that wasn't 'password'.

      Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.

      Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.

    19. Re:How by pairo · · Score: 1

      Yes, some of the bugs in there may not be bugs at all, but some are valid. I didn't say qmail should be 'struck down', even though I see no reason to use it what with modern MTAs around (MTA flame war! :-P), I was just debating the parent's claim that qmail is relatively bug free.

    20. Re:How by lauterm · · Score: 1

      as one of the Unix developers said debugging is 10x harder than writing code, so if you write code as cleverly as you can, you are, by definition, not qualified to debug that code

      I've heard that saying attributed to Kernighan usually.

    21. Re:How by Pxtl · · Score: 1

      First and foremost: don't use the C standard library. glib or C++ standard lib. C standard library is security suicide.

    22. Re:How by Anonymous Coward · · Score: 0

      Ah, but that's a buggy spec -- exiting zero on error doesn't make sense. Bugs in the specs are the hardest to fix, you know.

    23. Re:How by k98sven · · Score: 1

      Nope. All software has bugs.

      A relative of mine worked with a guy who wrote a program to do a single thing: Terminate itself.
      (They were doing OS programming and this was actually a useful thing to have in that context.)

      That's it. The simplest possible program you could write. It was a single assembly instruction. So the guy started bragging about how he'd written the only bug-free program, ever.

      Well.. the gods did not look kindly upon that hubris. It turned out he'd forgotten something. He'd forgotten to zero-out the register containing the program's exit code. So the exit code would be just whatever random value happened to be in the register. And a non-zero error code indicates a termination on error. There was a bug in the simplest program ever written.

      So..no, there is no flawless software which does anything non-trivial. It's hard enough to get the trivial stuff right.

    24. Re:How by LiENUS · · Score: 1

      Here ya go fixed spec and code

      #include <stdio.h>

      int main(int argc, char *argv[]) {
          int retval;
          retval = printf("Hello, World\n");
          if (retval > 0) {
              return 0;
          } else {
              return -1;
          }
      }

    25. Re:How by ratboy666 · · Score: 1

      "*NEVER* be made clear to the outside"? What *is* the "outside" when providing toolkit software?

      "Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?

      You have eliminated the use of PHP (since if the interpreter fails, where is the error reported?) *and* SQL (because the API is text based) in your web page developement. Yes, I agree that would tend to increase security, but at what cost? Are you trying to eliminate your own job?

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    26. Re:How by DrSkwid · · Score: 2, Insightful

      Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

      -- Brian W. Kernighan

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    27. Re:How by Kinlan · · Score: 1

      Hard as in NP Hard?

      --
      As cunning as a fox, which has just been appointed professor of cunning at Oxford University. http://www.kinlan.co
    28. Re:How by NardofDoom · · Score: 1
      Here's one:
      function hello(){ print "Hello, World!"; }

      Though most frosh comp sci majors still seem to screw it up.

      --
      You have two hands and one brain, so always code twice as much as you think!
    29. Re:How by jack_csk · · Score: 1

      //My version is shorter than yours
      #include <stdio.h>

      int main(int argc, char * argv[]) {
          return (printf("hello World!\n")<0?0:-1);
      }

    30. Re:How by Anonymous Coward · · Score: 0
      Same for Qmail, and others ...


      Qmail has many bugs, including violations of the SMTP standard and Host Requirements. However, the author of Qmail suppresses all bug reports by privately threatening the poster.

      I posted a bug report showing how Qmail did not properly implement a SMTP connection backoff when receiving a 4XX response, and was personally threatened by Dan Bernstein for making "dangerous statements".

      If the OpenSource project you are working on considers bug reports "dangerous", and threatens bug posters, you should run away, FAST!
    31. Re:How by mcrbids · · Score: 2, Insightful
      "Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?

      Ahem...

      Here's an example of BAD YOU-ARE-SO-OWNED CODE ...

        $sql="SELECT * FROM userdb WHERE login='".$_REQUEST['login']."' AND password='".$_REQUEST['password']."'";
        $res=mysql_query($sql, $conn);

      Here's an example of MUCH BETTER CODE...

        $DB=New Database();
        $DB->SetQuery("SELECT * FROM userdb WHERE login='@login' AND password='@password'");
        $DB->Set('login', $_REQUEST['login']);
        $DB->Set('password', $_REQUEST['password']);
        if (!$res=$DB->Query())
          return Error("Sorry. There was an error while processing your request");

      Notice that the values being passed thru to the database are not being sent directly (there's that word, maybe you missed it?) to the database. This way, you can't (easily) make the mistake of not escaping the value before it's passed to the database - that's handled by object $DB.

      Ratboy.
      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
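
Added example, not part of the thread or any poster's code: the "pass values through an API, capture errors, use a transaction, test with a deliberate bug" points from mcrbids's two comments above, shown with PHP's PDO and an in-memory SQLite database. The table layout, function names, sample account and the use of `password_hash()` are assumptions made for illustration, and the `pdo_sqlite` extension is assumed to be available.

```php
<?php
// Added illustration: table, column and function names are assumptions.
// Requires the pdo_sqlite extension; the database lives in memory.

function open_demo_db(bool $withTable = true): PDO
{
    $db = new PDO('sqlite::memory:');
    // Turn every database error into an exception so none is silently ignored.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    if ($withTable) {
        $db->exec('CREATE TABLE userdb (
            login  TEXT PRIMARY KEY,
            pwhash TEXT NOT NULL,
            logins INTEGER NOT NULL DEFAULT 0)');
        $ins = $db->prepare('INSERT INTO userdb (login, pwhash) VALUES (:login, :pwhash)');
        $ins->execute([
            ':login'  => 'alice',   // constructed sample account
            ':pwhash' => password_hash('correct horse', PASSWORD_DEFAULT),
        ]);
    }
    return $db;
}

// "Before": request text is spliced into the SQL string, so the input
// can change the structure of the query itself.
function count_matches_unsafe(PDO $db, string $login): int
{
    $sql = "SELECT COUNT(*) FROM userdb WHERE login='" . $login . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// "After": the SQL text is constant and values are bound as parameters.
// The work runs in one transaction, the detail of any failure is logged
// server-side, and the caller only ever sees a fixed message.
function check_login(PDO $db, string $login, string $password): array
{
    try {
        $db->beginTransaction();
        $stmt = $db->prepare('SELECT pwhash FROM userdb WHERE login = :login');
        $stmt->execute([':login' => $login]);
        $hash = $stmt->fetchColumn();          // false when no row matches
        $ok = is_string($hash) && password_verify($password, $hash);
        if ($ok) {
            $upd = $db->prepare('UPDATE userdb SET logins = logins + 1 WHERE login = :login');
            $upd->execute([':login' => $login]);
        }
        $db->commit();
        return ['ok' => $ok, 'message' => $ok ? 'Logged in' : 'Login failed'];
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();                   // return to the known good state
        }
        error_log('check_login: ' . $e->getMessage());   // detail stays in the server log
        return ['ok' => false,
                'message' => 'Sorry. There was an error while processing your request'];
    }
}

$db = open_demo_db();
$hostile = "x' OR '1'='1";   // constructed input containing a quote character

// Concatenated query: the quote in the input rewrites the WHERE clause.
var_dump(count_matches_unsafe($db, $hostile));

// Bound parameter: the same input is compared as one literal login name.
var_dump(check_login($db, $hostile, 'anything'));
var_dump(check_login($db, 'alice', 'correct horse'));

// Deliberate bug (the table is missing): the call must fail closed and
// return only the generic message.
var_dump(check_login(open_demo_db(false), 'alice', 'correct horse'));
```
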
    32. Re:How by baest · · Score: 1

      Sorry, but that is wrong. You return 0 when printf returns less than 0. I would rather do this which is actually faster...

      #include <stdio.h>

      int main(int argc, char * argv[]) {
          return (printf("hello World!\n"));
      }

    33. Re:How by Jucius+Maximus · · Score: 1
      "Even properly structured, carefully written stuff will contain securiity bugs!"

      You'd know, I guess. ;)

    34. Re:How by Anonymous Coward · · Score: 0

      NP doesn't mean hard, it means slow... (can only achieve polynomial time on a nondeterministic computer)

  3. Good thing I use Apache 2 by brandonp · · Score: 2, Funny

    Been using Apache 2 on Fedora Core for the past few months, so shouldn't have any worries.

    Brandon Petersen
    Get Firefox!

    1. Re:Good thing I use Apache 2 by eobanb · · Score: 3, Funny

      Personally, I'm waiting for Apache 1.3.37. 0h y34h!!!

      --

      Take off every sig. For great justice.

    2. Re:Good thing I use Apache 2 by slarshdot · · Score: 0

      This release has been code named LEE
      followed by:
      LEEA
      LEES
      LEEB
      and finally
      LEET!

      --

      I'm not out of order! You're out of order! The whole freaking system's out of order!
    3. Re:Good thing I use Apache 2 by geminidomino · · Score: 1

      For some reason, I heard Quagmire in my head when I read that...

      Giggidy giggidy!

  4. One small change by jZnat · · Score: 2, Insightful

    So, one small change was made to prevent dumbasses from fucking over the buffer if they use characters not intended in the first place? Not worth it without updating other bugs, sorry to say. Work on the more important yet less known bugs instead!

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    1. Re:One small change by Electroly · · Score: 5, Insightful

      Without that "one small change", someone could own your computer by just sending a specially crafted HTTP response when you hit a website. I personally think anything that can allow "bad people" to get access to your computer without too much difficulty is something that should get fixed. Suit yourself.

    2. Re:One small change by corrie · · Score: 1

      You must be trolling.

      This kind of thinking leads to worms and trojans being so prevalent.

      It is besides the point that the "characters not intended in the first place". The point is that it is possible for them to get there, and so they should be dealt with.

      Btw, I would like the URL of your unpatched Apache site, please. Thanks so much. Don't be afraid, because I'm not supposed to send any unintended characters there, so I won't, right?

    3. Re:One small change by Anonymous Coward · · Score: 0

      upon a midnight dreary, while i pron surfed, weak and weary, over many a strange and spurious site of ' hot xxx galore'. While i clicked my fav'rite bookmark, suddenly there came a warning, and my heart was filled with mourning, mourning for my dear amour, " 'Tis not possible!", i muttered, " give me back my free hardcore!"..... quoth the server, 404.

    4. Re:One small change by jZnat · · Score: 1

      That's why you don't use the server box for other things at the same time. ;)

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  5. Re:What ever by mirko · · Score: 2, Informative

    Well, Apache 2 doesn't support all the mods at this moment, for example, it is still impossible to use some auth_tk (not sure about the name), to autologin in our Intranet.

    --
    Trolling using another account since 2005.
  6. A little overblown by Stevyn · · Score: 3, Interesting
    After looking at the changelog, is this a topic for the main page? I mean people complain when a minor revision of the Linux kernel or KDE comes out.

    Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.

    1. Re:A little overblown by Anonymous+Crowhead · · Score: 5, Funny

      After looking at the changelog [apache.org], is this a topic for the main page?

      No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

    2. Re:A little overblown by Anonymous Coward · · Score: 4, Funny

      Don't blame me, I voted IIS.

    3. Re:A little overblown by Stevyn · · Score: 1

      Yeah was this one of the original sections or something? Couldn't this just be thrown into IT? After all, it's IT people who would be interested in subject matter like this.

      I'm not saying Apache isn't important at all, but important as Science, Developers, AskSlashdot, Apple? I don't think so.

    4. Re:A little overblown by Neil+Blender · · Score: 4, Funny

      No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

      Heh, that reminds me: About 3 or 4 years ago, I was up late fixing some server issue. While I was waiting around I checked Slashdot and saw a story in the Apache section about some Apache conference or party or something that was taking place in Belgium or Norway, I can't remember exactly. It had been up for hours, maybe even days with no comments. So, thinking it would be like taking candy from a baby, I first posted. About a week later, I checked the same story and the only post was my first post. I think that story got archived with that single post.

    5. Re:A little overblown by Anonymous Coward · · Score: 0

      You should find it again :)
      Make it your sig.

      (I once first, second and third posted a Slashdot Poll. They got -1 modded very quickly, but it made me so happy on the day)

      God we're geeks :)

    6. Re:A little overblown by Anonymous Coward · · Score: 0

      At least as important as Apple. The ASF runs more large open source projects than Apple has products.

    7. Re:A little overblown by Trepidity · · Score: 2, Funny

      God we're geeks :)

      People told me that I shouldn't take the comments on Slashdot seriously because they are inaccurate, but I believe I have evidence to the contrary.

    8. Re:A little overblown by Gheesh · · Score: 1

      Apache 1.3 is a well established product, with over 65% of the market share. It is important that security flaws are quickly found, fixed and patched everywhere, to avoid possible exploits (esp. worms) from spreading and choking the net. I'm sure you can think of good examples of why this is good practice ;-)

    9. Re:A little overblown by geminidomino · · Score: 1

      I have a feeling it's MUCH more important than "Apple" to those who run it on non-Apple architectures.

    10. Re:A little overblown by Tony-A · · Score: 2, Funny

      With all the stories on Microsoft exploits, the Slashdot editors are trying to give equal time.

      "mod_include: Fix potential buffer overflow with escaped characters in SSI tag string."
      -- At least it's a different one.

      "Multiple security issues ... that could allow an attacker to compromise a computer running Windows and gain complete control over it."
      -- I thought they fixed that already.

    11. Re:A little overblown by Anonymous Coward · · Score: 0


      Imagine the bragging rights you would have had if you had written: "Only post!" :D

    12. Re:A little overblown by Ctrl-Z · · Score: 1

      If the IT colour scheme ever gets fixed, then I would be all for putting Apache stories in IT. Otherwise, I have to say I find the Apache colour scheme to be much less hideous than IT (even though the purple is a bit putrid).

      --
      www.timcoleman.com is a total waste of your time. Never go there.
  7. -1 Troll by Anonymous Coward · · Score: 0

    I've been expecting this one, and I know it when I see it.

    1. Re:-1 Troll by Anonymous Coward · · Score: 0

      His post is already -1, moron.

    2. Re:-1 Troll by Anonymous Coward · · Score: 0

      Not when I posted it (race condition )

    3. Re:-1 Troll by Anonymous Coward · · Score: 0

      He posts at -1 by default. You are an idiot.

  8. Re:What ever by l3v1 · · Score: 0, Troll

    I'd mod that a funny troll if I could. Apache2 is unfortunately still more a security risk than a better Apache. It's ok for development and testing, but you'd better not use it on real-life servers exposed to others than white test rats.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  9. I can't figure this release note out by Anonymous Coward · · Score: 0
    I've read it 3 times.

    I use debian stable. does this effect me?

    seems to only effect people who use the mod include thing, which I have not installed, or I think I haven't. I don't want to loose the security battle over a bug like this, but I don't want to have to uninstall apache either.

    1. Re:I can't figure this release note out by Anonymous Coward · · Score: 1, Interesting

      If you are running Debian Stable, then you are relying on the most solid version of Linux thus far. The Debian team does not spend time working on adding new features to the platform, so all efforts are instead diverted to bug fixing. In Stable, the likelihood of an 0wn4ge is slim to none, in other words. At least much less than in the other Debian versions.

      That said, that only pertains to the operating system and accompanying binaries. It does not cover Apache. If there is a bug in Apache that allows the takeover of a system, a hacker could theoretically exploit that hole and cause damage to your system.

      However! The damage that is possible via a hack such as this is limited to the permission level at which Apache is running. If it is running as root, well, your whole system is exposed. OTOH, if you have Apache locked down with no permissions whatsoever, the likely damage to your system is minimized.

    2. Re:I can't figure this release note out by mrchaotica · · Score: 4, Funny
      does this effect me?
      I don't see how it could, since "effect" is a noun.
      I don't want to loose the security battle
      Well, better keep that battle tied up then!

      [note to mods: With a story this useless, what else could I do but correct usage (I'll leave grammar and capitalization as an exercise for the reader)? I mean come on, the front page for a bugfix?!]
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:I can't figure this release note out by Anonymous Coward · · Score: 0

      "Effect" is also a verb; it means "to bring into existence." Of course, we're still left wondering how an Apache bug could cause this fellow to exist.

    4. Re:I can't figure this release note out by pairo · · Score: 1

      In Stable, the likelihood of an 0wn4ge is slim to none, in other words.
      How about this, or this then?
      No distribution is inherently more secure than another, a Debian Woody machine will be as easily compromised as any other distribution, if the admin is incompetent. (And, no, I'm not saying all machines are compromised because of incompetent admins)

    5. Re:I can't figure this release note out by value_added · · Score: 2, Insightful

      "I don't see how it could, since "effect" is a noun."

      Good try (and moderately funny) but no cigar. The word "effect" can be used as a noun *or* a transitive verb in which case the meaning can be read as "to bring about." That, too, would be moderately funny, for an entirely different reason.

      The word "affect," on the other hand, is most commonly used as an intransitive verb, though its usage as a noun still exists (e.g. "affectation").

      [Web-link-as-pseudo-authoritative-citation omitted.]

    6. Re:I can't figure this release note out by Anonymous Coward · · Score: 0
      I don't see how it could, since "effect" is a noun.

      Security effects ALL of us. Don't underestimate it, if my box gets hacked in to, it could very well be used to compromise other machines. In fact, that's often how they attack machines. from hacked machines so you can't tell were their really logging in from. Weather or not you personally worry about this, isn't the issue. Security should not be ignored. People who don't pay attention to securing there machines are the biggest problem right now on the internet. Worms and viruses spread via unsecured boxes.

    7. Re:I can't figure this release note out by thomasweber · · Score: 1

      Well, http://mplayerhq.hu/pipermail/mplayer-dev-eng/2003-December/022821.html is just one of the usual rants of mplayer against Debian. If you go further in this thread, you will find http://mplayerhq.hu/pipermail/mplayer-dev-eng/2003-December/022877.html and http://mplayerhq.hu/pipermail/mplayer-dev-eng/2003-December/022879.html, which show that the admin didn't have a clue how his server was compromised (it must be the kernel and/or Debian, because he is a perfect admin, or what?).

    8. Re:I can't figure this release note out by Anonymous Coward · · Score: 0

      from hacked machines so you can't tell were their really logging in from.

      No, people who can't fucking spell or construct sentences are the biggest problem right now on the Internet.

    9. Re:I can't figure this release note out by Scarblac · · Score: 2, Funny

      Security effects ALL of us.

      ITYM the other way around - it's LACK of secure (safe) sex that effects all of us.

      --
      I believe posters are recognized by their sig. So I made one.
    10. Re:I can't figure this release note out by Anonymous Coward · · Score: 0

      I don't see how it could, since "effect" is a noun.

      Only on slashdot do I see people getting criticized for using verbs as verbs. But verbing nouns is OK.

    11. Re:I can't figure this release note out by pairo · · Score: 1

      I should know, this is my post. In hindsight, maybe I should've actually explained what I meant by those two examples.

      The first, the one about the Debian machines being compromised was to show nothing is unbreakable (even though the Debian people made some mistakes in configuring those machines, they're far from being responsible for that).
      The second, the MPlayer one was to show that a clueless admin (Okay, I know I shouldn't call the MPlayer people names based on a single experience, but that's the impression I got from that thread.) matters more than the distribution he or she uses.

    12. Re:I can't figure this release note out by ajs318 · · Score: 1

      When I was taking my A-levels, I helped out in my school's remedial studies unit. On the walls in there were a set of colourful cartoon posters drawing attention to commonly-mixed-up words.

      One was of a stereotypical 50kg weakling in a gym, about to lift a set of weights and saying "Will this affect me?" And the answer from his muscle-bound colleague was "Look at the effect it had on me!"

      Another one was a kid with an untied shoe, and a teacher calling after her, "Your lace is loose! You might lose a shoe!" At the time, I never thought that was particularly relevant; since around my particular neck of the woods, "lose" {as in "I don't care if the Rams don't win, just as long as Forest lose"} is often pronounced so as to rhyme with "nose".

      --
      Je fume. Tu fumes. Nous fûmes!
    13. Re:I can't figure this release note out by Anonymous Coward · · Score: 0

      Surely that should be "Incorrect, people who can't fucking spell or construct sentances are the biggest problem on the Internet at the moment."

      ?

    14. Re:I can't figure this release note out by A+beautiful+mind · · Score: 1

      Yes, Árpi is actually quite incompetent at times. Btw as far as I remember the incident it was a remote kernel exploit, nothing to do with Debian...it could have been any other linux box running the same version of kernel...

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    15. Re:I can't figure this release note out by pairo · · Score: 1

      Yes, but what they claimed (And, amazingly enough, they were right) was that the attacker needed to gain local access first, by exploiting a service. Nevertheless, claiming that Debian was to blame was a bit off.

    16. Re:I can't figure this release note out by A+beautiful+mind · · Score: 1

      That's weird...why on earth would a remote exploit require local access? That's why it is remote, no local access is required.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    17. Re:I can't figure this release note out by pairo · · Score: 1

      The kernel exploit they (And _YOU_) are referring to is a _LOCAL_ exploit, it's the one that affected Debian.

      And, by re-reading your post (Yeah, I know. But I'm trying to get drunk here, ya know!), I see you were wrong from the start. See above.

    18. Re:I can't figure this release note out by Anonymous Coward · · Score: 0

      Actually effect is a verb meaning something like "to cause something to come into being" as well. You can, for instance, effect a change.

  10. Re:Freshmeat Sidebar by Anonymous Coward · · Score: 0

    I would have modded parent up for the second and third paragraph (valid points). It's too bad that the first paragraph's abusive language digs a hole too deep for the rest of the message to crawl out of.

  11. Re:What ever by synthparadox · · Score: 1

    Don't forget that mod_gzip is not fully supported in Apache 2.X.

    Also, has anyone else noticed that slashdot itself is still 1.3.29?

  12. Re:What ever by ScytheBlade1 · · Score: 1

    After searching a bit, I can't find the netcraft page that lists which apache version (1 or 2) the % of sites are using...but for some reason I remember apache2 being actually *used*.

    Hence why it's default now on a grand many distros...and many many others...

    (Chances of you being right about it being more of a security risk? Depends on your view, namely the time it's been out vs. the time apache1 has been out. But hey, why not at least post proof with your post compared to just stating such things blindly?)

  13. I tried to migrate to Apache. by shaneh0 · · Score: 5, Funny

    During last year's jihad on IIS & IE I decided it would be a good idea to migrate the company's web servers to Apache. I decided to start simple and submit a plan to migrate just the department intranet server.

    This is the actual response from management. The brain-dead VP that made this truly-enlightened decision first made a name for himself as a VP at a FAUCET COMPANY.

    Listen to the faucet king's great idea:

    "Shane, Thanks for your proposal. Unfortunately, I cannot approve the change. In fact, I've decided that we need to streamline these things in the future and make sure everyone is on the same page.

    From now on, we will only install software on the servers that is at version 2.0 and above. There will be no exceptions to this. It's about security and reliability. Everyone knows you dont buy a car the first model year, why should software be any different. I've never heard of apachee, but if these guys are as good as you say they are enough people will bite to keep them going, and when they come out with the next major realease I think you'll see then that we're better off for waiting for them to really get it right.

    thanks for beging on board with this, tom." [my name's shane]

    Two years ago this guy won the "visionary of the year" award at the company conference.

    1. Re:I tried to migrate to Apache. by mrchaotica · · Score: 1

      Luckily, there is an Apache 2.0!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:I tried to migrate to Apache. by Anonymous Coward · · Score: 0

      I suggest you set his workstation up with the following:

      Windows 95. [4.x is twice as good as 2.0]
      IE 4 [Same Reason]
      Word 2.0 [Streamlined - only a few floppies]

      Or better yet:

      DOS 2.0 -- that must be a real winner!!

      Well, you have to give him a little credit : At least he knew that version numbers are not like golf scores!

    3. Re:I tried to migrate to Apache. by quillsta · · Score: 2, Interesting

      I was called by the wrong name 8 months into my current job staying in a company flat with the CFO in london (now 2nd Sr. Admin). I feel the v2.0 scenario and it hurts my heart. blessed be (God|Allah|Jeebus|Jehova|Budda|Mr. Dobbs) and blessed be apache 1.3.x.

      jez don't speak as though 2.0 is not primetime, because that is crazy speak -- the configuration files may have new directives and options, but yours is to weigh costs of access/benefit/detriment and deploy accordingly.

      Take time to read and don't be swayed by a jihad. If you are really unsure of what one is google it and you will see it is not what you think

    4. Re:I tried to migrate to Apache. by jesterzog · · Score: 1

      Out of interest, how did you respond?

    5. Re:I tried to migrate to Apache. by Vellmont · · Score: 2, Interesting

      The idea is sound enough, we all know of course that no one adheres to any standards with regard to software revisions. Some software goes for years at version 0.x, and a 1.0 release is a really exceptional product. Others (like Microsoft) take at least up to version 3 for the thing to be actually useable.

      Anyway, you should have (or perhaps you did) play his game and announce that Apache 2.0 has been out for more than 2 years. As far as the ridiculous >= 2.0 policy, I'd go the route that software companies know this trick and will inflate version numbers. That way the VP doesn't look like a total moron and can save some face when the policy goes the way of the dodo

      --
      AccountKiller
    6. Re:I tried to migrate to Apache. by pchan- · · Score: 3, Funny

      i would love to have had the chance to respond to this.

      you could just download apache, edit the code and bump up the version number. but really, the right solution would have been to inform him that, in fact, there exists an "apachee 3.0". unfortunately, "apachee 3.0" is no longer free, and requires a 500$ yearly site license for under 10 installs (and reasonable fees for more). then you can bump up the version on apache 1.3 and install it on the company's computers. your friend (er, the "apachee foundation") can cash the yearly check for you.

    7. Re:I tried to migrate to Apache. by tigress · · Score: 1

      No, you don't buy a car the first model year (1.0). That's why you wait for Car 1.1 or higher. Waiting until the new model (2.0) is out is just plain stupid. :)

    8. Re:I tried to migrate to Apache. by snero3 · · Score: 2, Informative

      Somebody probably has already mentioned this to you but you do know that apache does have a version 2? They are currently maintaining both the version v1 and v2 trees. Just thought I would let you know.

      --
      It said "windows 98 or better" so I installed Linux
    9. Re:I tried to migrate to Apache. by shaneh0 · · Score: 1

      Although I can't believe you're interested, I'll tell you how I handled it.

      I work for what you could call a 'large company.' You could also call it by a more formal term, 'the largest company in the United States'.

      This has upsides and downsides. A downside, for example, is the Department VP. An upside is that there are 2 other department VPs and they gave me the go ahead on the condition that I never tell the other. They probably have a point that a friggen Vice President would never know what Web Server was installed unless someone tells them.

      Although I didn't know at the time of the 2.x versions, looking back I wish I did because it would have saved some headache.

    10. Re:I tried to migrate to Apache. by NoMercy · · Score: 1

      *rolls around on the floor laughing*

      Ohh, it's quite amazing how many Dilbert Style managers are out there, take him along to a dogbert re-education class :)

    11. Re:I tried to migrate to Apache. by geminidomino · · Score: 1

      'the largest company in the United States'.

      You poor bastard... you work for the Federal Government... Come inside, we'll give you a nice bowl of soup and let you talk to a chaplain of whatever belief system you follow. Yes, we do have an atheist chaplain. He's kind of an odd one, but a good sort.

      You must be so cold. Come, come inside.

    12. Re:I tried to migrate to Apache. by OwlWhacker · · Score: 1

      There are plenty of people with high positions in business that are really holding their company back.

      All it takes, in most cases, is a bit of research. With the Internet, research is no hassle whatsoever. This guy obviously has no clue of what Apache is, and isn't even going to research it due to a version number.

      You can't apply a one-size-fits-all approach to everything. Each separate case should be evaluated in context. Obviously.

      I would suggest going higher up, and put together something concise, positive, and polite, and ask for an evaluation of the issue. Provide proof that Apache is big, reliable, used by big companies, and something that should not be brushed aside in ignorance.

      You may even find that this guy is demoted. Probably not though, seeing that somebody higher up actually gave him that position in the first place.

    13. Re:I tried to migrate to Apache. by Anonymous Coward · · Score: 0

      Write back to your VP and let him know the Facts. Apache has been the most popular web server on the Internet since April of 1996. The October 2004 Netcraft Web Server Survey found that more than 67% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

    14. Re:I tried to migrate to Apache. by Anonymous Coward · · Score: 0

      Boy, this guy would piss himself if he got to use emacs (now at version 21)

    15. Re:I tried to migrate to Apache. by Anonymous Coward · · Score: 0

      I've never heard of apachee,

      Man, this VP is typical, dumber than nails -you should go to an anonymous mailer site to send mail and inform him, and post a hyperlink to the http://netcraft.com site so he can see more people run apache than all others combined.

    16. Re:I tried to migrate to Apache. by poot_rootbeer · · Score: 1

      ...So why didn't you migrate from IIS to Apache 2.x? ;)

    17. Re:I tried to migrate to Apache. by cant_get_a_good_nick · · Score: 1

      Hmm, Pinto 1.0 wuz da bomb...

    18. Re:I tried to migrate to Apache. by Anonymous Coward · · Score: 0

      Do you post this every Apache article?

    19. Re:I tried to migrate to Apache. by nicolas.e · · Score: 1

      They migrated from Apache to IIS (at least for their website) ?

  14. Re:What ever by myg · · Score: 5, Informative

    Apache 2 has quite a few good things going for it over Apache 1. First off, it handles multi-threading much better, meaning that very heavy workloads require less CPU time.[*]

    Second, Apache 2 supports things like DAV, which means that to publish information on the web users need less access than with Apache 1 (such as shell accounts or worse FTP, since most ISPs don't think users should use SSH for some odd reason).

    Lastly, Apache 2 can run Subversion. So not only can you use DAV to update information without shell access of any kind but you can version that information too.

    [*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.

  15. Re:What ever by FireChipmunk · · Score: 2, Informative

    FUD.

    mod_deflate does GZIP encoding, and comes with the Apache 2.0 core:
    http://httpd.apache.org/docs-2.0/mod/mod_deflate.html

  16. Re:What ever by PhrostyMcByte · · Score: 4, Informative
    SF.NET just sent out an email a few days ago:

    The SourceForge.net team is pleased to announce the long-awaited
    upgrade to our project web service. SourceForge.net staff are
    currently in the process of completing hardware procurement and
    system build-out. The official date for this upgrade has not yet
    been set; once our hardware build-out has been completed, the
    date will be announced on the SourceForge.net Site Status page.
    https://sourceforge.net/docs/A04/

    This upgrade consists of a significant hardware upgrade and
    Operating System upgrade. Due to the large upgrades involved here,
    it may be necessary to upgrade your scripts.

    ...

    New configuration:

    Fedora Linux: Fedora Core 2
    Linux kernel 2.6.x
    GNU libc 2.3.3
    Apache 2.0.51
    Perl 5.8.3
    PHP 4.3.8
    Python 2.3.3
    Tcl 8.4.5

    Apache 2.x is good enough for a large site such as sf.net, it is good enough for others.
  17. Re:What ever by nv5 · · Score: 1

    I'm assuming you're not trolling, so would you mind elaborating a bit?

  18. Re:What ever by FireChipmunk · · Score: 4, Informative

    No one uses Apache 2 in production. I guess all those sites don't have a clue about security.

  19. Riddle me this then? by Bill_Royle · · Score: 1, Funny

    Why is your server running 2.0, then?

    Netcraft's "What's That Site Running?" report on www.force-elite.com

    I'm assuming by your nick here that you're Chip, of course.

    1. Re:Riddle me this then? by Anonymous Coward · · Score: 1, Informative

      I think you missed the point.

      Every site I linked to was running APACHE 2.0.

    2. Re:Riddle me this then? by Anonymous Coward · · Score: 0

      Everyone knows to never run a .0 version... I'm waiting for 2.1! Version 2 just isn't good enough for me...

  20. Re:What ever by Quattro+Vezina · · Score: 1
    --
    I support the Center for Consumer Freedom
  21. Re:What ever by Quattro+Vezina · · Score: 1

    I can't but help noticing you made a typo. Your entire message should be spelled ``FUD''.

    --
    I support the Center for Consumer Freedom
  22. Apache is awful. by Gabe+the+Programmer · · Score: 0, Troll

    I'm sorry, but I run a huge online community (http://www.mma.tv/TUF), and Apache has been nothing but trouble for us. We're having hours of downtime A DAY! and we've done everything: bought a brand new server, increased the number of requests per child, disabled all unneeded services, performance tuned our app, the UnderGround Forum, but to no avail. Under IIS, we had no such problems (the app is written in Cold Fusion and uses JRun).

    1. Re:Apache is awful. by killjoe · · Score: 1

      Wow cold fusion and jrun? People still use those? Are they running as modules or a CGI?

      Maybe you should go back to IIS. You should not run a web server you can't get working. Leave apache for other people.

      --
      evil is as evil does
    2. Re:Apache is awful. by pairo · · Score: 3, Funny

      I'm only going to comment on two bits of your post, since I've never used ColdFusion/JRun with Apache (Or at all, for that matter) and cannot address the main issue.

      disabled all unneeded services, performance tuned our app

      You only did that _after_ you noticed your application is having problems?

    3. Re:Apache is awful. by Anonymous Coward · · Score: 0

      Cold Fusion? Well there's your fucking problem, not apache.

    4. Re:Apache is awful. by LnxAddct · · Score: 4, Interesting

      Wow... did you ever hear the cliche of a face so ugly it breaks mirrors... that site is so horrendous it breaks apache. Anyway...your huge community doesn't seem to be all that huge... google uses a modified version of apache, slashdot uses apache, sourceforge.net uses apache, and Amazon.com runs apache... as well as many others. If you're having hours of downtime a day you must not be all there in your head. Seriously, go download Fedora Core 2, install it, everything will be set up for you... port your code to php or jsp or whatever if you're finding it unstable. Coldfusion is hell and way overrated. If you're going to use opensource, go completely open source because that's what it was designed with in mind. But judging from your website, you've got a lot more work to do than just getting a server running properly. Ugh... go buy a book or two, one for servers and one for web design. I'm not trying to troll... I just can't believe what this guy said, never in all my years have I had any trouble with Apache, whereas I also admin an IIS server and it's *hell*...but it pays the bills:)
      Regards,
      Steve

    5. Re:Apache is awful. by WinterpegCanuck · · Score: 1
      Ever consider contacting a consultant (or high school kid) that knows how to set it up properly. One of the largest XP Themes sites uses a totally non MS server and couldn't really handle the traffic on the same hardware without a non-ms solution.

      Unfortunately, despite your best attempts to slander the apache software, it looks more like pebkac

    6. Re:Apache is awful. by Gabe+the+Programmer · · Score: 0

      I'm not saying it's impossible to run enterprise stuff under Apache, just that it's *much* harder than with IIS. It's like MySQL vs. PostgreSQL. Under IIS, everything just worked, but now under Apache, it doesn't. Yeah, Apache is more secure and open source, but it isn't as good for enterprise as IIS is.

    7. Re:Apache is awful. by LardBrattish · · Score: 1

      Yeah, Apache is more secure

      No Shit Sherlock

      and open source,

      That's immaterial

      but it isn't as good for enterprise as IIS is.

      Bull. I'd finger either poor coding by your developers or poor administration of Apache/Coldfusion. Or maybe you were trying to run Apache on Windows which is not a good idea.

      Apache is more difficult but it's not that much more difficult. There are even web administration tools that make life easier.

      My first Apache config script worked ok but I had to do a bit of digging around on the net before I got all of the info I needed. M$ had a bad habit of making stuff appear easy by making lots of default choices for you that you might not make if you were given the informed choice.

      --
      What are you listening to? (http://megamanic.blogetery.com/)
    8. Re:Apache is awful. by Gabe+the+Programmer · · Score: 1

      They're running as Apache modules obviously. But even then we're still being crushed under the weight of our load.

    9. Re:Apache is awful. by killjoe · · Score: 1

      Apache1 or apache2? Windows or Unix?

      Apache under windows is JustBadIdea if you ask me.

      --
      evil is as evil does
    10. Re:Apache is awful. by llefler · · Score: 1

      Or maybe you were trying to run Apache on Windows which is not a good idea.

      Running Apache on Windows isn't necessarily evil either. It's good for Windows shops or when using another OS would make the learning curve incredibly steep.

      I use Apache/Win for my CGI SOAP services. While they are internal servers, they still get a moderate load. And I've never had a minute of trouble with Apache.

      I'm also using Apache/XP/Firebird on my laptop to learn PHP. Which will eventually be moved to my Apache/Debian/Firebird server.

      --
      It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
    11. Re:Apache is awful. by Anonymous Coward · · Score: 0

      What's even funnier is that those guys actually have the nerve to charge people $30/year to use that monstrosity of a website.

    12. Re:Apache is awful. by Anonymous Coward · · Score: 0

      I checked out the site today, and the Otherground Forum is really really cool. The Underground was okay, but I've heard that "MMA" is nothing more than human cockfighting. But apparently the Otherground is the main part anyway, and it had some funny stuff if you look past the political hysteria.

      I just signed up for an account, and if I still like it next month then I wouldn't mind paying the $29.95 for 12 months of extra features, html, and the nakedpics forum.

      Anyway, back to the topic, don't let these other anonymous cowards get you down. Your site has over A HUNDRED THOUSAND active threads?? How many users are registered there? Besides, the site never went down while I was checking it out, and overall it seemed adequately fast and only slightly bulbous.

      Good luck getting it running 100%, maybe I'll see you on the forums.

    13. Re:Apache is awful. by Anonymous Coward · · Score: 0

      If the site is freezing often, the flux capacitor could be acting up due to the lack of available time regulating between the KKM and DP.

    14. Re:Apache is awful. by Anonymous Coward · · Score: 0

      mma.tv = de-stroyed

    15. Re:Apache is awful. by Anonymous Coward · · Score: 0

      None of you keyboard warriors would dare say this to Gabe's, Kirik's, David Roy's, or Nick May's face.

    16. Re:Apache is awful. by Anonymous Coward · · Score: 0

      As a WWE and Toughman fan, I am familiar with your site. MMA.tv is the world's biggest Fight forum, it gets comparable traffic to Google and MSN. The server simply can't keep up. Try finding out what sort of servers google use and upgrade your server to the same as theirs.

    17. Re:Apache is awful. by Anonymous Coward · · Score: 0

      Lots of KKMs here. BTW, Camel Killer punches like a girl! *puts on tinfoil hat*

    18. Re:Apache is awful. by Anonymous Coward · · Score: 0

      At least he can beat HEMAN ... but then HEMAN would pwn Camel Killer at Detective Barbie.

    19. Re:Apache is awful. by Anonymous Coward · · Score: 0

      Incorrect. You only have to pay the $30/yr fee if you want enhanced options, otherwise it is free.

    20. Re:Apache is awful. by LardBrattish · · Score: 1

      Why Firebird? I've used it enough to still call it "Interbastard". I would have thought PostgreSQL would have been a better choice but give me a month until I've had it running a while on my home server then I'll tell you what name I've come up with for it ;)

      --
      What are you listening to? (http://megamanic.blogetery.com/)
    21. Re:Apache is awful. by llefler · · Score: 1

      I wouldn't mind Postgresql, but it has a very annoying feature that I can't tolerate. Let me preface this by saying I work with a lot of legacy MS-SQL TransactSQL. MS-SQL can be configured (default) to NOT be case sensitive in any way, shape, or form. If I create a table called MyTable, I can address it any way I like and I will get results. Same goes for fields. The only effect is that if I do a straight dump of a result set, my fields will be called DailySales, not dailysales or DAILYSALES. So I don't have to reformat them for the users. Now, a lot of this legacy SQL and table structures took that into account.

      If I try to use that with Postgresql, I have to put "every statement" inside "double quotes" so it doesn't "lowercase every freaking field and table". Case sensitivity is fine, but evaluate statements as I enter them. If they insist on lowercasing everything I don't put in quotes, lowercase the SQL server side of the comparison too.

      MySQL isn't an option for me. What good is a database server that doesn't return errors on validation failures. But I can live with Firebird now that they have the super server. It, or FlameRobin/IBAccess, lowercase all of my table and field names, but I can live with that.

      And yeah, in the past I wasn't all that impressed with Interbase either. I've always used ClientDatasets to avoid it until recently. My complaint has always been a lack of decent tools and its bizarre desire to expect the client to know the location of its GDB files.

      --
      It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
  23. Mod_ssl? by mcrbids · · Score: 2, Informative

    It doesn't appear that mod_ssl 1.3.33-NNN is available yet. I can't update until this is done, or all my ssl sites break.

    ugh...

    and I'd just started rolling out 1.3.32!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Mod_ssl? by Phroggy · · Score: 1

      Because this version is only a number bump and a fix to mod_include, I'd be doubtful as to whether this would affect mod_ssl at all.

      I'm sure you're right, but that number bump would be enough to make mod_ssl-2.8.21-1.3.32 not install without fuss.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Mod_ssl? by Anonymous Coward · · Score: 0

      the 2.8.21-1.3.32 release of mod_ssl does work with apache 1.3.33 since the changes between 1.3.32 and 1.3.33 are so small

      we have a few test servers running it now, with (so far) no errors on the benchmarks

    3. Re:Mod_ssl? by jimjag · · Score: 1

      mod_ssl includes the 'force' option that bypasses the version check. Works like a dream and the version for 1.3.32 applies like butter to 1.3.33

  24. Gettin Closer by Anonymous Coward · · Score: 0

    We're almost at version 1.3.37.....

  25. apache and webserver by chrisranjana.com · · Score: 0

    Apache the most robust webserver ever. !

    --
    Chris ,
    Php Programmers.
  26. As opposed to . . . by WinterpegCanuck · · Score: 2, Funny
    Following the release of Apache 1.3.32

    what, it would follow 1.3.34?

    1. Re:As opposed to . . . by Gopal.V · · Score: 1

      Often 1.3.34 follows 1.3.32 for GNU style namings ...

      Think how 2.4 follows 2.2 kernels ?.

    2. Re:As opposed to . . . by Nomikos · · Score: 1

      Can't wait to be able to run 1.3.37, then I would be truly.. ehr..

    3. Re:As opposed to . . . by cant_get_a_good_nick · · Score: 1

      apache doesn't follow that, though it skips releases every once in a while when it finds the release has a bug. They put out brand new code, and don't reuse the version number.

  27. why cant they just release patches? by xot · · Score: 2, Insightful

    Do they have to keep releasing a new version every time a bug or security flaw comes up?
    Why not just release patches for the bugs and just update the patch tree??

    --
    Lord of the Binges.
    1. Re:why cant they just release patches? by pairo · · Score: 4, Informative

      Because it makes it easy to keep track of whether you're vulnerable or not. Because it makes it obvious something important changed. Because it allows them to release a couple of other patches as well.

    2. Re:why cant they just release patches? by geminidomino · · Score: 1

      I had that problem a few years back. Well, I didn't have the problem, but my boss at the time sure thought I did. He wasn't a PHB, just a BSDite like me who'd never used Redhat until he bought a stupid system based on it.

      T'was around the time of the great OpenSSL vulnerabilities... As a lowly admin, my job was to update all the broken things to keep our servers up. So I did, using RH rpms. Of course, $BOSS didn't realize that RH (at least at the time. Never EVER touched it again after leaving that job) backported fixes and increased the patch level instead of the version number.

      Oh, how he yelled! How he accused me of slacking off instead of doing my job. How he ate crow when I let him finish and pointed it out to him.

    3. Re:why cant they just release patches? by Vitus+Wagner · · Score: 1

      Because it makes it easy to keep track of whether you're vulnerable or not.

      It especially makes it easy to track for everyone who sends a HEAD request to your server, because Apache dutifully reports its version in the Server: header with default settings.

    4. Re:why cant they just release patches? by pairo · · Score: 2, Informative

      You can easily turn that off.

    5. Re:why cant they just release patches? by rseuhs · · Score: 1
      Because then we would be in the land of pain like all IIS-admins.

      "Wait a minute, is version 4.07-SP2 with hotfixes 78302, 78748, and 79391 now safe from exploit 17293-B or not?"

      The thought alone gives me the shivers.
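
The exchange above about the version in the `Server:` header and turning it off can be checked from the configuration side. This is an added example, not code from the thread or from the Apache project: it reads an httpd.conf-style text, works out the effective `ServerTokens` level and shows the banner each level produces. The sample configs, the function names and the module list in the banner are constructed for illustration, and it assumes the last `ServerTokens` line in the file is the one that takes effect.

```python
import re

# ServerTokens keywords (Apache 1.3: Min[imal], Prod[uctOnly], OS, Full)
# mapped to a canonical level. With no directive Apache behaves as "Full".
LEVELS = {
    "prod": "Prod", "productonly": "Prod",
    "min": "Min", "minimal": "Min",
    "os": "OS",
    "full": "Full",
}

# Constructed sample configs (not taken from any real server).
SAMPLE_DEFAULT = """\
ServerName www.example.com
# ServerTokens Prod   <- commented out, so it has no effect
ServerSignature On
"""

SAMPLE_HARDENED = """\
ServerName www.example.com
servertokens ProductOnly
ServerSignature Off
"""


def directives(conf_text, name):
    """Yield the first argument of every active (uncommented) `name` line."""
    # Directive names are case-insensitive; comment lines start with '#'
    # and therefore never match a pattern anchored on the directive name.
    pattern = re.compile(r"^\s*%s\s+(\S+)" % re.escape(name), re.IGNORECASE)
    for line in conf_text.splitlines():
        match = pattern.match(line)
        if match:
            yield match.group(1)


def effective_tokens(conf_text):
    """Return the ServerTokens level in force (assumption: last one wins)."""
    level = "Full"
    for value in directives(conf_text, "ServerTokens"):
        level = LEVELS.get(value.lower(), level)  # unknown keyword: keep previous
    return level


def banner(level, version="1.3.33", platform="Unix",
           modules=("mod_ssl/2.8.21", "OpenSSL/0.9.7d")):
    """Build the Server: header value for a level (module list is constructed)."""
    if level == "Prod":
        return "Apache"
    text = "Apache/" + version
    if level in ("OS", "Full"):
        text += " (%s)" % platform
    if level == "Full" and modules:
        text += " " + " ".join(modules)
    return text


def audit(conf_text):
    """Summarise what the config discloses to any client sending a request."""
    level = effective_tokens(conf_text)
    signature_on = any(v.lower() in ("on", "email")
                       for v in directives(conf_text, "ServerSignature"))
    return {
        "tokens": level,
        "banner": banner(level),
        "version_in_header": level != "Prod",
        # ServerSignature adds a footer line to server-generated pages
        # such as error documents.
        "signature_footer": signature_on,
    }


if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(conf))
```

As the Red Hat backporting comment in this thread shows, the version in a banner does not reliably say which fixes are applied, so trimming it reduces what a casual scan learns but does not replace upgrading.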

  28. Re:What ever by pairo · · Score: 1
  29. Re:Freshmeat Sidebar by Anonymous Coward · · Score: 0
  30. No... by Goonie · · Score: 4, Insightful
    So Knuth is the only open source developer to write his own code and thats freakish?

    That's not what I meant at all. What I meant by the comment that Knuth is a "freak" was that Knuth is a freakishly talented individual. And, yes, Knuth's situation is pretty unique, even for open source developers. Not only does he have tenure (that means they can't sack him), because of his reputation he's able to spend his time doing pretty much whatever he wants to do free of the restrictions on ordinary academics, like that little thing, "teaching", or sweating over whether he's going to get published. So he could hack away at TeX as and when the mood took him, without any pressure from his boss to actually produce anything, or any users badgering him for a new release, or figuring out how the other developers had screwed up, or trying to implement broken bits of the standard (because there *was* no standard).

    They are *not* the typical circumstances under which most developers have to work.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:No... by martin_b1sh0p · · Score: 3, Interesting

      Apparently his code does have bugs from time to time:

      From http://www.tug.org/whatis.html
      Donald Knuth, a professor of computer science at Stanford University and the author of numerous books on computer science and the TeX composition system, rewards the first finder of each typo or computer program bug with a check based on the source and the age of the bug. Since his books go into numerous editions, he does have a chance to correct errors. Typos and other errors in books typically yield $2.56 each once a book is in print (pre-publication "bounty-hunter" photocopy editions are priced at $.25 per), and program bugs rise by powers of 2 each year from $1.28 or so to a maximum of $327.68. Knuth's name is so valued that very few of his checks - even the largest ones - are actually cashed, but instead framed. (Barbara Beeton states that her small collection has been worth far more in bragging rights than any equivalent cash in hand. She's also somewhat biased, being Knuth's official entomologist for the TeX system, but informal surveys of past check recipients have shown that this holds overwhelmingly for nearly everyone but starving students.) This probably won't be true for just anyone, but the relatively small expense can yield a very worthwhile improvement in accuracy.

    2. Re:No... by Anonymous Coward · · Score: 0

      If you read the earlier posts in this thread, the point was that no new bugs have been found in years. Not that his software was completely bug-free.

  31. On and off topic by WinterpegCanuck · · Score: 1
    Back at my old ISP before the big Telus bought us out, we had both IIS and Apache servers. The Apache servers hummed steadily in the corner, pumping out pages like nobody's business while the IIS took so much maintenance and work, we ended up creating a script to just reboot the things every few days.

    . . . and speaking of pour websites, one of our old customers (I had to try and answer his question in a professional way as to why people weren't coming to his website) designing-websites.com although he has gotten a lot better than what it was before

  32. Windows 3.1 anyone '?. by Gopal.V · · Score: 1

    > From now on, we will only install software on the servers that is at version 2.0 and above

    Hmm.. let this guy install Windows 3.1 on the servers (apparently that *is* > 2.0)

    Hmm.. maybe I wonder if Knuth did a good thing by freezing TeX at 3.14 (or was it 3.14.15...)

  33. apache 1-3-31 on debian testing by Anonymous Coward · · Score: 0

    ok, for a newbie, what are my options? I'm trying to stick with the apache deb packages so that I can use synaptic to update with, instead of tracking everything manually, which I still can't understand how people can do this.

    I'm using testing in my sources file, hoping to ride sarge into stable. I did an update, and it still shows apache at 1-3-31. I added unstable to the sources file, and it still shows apache at 1-3-31.

    So what am I supposed to do, either disable apache, or get the tarballs and compile 1-3-33 myself, and lose the ability to update via apt? Or is there a patch to look for, where I can temporarily patch 1-3-31 until 1-3-33 makes it into testing or unstable?

    Also, I saw a post recently where the security repository wasn't set up for testing yet, even though testing was getting the attention of the security team now because it is so close to being stable. In the post, it stated that there was some sort of trouble with the security repository setup.

    I assumed that the testing repository themselves were where the security team addressed problems, by bringing out new deb packages of the applications. I'm assuming this is wrong now, because of what I read in the /. post I mentioned above. Can someone clear up my confusion, should I be looking for a security repository for testing? Is there one for stable, and when sarge goes stable, will I be using a security repository that is separate from the us/non-us/contrib repositories?

    I've been avoiding exposing a server to the internet for months over this issue. I've been using an appliance firewall to expose port 80 and the ntp port only, and blocking all other ports, since I'm having trouble with iptables, and don't want to expose a service due to the security issue above. I've taken some steps to harden the server, using docs I downloaded, but debian still gives me some trouble since an installed service automatically loads and runs, and for example I can't figure out how to make a service listen internally only (but that's another subject, and partially solved only recently).

    Just some guidance/advice on a few of the questions at the top would be really appreciated. Not a total newbie, ran apache on suse for about 3 years without a problem.

    1. Re:apache 1-3-31 on debian testing by Vitus+Wagner · · Score: 1

      Debian people prefer to fix the bugs without updating to new upstream version whenever possible.

      I suppose that apache_1.3.31-7 package would soon hit the repository and it would have this bug fixed

    2. Re:apache 1-3-31 on debian testing by Anonymous Coward · · Score: 0

      As a newishbie sys admin, what is the best policy in this situation, hiding apache behind a firewall or shutting it down till the fixed debian version hits the repository, or risk waiting for it to hit without shutting down?

      For an experienced admin, what would he do (assuming that "he wouldn't be running testing" isn't the answer), would an experienced admin spend the morning looking for and installing a source version of apache that's patched until the deb version comes out, would he remove the server from the internet while that is being done, and skip breakfast or lunch until it is done, or wait a day or two to see if the new version hits the testing repositories, or simply wait, without protecting the server, until it hits the repositories, after deciding there is unlikely to be a working compromise until the update hits the repositories?

      I'd just like to understand what is the thought process and procedure in this exact situation, for someone running a service on debian, as I think this is applicable to other exposed services as well (with of course different circumstances in each case). Thanks!

    3. Re:apache 1-3-31 on debian testing by DerelictMan · · Score: 1
      > As a newishbie sys admin, what is the best policy in this situation, hiding apache behind a firewall or shutting it down till the fixed debian version hits the repository, or risk waiting for it to hit without shutting down?

      Do the following:

      • Check the Debian changelog (zless /usr/share/doc/apache/changelog.Debian.gz). Frequently fixes are backported but the version number isn't necessarily bumped. One of the vulnerabilities fixed in Apache 1.3.33 (CAN-2004-0492) has already been backported to Sarge in version 1.3.31-2.
      • Assess the risk to your installation. The other vulnerability (CAN-2004-0940) requires local access AND requires that mod_include be installed. If I'm not mistaken, mod_include is not enabled by default in Sarge. If you don't have untrusted local users or you're not using mod_include you don't have to worry.
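
The two checks described in the comment above, as an added example that is not part of the original post or of Debian's tooling. The changelog entries, the version 1.3.31-6, the module list and its file paths are constructed sample data; the advisory IDs and the 1.3.31-2 backport are the ones named in the thread.

```shell
#!/bin/sh
# Added example: triage an advisory against a Debian package changelog and
# the Apache module list. All sample data below is constructed.
#
# Real use (changelog path as given in the comment above):
#   zcat /usr/share/doc/apache/changelog.Debian.gz | fixed_in CAN-2004-0492

# Print the oldest package version whose changelog entry mentions advisory $1.
# Debian changelog text is read from stdin, newest entry first.
# Exit status 1 (and no output) if the advisory is never mentioned.
fixed_in() {
    awk -v id="$1" '
        # Entry header, e.g. "apache (1.3.31-2) unstable; urgency=high"
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        # Keep overwriting: the last hit in the file is the oldest entry.
        ver != "" && index($0, id) { found = ver }
        END { if (found == "") exit 1; print found }
    '
}

# Succeed if the Apache configuration on stdin has an uncommented
# LoadModule line that loads mod_include.so.
mod_include_loaded() {
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+[^[:space:]]+[[:space:]]+[^#]*mod_include\.so'
}

# Constructed changelog in Debian format (not the real package changelog).
sample_changelog() {
    cat <<'EOF'
apache (1.3.31-6) unstable; urgency=low

  * Constructed entry: note the CAN-2004-0492 fix in README.Debian.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

apache (1.3.31-2) unstable; urgency=high

  * Constructed entry: backport mod_proxy fix for CAN-2004-0492.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

# Constructed module list; the file name and paths are assumptions.
sample_modules_conf() {
    cat <<'EOF'
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
# LoadModule includes_module /usr/lib/apache/1.3/mod_include.so
EOF
}

# Demo run over the constructed data.
for id in CAN-2004-0492 CAN-2004-0940; do
    if v=$(sample_changelog | fixed_in "$id"); then
        echo "$id: addressed in the package as of $v"
    else
        echo "$id: no changelog entry, assess exposure"
    fi
done

if sample_modules_conf | mod_include_loaded; then
    echo "mod_include: loaded, local users matter"
else
    echo "mod_include: not loaded"
fi
```

An advisory missing from the changelog only means the packager has not recorded a fix; it says nothing about whether the packaged upstream version already contains one.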
  34. Re:What ever by Anonymous Coward · · Score: 0

    Heh - the default runtime engine for Apache 2 is the prefork model, which definitely isn't multithreaded ;-)

  35. "visionary of the year" award by Cl1mh4224rd · · Score: 1

    Apparently those visions included lots of shifting colors...

    --
    People will pass up steak once a week, for crap every day.
  36. Try phpBB by Anonymous Coward · · Score: 2, Informative

    I'll have to chime in and join the speculation that the problem lies with CF. I didn't even know CF would run under Apache.

    Try installing phpBB, it's free, and moderately pretty by default. The only hitch would be migrating your existing user accounts. If you have their passwords in plaintext, just examine phpBB's registration code, and write a script to insert your existing users into phpBB's database.

    I have phpBB running on a site with about 8,000 users that gets 1500+ posts a day. Works great and it's free!

  37. Re:What ever by Anonymous Coward · · Score: 1, Insightful

    How is that FUD? Inaccurate maybe. But the functionality is there, if only by a different name.

  38. Parent deserves insightful. by Anonymous Coward · · Score: 1, Insightful
    It's both sad and funny, but I'm (a VP) finding the exact same trouble, with a CEO not understanding of any software without commercial support. No problem - I've got underemployed friends who know postgresql, and sure enough by re-labeling it XYZ-corp-postgresql and a contract to update when upgrades come out, and to forward requests between the company to&from developers on the mailing list when/if other problems occur, everyone was happy.

    Nothing sneaky was done - the CEO still knows it's open source - but now he has a phone number to call and can drag someone to his office.

    Rather than laugh, I'd say go for it. If your friend owns a suit and prints a nice business card it could be win/win for everyone.

  39. Content-Length in mod_proxy by morten+poulsen · · Score: 4, Informative

    It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.

    See CAN-2004-0492 for details.

  40. In other news.... by abdulwahid · · Score: 4, Funny

    Kernel developers today released the eagerly awaited linux kernel 1.2.14. Everyone should update to this latest version as soon as possible to make use of the security fixes that this update provides.

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
    1. Re:In other news.... by dramatools · · Score: 0

      Heh.... Unlike the 1.2 kernel tree, Apache 1.3.x is still in common use today, though people are gradually moving to 2.0.x. Apache 1.3 is much like the famed McDonnell Douglas DC-9-- old, but reliable and productive. The Apache Foundation should be commended for continuing to support the 1.3 base as long as they have. Certainly it beats Microsoft's answer to Windows 98's problems-- selling the user a copy of Windows XP.

  41. Re:What ever by bustersnyvel · · Score: 4, Informative

    www.apache.org - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:17:14 GMT
    Server: Apache/2.0.52 (Unix) ....

    www.redhat.com - Unknown apache version:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:18:05 GMT
    Server: Apache ...

    www.cnn.com - Unknown apache version:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:18:45 GMT
    Server: Apache

    www.cnet.com - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:19:08 GMT
    Server: Apache/2.0

    www.bbc.co.uk - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:19:38 GMT
    Server: Apache/2.0.51 (Unix)

    us2.php.net - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:20:01 GMT
    Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a

    I guess a lot of people use Apache 2!

  42. I feel safe. by Highpriest · · Score: 0

    There was a security flaw with an integer variable field? Hrm. I feel really safe knowing they are making mistakes programming global variables, heh.

  43. Re:What ever by aaron.rowe · · Score: 1

    That doesn't mean the security patches are not applied.

    Don't forget that even Debian Stable is using Apache 1.3.26 yet the security updates are backported to that version by the glorious debian community shortly after the announcements from Apache foundation.

  44. Re:What ever by prator · · Score: 1

    I'm using mod_dav with Apache 1.

    -prator

  45. Back to /. roots? by FudgePackinJesus · · Score: 4, Insightful

    I really hope that, with this post, this is a hint of things to come at /.

    I really think that overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made /. special in the past make it to the front page again. Instead we're getting game reviews, movie reviews and politics. Sounds more like a mainstream news source now, doesn't it?

    The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.

    Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been the most expensive software out if not for the free-as-in-beer-speech competition. Open source bestowed the average man a voice in the newest of media channels.

    I truly hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe /. gave off before because, at the end of the day, that's all it is. A tagline.

    1. Re:Back to /. roots? by 74nova · · Score: 2, Funny
      > I'd really like to see ... Gnome & KDE flamewars

      there aren't gnome and kde flame wars anymore because we kde zealots won.


      easy there boys, it's a joke
      --
      use your turn signal! you people act like it's divulging information to the enemy
    2. Re:Back to /. roots? by FuzzyBad-Mofo · · Score: 1

      > there aren't gnome and kde flame wars anymore because we kde zealots won.

      Like hell, KDE is the suxxor!

      :p
    3. Re:Back to /. roots? by solios · · Score: 1

      Don't forget the DOOD CHECK OUT MY SCHWEET BLOG ENTRY posts. Or the ads-masquerading-as-posts posts.

      This used to be a nice "tip of the iceberg" place- it's where I got my feet wet with regards to linux. While the front page content is more buzzword/ad/blog centric than I care for, hey- there's filtering.

      Fuck, I don't even know if Katz still posts columns or not. I got so sick of that shit that he's the only thing I locked out of my FP prefs.

      So /. is getting better with age in at least one respect.

  46. Future thought by SirLestat · · Score: 5, Funny

    I can't wait for release 1.3.37

    1. Re:Future thought by Anonymous Coward · · Score: 0

      I have a feeling that that's the only reason keeping the 1.3 branch alive.

  47. qmail has bugs by richdawe · · Score: 1

    qmail has bugs, just no bugs that affect security. But they are bugs nonetheless.

    One bug is to do with insufficient checking of a counter, so it wraps at 2GB. The worst case here is that the program crashes, I believe. I don't think it is exploitable.

    Another bug is a crash on parsing a slightly weird .qmail file. I can't remember the exact details of that.

    Then there are various other things that you could consider bugs. qmail doesn't comply with the current Internet standards. If you restrict bugs to mean "doesn't function as originally designed", then these are not bugs. But I think they would be considered bugs by most people, since they affect qmail's interaction with other mail software.

  48. Windows update of apache? by Ash-Fox · · Score: 1

    Hmm, I can't seem to find the updated windows version.

    --
    Change is certain; progress is not obligatory.
  49. Re:What ever by Anonymous Coward · · Score: 0

    Unfortunately a few of the mods plugins are having problems with that "great" threading model.

  50. Re:What ever by Anonymous Coward · · Score: 0

    Sure, Apache2 has some great threading engines. However you can't use them with php, so if you have a php site, you'll be running the prefork-mpm anyway (and that's what most (all?) distros are shipping by default afaik).

  51. Advice. by Bill,+Shooter+of+Bul · · Score: 1

    I'm not trying to troll, but many people make this mistake. Next time you think about migrating to a product, visit the product's website to research what the latest production release is and look at a product roadmap to see if it would be worthwhile to wait until a newer version becomes available. Then after you have done all of the research, you can present your findings to your higher ups in a manner that allows them to make an informed choice. That works wonders.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  52. Re:What ever by Draco_es · · Score: 1

    > Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save).

    Not every architecture requires a hardware TLB flush. Some of them (like ia64, I think) maintain a tag called ASID (Address Space IDentifier) so TLB entries can be shared by different processes which share memory pages. Anyway, I always thought that the real performance and scalability benefit between using processes or threads was on task creation and destruction and not on task switching. I'm not saying that a TLB flush on a context switch is negligible but by itself probably is not so important. Could you give any pointers on this?

  53. Re:What ever by avel599 · · Score: 1

    Ah, so that's why sites that use the Sourceforge web service have been so slow lately.

    8-)

  54. Re:And... tsarkon reports WHITE POWER by Anonymous Coward · · Score: 0

    sidestepping points like "genocide" with:

    Trains, planes, cars, rockets, telescopes, tires, telephones, radios, television, electricity, atomic energy, computers, and fax machines. All miracles made possible by the minds and spirits of men with names like Ampere, Bell, Caselli, Edison, Ohm, Faraday, Einstein, Cohen, Teller, Shockley, Hertz, Marconi, Morse, Popov. Ford, Volta, Michelin, Dunlop, Watt, Diesel, Galileo, and other "dead white males."

    is laughable.

    You killed how many thousand people?? what have you to say for yourself?

    We invented fax machines!

    but I guess that was my question, what makes you proud to be white.

  55. It CAN be done by Anonymous Coward · · Score: 0

    One other good example is the Space Shuttle's Accent software. And some other software (key word "some") used in the aerospace industry. In the case of the shuttle they spent LOTs of time reviewing it so much so that productivity was on the order of only a very few lines of code per programmer per month. Something like three or four lines. They also had to write their own compiler and system software and verify that line by line as well. On top of that review-heavy method they contracted to two companies to write the code independently twice and they were not allowed to communicate. Both codes are run at the same time and the output is compared bit by bit. Writing perfect code means hiring a few committees of experts to spend years in review, debate and discuss every space and comma on a work the size of a novel. It's darn expensive. I work in that industry but I'm sure glad I get to develop and not do verification work, I'd go nuts.

    Just as an example. I'd get a little form that had been signed off by a review committee that described some small change in the way some part inside a missile would work. I'd have to design a change and show it to my boss. But the boss would only look at it after I'd had it reviewed by one other engineer. Boss OKs design. I write code, show it to one other engineer then to boss. Then I get to present it in a conference room on a projector to a room full of people who will grill you over every line. Almost always I'd have to change something then repeat the process. Along with the code I'd also have to prevent a "test plan" in the conference room and the plan would need approval too. Much of my time was taken up either presenting my stuff or sitting in the room watching other engineers present their stuff. I would do the first level of test on my stuff but we had a test group that would do more formal verification.

  56. Re:What ever by myg · · Score: 1
    Yes, there is DAV support for Apache 1, but it's not quite as stable or flexible as the DAV engine in Apache 2.

    I'm not 100% sure but I suspect it isn't really all that supported anymore.

  57. Re:What ever by myg · · Score: 1
    I'm not sure about IA-64 but yeah some processors are better at context switching than others. Threads are faster to create and do tend to take up a bit less RAM for page tables as well. That's a good thing when you have several thousand simultaneous requests going on.

    The down-side to threads is, as some posters have pointed out that a few modules (PHP comes to mind) aren't thread safe. I don't really use PHP nor do I like the language enough to bother with it.

    But of the things I do use they all seem to be very happy with threads. And for Win32 users the threading model is pretty much their only model.

  58. Re:What ever by Nevyn · · Score: 1
    > First off, it handles multi-threading much better meaning that very heavy workloads require less CPU time[*]

    Well that's hard given that apache-1.3.x doesn't use threading at all. Of course all the Linux distributions still ship with the "old" pre-fork method, because it's just as fast on Linux ... and much safer, reliable and compatible.

    > [*] Why is multi-threading faster ... Changing virtual address spaces is slow because it requires a TLB flush

    Doing a task switch, even without a TLB flush, is still much slower than not doing a task switch at all. Using two servers, apache for dynamic content and a fast one for static content is fairly common ... and much faster than apache 2.0.x.

    And you are sacrificing a huge amount of reliability for that small TLB "improvement", then of course you have to take into account the extra locking needed in the threaded app. and the SMP cache invalidation traffic when you alter hot objects etc. Of course I'm sure you've measured all this ... not.

    --
    ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
  59. Re:And... tsarkon reports WHITE POWER by Anonymous Coward · · Score: 0

    If you are a nigger, you chop clitoris and sold your own brothers into slavery. If you are a nigger, you gang bang in the hood. If you are a chink, you cultural revolutionized and murdered thousands under MAo in the 60's. If you are a Jap you murdered uncountable people in Nanjing. If you are a Gook, Kim Jong Il and Kim Sun Il murdered millions and starved many more, if you are Islamic, your religion murdered more than any weapons or anything in human history.

    We the white people have been battling heathens like you forever. We here in America have taken the best, even if they are nigger kind, and made them make us better. Now you animals are coming here and invading us.

    You are pathetic. You use the internet the WHITE MAN invented to piss on me the WHITE AMERICAN, I am an angel on earth compared to you. YOU ARE dirty, brown disgusting. You are worthless and your kind pollutes the gene pool and makes us less likely to live as a species.

    You will be punished by the WHITE MAN when we get sick of you. We will not let you use anything we invent will be our punsishment. Then you rot in nigger hell.

  60. Re:And... tsarkon reports WHITE POWER by Anonymous Coward · · Score: 0

    You're talking as though the internet is a thing.

    You're just as much an anonymous coward as the rest of us.

    Get off your horse and stop blowing hot air.

    Stupid hairless monkey!

  61. Apache Security Documentation by mrkitty · · Score: 1
    --
    Believe me, if I started murdering people, there would be none of you left.
  62. Re:What ever by Megaweapon · · Score: 1

    I think it has been out long enough to bang out the bugs. Even though 1.3.x is still being patched I think A2 is ready for prime time. We're close to implementing it in our shop in a production environment.

    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
  63. We *NEED* 4 more bugfixes, though! by Anonymous Coward · · Score: 0

    Or when will we get up to Apache 1.3.37?

  64. Re:apache 1-3-31 on debian testing Thank you by Anonymous Coward · · Score: 0

    Your answer is very much appreciated, exactly the type of answer I was looking for.

    Thanks again.

  65. No. by Tony-A · · Score: 1

    As a rule, any program of reasonable complexity has bugs.
    A possible exception exists for programs written by Knuth.

    What is freakish is that Knuth is the only person with the ability and determination and discipline required to write a program without bugs.

    Me I'd find some other term than "freakish", like phenomenal, but the critical distinction is the same.

  66. Re:What ever by l3v1 · · Score: 1

    I just could not notice having become troll for that comment. Oh well, whatever you want guys. Thing is, I'm using Apache 1 and 2 versions on some linux and windows machines, some out on the web, some for local development, whatever. There are also some folks I know, who run linux and windows servers for db and web serving, 1&2 apache's mixed. But every committed one of them (which I am not, not having an admin job, and I wouldn't ever want one) never considered exposing an A2 server out to the large scale public (just remember A2 and PHP thread problems, module migration problems - maybe these are not such a problem anymore, the shadows still lurk). Call them (or me) freaking FUD spreaders, it's just our way.

    So we're the bad guys, stupid guys, whatever (like I care), and we're not worth talking about Apache, we poor schmucks. But you guys, who raise A2 into the clouds of Olympus, you rock, 'cause you know the truth.

    For the typo: well, that's still just me.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  67. DONKEY PUNCHED BY DIRTY SANCHEZ! by Anonymous Coward · · Score: 0

    Yes, you have just been Donkey Punched by the legendary Dirty Sanchez. Revel in the luxury of knowing that the company you keep is small, and often dead.

  68. Re:What ever by Anonymous Coward · · Score: 0

    Using Fedora Core 2 is the dumbest decision I've seen in a while.

    Why they didn't go with more robust server-oriented Linux distro is beyond me.

    For example, if they wanted RPM-based distro, they could use Centos 3.3 which is basically a free version of RedHat Enterprise (Advanced Server 3).

    Another good choice is Debian. Even Debian testing (sarge) would be more reliable than Fedora Core as a server and it would have all the latest apps.

  69. support by torrents · · Score: 1

    does anybody know off hand how long they will continue to support apache 1.x

    --
    Get your torrents...
  70. first post! by Comrade_X · · Score: 1

    omg I got first post!

    --
    Hello world :)
    1. Re:first post! by Anonymous Coward · · Score: 0

      I'm a girl that's pregnant you sexy man :)

    2. Re:first post! by josmum · · Score: 1

      you will soon know the secret phallus.

    3. Re:first post! by Comrade_X · · Score: 0

      Is that GNAA?

      --
      Hello world :)
  71. Re:And... tsarkon reports WHITE POWER by Anonymous Coward · · Score: 0

    Such anger! Get a life dude

  72. Re:What ever by Anonymous Coward · · Score: 0

    TLB flushes are not as expensive as you think. What is expensive is switching the entire process context. This reloads the entire hardware state and switches page tables, which may or may not cause a TLB flush depending on your architecture. Hardware state may include FPU, SIMD, debug registers and other things that are expensive to save and reload. You also have to switch the privileged mode stack and maintain twice as much overhead memory for page tables, as well as imposing locking overhead in the kernel scheduler.

    User threads can switch without even entering the kernel; kernel threads can have a lighter weight thread switch that optimizes away much of the process context switch.

    An efficient server model may mix the two and use processes for SMP scalability, and threads or non-blocking state machines for request servicing.

    That is why Apache 2.x models are much better than Apache 1.X.