Apache May Stop 1.3, 2.0 Series Releases
Dan Jones writes "The Apache Software Foundation may stop releasing new versions of the older 1.3 and 2.0 series of its flagship Web server product with most development now focused on the 2.2 series. Nothing is final yet, but messages to the Apache httpd developer mailing list recommend the formal deprecation of the 1.3.x branch, with most citing a lack of development activity. The Apache HTTP server project is one of the most successful and popular open source projects and has become an integral part of the technology stack for thousands of Web and SaaS applications. The first generation of Apache was released in 1995, and the 2.0 series began in 2002. Apache httpd 2.2 began in 2005, with the latest release (October 2009) being 2.2.14. However, the most recent releases of the 1.3 and 2.0 series servers were back in January 2008. With the combined total of active 1.3 and 2.0 series Apache Web servers well into the millions, any decision to end-of-life either product will be watched closely."
Surely this is just a formality. If there have not been updates for two years they are pretty much dead projects anyway. Conversely, if you have been running on an old system for two years without problems then it's likely to be pretty stable, so you can just stick with it on the understanding that there will be no fixes or enhancements.
...Apache 1.3.x is dying
Time to upgrade, this isn't 1995 anymore.
Of course, tons of servers still run the 1.3 and 2.0 branches
These people don't care if they're in active development - and almost all of them are running them because upgrading isn't worth it for their application.
All these people care about are security patches. As long as that keeps happening, deprecate them all you want
It's just like people running 2.2.x kernels on high uptime servers. They don't want new features - if they were willing to install a new version of something every time a new feature came out, they'd be running 2.6.x now anyway. But they'll keep using it as long as reliability and security fixes keep rolling out.
What kind of impact will this have on security patches for remaining security flaws (if any) for 1.3 and 2.0? TFA states that security updates would be provided by "some other means" but I'm not sure what those are.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
All kidding aside, anybody with the skills and resources can now take over 1.3 and keep updating it. You cannot really EOL a FOSS program if anybody wants to keep it alive. That being said, there are other lightweight web servers that can do what people are using 1.3 for. Now Apache 2.0 may be a bit harder to replace since the migration isn't automatic from what I hear.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Putting closure on a software product is important.
Professional software usually has an EOL schedule. For example, RedHat Enterprise Linux and Windows XP both have EOLs for early 2014. This allows people using the software to plan upgrades and know when they need to be making a transition.
This is equally as important for open-source software. It looks really bad when this is not done. For example, Dan Bernstein's DjbDNS software package has three unpatched security holes. People using this software have to know about these holes and apply third-party patches.
In addition, when the maker of an open-source program says "OK, I'm done with this program.", it allows maintainers to step forward and take over the project. For example, when I announced I would no longer work on a Doom random map generator I had been hacking on for a while, someone expressed interest in maintaining the software, and subsequent updates have since been done.
I think the Apache foundation should either say "OK, we'll still fix security bugs on this program" or "We're no longer maintaining this release". This way, the users of these programs know whether to upgrade, form their own group applying security patches, or just know they're OK from a security perspective if they're current.
I have blogged about putting closure on open-source projects and have well-defined EOL dates for older releases of my own MaraDNS.
A lot of open-source projects just languish when the developers lose interest; I feel this is irresponsible and feel EOL dates and putting closure is important.
MaraDNS is an open-source DNS server.
Supporting Apache 1.3 is like Microsoft supporting Windows 98. Apache 1.x is almost 15 years old and Apache 2.x has been out for 10 years. People have had plenty of time to upgrade. It's time to move on.
mod parent up
How does the statement "We will stop releasing new versions of version 1.3 and 2.0 and continue to release new versions of version 2.2" make sense?
Have we abandoned the straightforward Arrow of Versionity?
Apache 2.x has never been a credible replacement for Apache 1.3 unless you happen to be using Microsoft Windows. Apache 1.3 is stable and does what people want, how difficult is it to maintain really? Are Microsoft paying the Apache Foundation, or are they just about to surrender the web server market on a voluntary basis? It'll take me a few weeks to upgrade every server and port rewrite rules to nginx, or we can easily maintain a fork of 1.3.
*shrug*
I make thorough use of it on many platforms, for the reasons that it has a notably smaller memory footprint, runs swifter, and is a bit more manageable than both of the 2.x branches. I recognize the extended, native feature set of the 2.x branches; but I simply don't need any of them; they are not apt replacements for what 1.3 offers. I also recognize the problem with the 1.3 branch not quite receiving the attention it could do with regarding updates (although 1.3.41 has no known security issues at the moment), but I still prefer 1.3 over the 2.x branches. Eventually stagnation of 1.3 will force me to move to 2.2, but I will wait patiently. THTTPD is not a good substitute today.
Apache should keep hosting basic pages for the old series with at least LINKS to where the projects have moved to be maintained. Sourceforge for example or OpenBSD.
The realistic measure should be USAGE not how much development activity there is on the last branch. Bug fixes may be few and years between when the software becomes rock solid. "Perfect" software (unobtainable) would never need patching outside of changes in the abstraction layer with the OS (ignoring compiler issues) but under this line of thinking --- actively debugged software is "alive" and the more bugs and unfinished features plaguing coders the better.
The reality is that if you have a program that does its job well and has been made stable and secure - WHY SHOULD IT BE UPGRADED? other than changes to port it to new systems (those needs should diminish with time as well) and maybe a few bug fixes.
I'm not advocating supporting old versions; however, I think it's foolish to judge 'finished' projects as dead and useless - they should at least host the code and/or link to somebody who is willing to maintain it.
Democracy Now! - uncensored, anti-establishment news
The last install I did of Solaris 10 included Apache 2.0 (.58, IIRC), so there are still new installations going in with 2.0. Since Sun started shipping Apache with the OS, we tend to use it rather than create our own packages or use the Sun freeware versions - theoretically, Sun will support the OS supplied version (never needed support on it, so couldn't say).
I believe the cooltools versions use 2.2, but not sure if the latest 10 releases include it as standard.
Our production estate includes everything from 1.3 up.
Sigs are so 1990s. No way would I be seen dead with one.
sorry.
I'm in the web hosting and web development business, and I can easily say that the majority of the web still runs on 1.3. Innumerable scripts, modules, and software were coded for 1.3, and there are innumerable websites that still need that stuff. Even the clients who start with newer versions sometimes have to go back to 1.3 because they need some module or software that is uncommon but vital in their line of business.
'Obsolete', 'old', 'development ceased', 'not supported', etc. do not count. This is about business. Small businesses and individuals, who constitute the majority of the web, don't have the funds or time to get all their setups ported to a wholly new webserver. They just won't, because they can't. It's just like the XP -> Vista -> 7 thing, but much more serious in that they don't have the funds or possibility to upgrade by themselves.
2.0 didn't get hold at all in the broad web. There are 'edgy' people using it, and edgy web hosts offering it, but the majority of the hosts just offer 1.3 because of the software support for it. Just like Windows and its broad software support base.
This is a practical issue. People won't just roll over to 2.0 or 2.2 just because smart programmers made them and they work better. There are more pragmatic issues at stake here. If you don't take backwards compatibility into FULL account, people won't use your new version and will just go with the old. As long as there are charitable people (in or outside the Apache developer base) who fix any security issues that are found, they will just stay on 1.3. This WON'T be good for either Apache or open source software in general.
I implore you, please do not be elitist or self-righteous and try to force anything on the people. For this is 'the people'; leaving aside not liking being forced (and hating self-righteous behavior), this time they don't have the means and resources to do what they are being forced to do either.
Remember, software didn't build the web - people did.
Read radical news here
If you have to do a lot of reverse proxying then you might want to check out Varnish. It performs much better than squid, but it only works for reverse-proxy.
As per http://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x/README the proposal (Full disclosure: I'm colm@apache.org - the proposer) was that we would start distributing security patches via http://www.apache.org/dist/httpd/patches/
Thanks, colmmacc.
The Apache HTTP server project is one of the most successful and popular open source projects
One of them? Is there any other OS project that even comes close to Apache's impact?
I'm still using httpd v1.0 pre-alpha -- are you telling me I'm not going to get future updates now?
// but seriously, I migrated my servers from 1.3 to 2.0 and then to 2.2 and it's no biggy. In fact, it gets better when you migrate up.
anybody with the skills and resources can now take over 1.3 and keep updating it.
And who, exactly, has these resources? This is not something a few hackers can take over and keep maintaining in their spare time. A project this size needs project management, QA resources, bandwidth, and a lot of developer hours.
Apache has done well because it has a robust well-funded organization behind it. That organization exists because a lot of people need Apache to prosper in order to prosper themselves. Yeah, if some of these supporters want to keep 1.3 alive, they can start a new organization for that purpose. But they won't, because it would cost big bucks, and there's no business model to make it worth their while.
All significant OS projects work this way. The common notion that a big software project is alive as long as the source code is available is laughable to anybody who's actually participated in such a project.
Wrong, it is irresponsible of *YOU* to use software which is not actively patched and maintained. Pretty easy to not commit that sin if you stay with high-level distros' maintained packages. But otherwise it's on your head. No one has to maintain software you like just because you wish they would.
Simple solution: sit down when you pee
High-level distros EOL software all the time, based upon the project's design goals. They maintain builds, they do not develop the solution. Clearly, Debian has 5 levels of distribution structure and anyone running a 2.2 kernel Debian knew long ago that it was not going to be actively maintained whereas the 2.6.current branch is obviously being patched and changes moved upstream to the Kernel trunk.
The obligation is not ethical. It's practical.
Logical words, rationalizations, and even being right won't change the matter.
The success of a project, and ultimately of open source, depends on people using it. If the people and businesses using it are left out in the cold like piles of crap by a major project, even only once, the opinion against open source will change, and the masses who were using that software will switch to other providers, very probably closed source proprietary software, because at least the companies will seem more reliable than open source by that point.
This, that or those do not matter. This is a matter of pragmatism and practicality. It doesn't matter zit whether you are right in ANY of your points. This is a matter of brutal pragmatism. If you fail them, the masses will leave you, and you can only shove your project up hobbyists' asses at that point.
This is the mechanic which made Microsoft come out far ahead of other competitors in the early 90s: the masses' usage. Lose it, and you lose everything.
It's sad to see a lot of self-righteous and elitist responses being posted to grandparent. It shows how remote from brutal reality some of you people are. However, it was not unexpected.