Slashdot Mirror


Apache May Stop 1.3, 2.0 Series Releases

Dan Jones writes "The Apache Software Foundation may stop releasing new versions of the older 1.3 and 2.0 series of its flagship Web server product with most development now focused on the 2.2 series. Nothing is final yet, but messages to the Apache httpd developer mailing list recommend the formal deprecation of the 1.3.x branch, with most citing a lack of development activity. The Apache HTTP server project is one of the most successful and popular open source projects and has become an integral part of the technology stack for thousands of Web and SaaS applications. The first generation of Apache was released in 1995, and the 2.0 series began in 2002. Apache httpd 2.2 began in 2005, with the latest release (October 2009) being 2.2.14. However, the most recent releases of the 1.3 and 2.0 series servers were back in January 2008. With the combined total of active 1.3 and 2.0 series Apache Web servers well into the millions, any decision to end-of-life either product will be watched closely."


  1. Surely this is just a formality by Chrisq · · Score: 2, Interesting

    Surely this is just a formality. If there have not been updates for two years they are pretty much dead projects anyway. Conversely, if you have been running on an old system for two years without problems then it's likely to be pretty stable, so you can just stick with it on the understanding that there will be no fixes or enhancements.

    1. Re:Surely this is just a formality by TheRaven64 · · Score: 4, Insightful

      With open source, the product doesn't need to die. If ASF isn't going to put any more resources into it, but other people are still using it, then the code is out there and they can hire someone to work on it. There are lots of developers familiar with the Apache codebase who, I'm sure, would be happy for someone to pay them to back-port fixes to the 1.3 and 2.0 series.

      It's also worth noting that this has, in fact, already happened. The OpenBSD base system includes a fork of Apache 1.3.29 and will probably continue to do so for a long time, because Apache 2.x has a new license.

      --
      I am TheRaven on Soylent News
    2. Re:Surely this is just a formality by colmmacc · · Score: 5, Informative

      As per http://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x/README , the proposal (full disclosure: I'm colm@apache.org, the proposer) was that we would start distributing security patches via:

          http://www.apache.org/dist/httpd/patches/

      The main point is to reduce the overhead and burden of creating full releases. Releases take a large amount of community involvement and time, and are becoming impractical. The 1.3.x branch does not even build on many modern platforms - for example the configure script is incompatible with dash and there is a getline() function which conflicts with a glibc neologism.

      Hope that helps.

    3. Re:Surely this is just a formality by TheRaven64 · · Score: 4, Insightful

      If a company that supports a closed-source product wants to end support, their customers can always pay them to continue support for the product somewhat longer

      Their customers can always offer to pay them to continue support. The company may accept, or it may decide that discontinuing the product and expecting the customers to upgrade is more profitable.

      --
      I am TheRaven on Soylent News
  2. Netcraft confirms... by adnonsense · · Score: 2, Funny

    ...Apache 1.3.x is dying

    1. Re:Netcraft confirms... by Sir_Lewk · · Score: 4, Insightful

      Bizarrely enough, this is actually something Netcraft might confirm.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    2. Re:Netcraft confirms... by shallot · · Score: 2, Informative

      There's another web server survey out there that says the latest Apache 1.3.x alone has 4.26%, and its graph may be interpreted to say that it's not dying. Damn :)

  3. go for it by resfilter · · Score: 3, Insightful

    of course, tons of servers still run the 1.3 and 2.0 branches

    these people don't care if they're in active development - and almost all of them are running them because upgrading isn't worth it for their application.

    all these people care about are security patches. as long as that keeps happening, deprecate them all you want

    it's just like people running 2.2.x kernels on high uptime servers. they don't want new features - if they were willing to install a new version of something every time a new feature came out, they'd be running 2.6.x now anyway. but they'll keep using it as long as reliability and security fixes keep rolling out.

    1. Re:go for it by garcia · · Score: 4, Interesting

      almost all of them are running them because upgrading isn't worth it for their application.

      Or because the new configuration scheme is not backwards compatible and the time required to get up to speed on the new config is too much of a hassle. There should have been some sort of 1.3->2.0->2.2 configuration updater. If there is and I'm just blind, please point me in the general direction :)

  4. Security Patches by TheNinjaroach · · Score: 2, Interesting

    What kind of impact will this have on security patches for remaining security flaws (if any) for 1.3 and 2.0? TFA states that security updates would be provided by "some other means" but I'm not sure what those are.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  5. You can not kill FOSS! by LWATCDR · · Score: 2, Insightful

    All kidding aside, anybody with the skills and resources can now take over 1.3 and keep updating it. You cannot really EOL a FOSS program if anybody wants to keep it alive. That being said, there are other lightweight web servers that can do what people are using 1.3 for. Now Apache 2.0 may be a bit harder to replace since the migration isn't automatic from what I hear.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  6. Re:about time by chrysalis · · Score: 3, Informative

    Right. Upgrade to a modern HTTP server like Nginx http://www.nginx.net/ or Lighttpd, you won't regret it.

    And if for some reason you really need Apache 1.3.x, this code is maintained by OpenBSD and an enhanced version is shipped with the OS.

  7. Putting closure on a software project is important by MaraDNS · · Score: 5, Interesting

    Putting closure on a software product is important.

    Professional software usually has an EOL schedule. For example, RedHat Enterprise Linux and Windows XP both have EOLs for early 2014. This allows people using the software to plan upgrades and know when they need to be making a transition.

    This is equally as important for open-source software. It looks really bad when this is not done. For example, Dan Bernstein's DjbDNS software package has three unpatched security holes. People using this software have to know about these holes and apply third-party patches.

    In addition, when the maker of an open-source program says "OK, I'm done with this program.", it allows maintainers to step forward and take over the project. For example, when I announced I would no longer work on a Doom random map generator I had been hacking on for a while, someone expressed interest in maintaining the software, and subsequent updates have since been done.

    I think the Apache foundation should either say "OK, we'll still fix security bugs on this program" or "We're no longer maintaining this release". This way, the users of these programs know whether to upgrade, form their own group applying security patches, or just know they're OK from a security perspective if they're current.

    I have blogged about putting closure on open-source projects and have well-defined EOL dates for older releases of my own MaraDNS.

    A lot of open-source projects just languish when the developers lose interest; I feel this is irresponsible and feel EOL dates and putting closure is important.

    --
    MaraDNS is an open-source DNS server.
  8. Re:about time by Richard_at_work · · Score: 2, Interesting

    I looked into using Nginx earlier last year for reverse proxy and load balancing, and I have to say that I abandoned it due to the poor documentation - it was insanely hard to get any actual information on settings and configuration beyond sample rules.

  9. About time by ironicsky · · Score: 2, Insightful

    Supporting Apache 1.3 is like Microsoft supporting Windows 98. Apache 1.x is almost 15 years old and Apache 2.x has been out for 10 years. People have had plenty of time to upgrade. It's time to move on.

  10. Re:about time by TheRaven64 · · Score: 4, Interesting

    I found the Lighttpd documentation quite good. It was certainly easier to set up (for me) than Apache. The simple vhosts mechanism is great; just create a new directory (or symlink) for each vhost. No need to edit the configuration files.

    --
    I am TheRaven on Soylent News
  11. Re:I would like to see 1.3 stay by lofoforabr · · Score: 2, Insightful

    Although 1.3 certainly has a smaller memory footprint without some features I don't need, I usually try to get the best from both worlds. For my applications, I normally use the latest apache, and leverage its memory usage by using any of the following:

    • Offloading static content to a lighter web server, like lighttpd;
    • Using a cache layer in the application itself, to avoid high memory consumption (in PHP or whatever language);
    • Getting a reverse proxy in front of all of it (squid does a remarkable job).

    Not all of them are required in every application, but if it starts to grow, staying with just apache isn't normally a good solution.

  12. Re:Fully backwards compatible, or dead end. by shutdown+-p+now · · Score: 4, Insightful

    There's no way I can subscribe to the notion that Apache developers (or anyone, really) have an ethical obligation to keep maintaining a 10 year old codebase with any kind of implied guarantee. If there was a contract in place requiring that, then sure; but there isn't such a thing here.

    Any people using Apache 1.3 should have really seen this coming, and there's absolutely no excuse not to. It's the standard way of doing things in this industry, and if anything, the term was already waaay longer than is common.

    Furthermore, the options are also fairly obvious:

    1. Upgrade your environment to 2.2 (or pay someone to do so for you and accept responsibility).

    2. Keep maintaining 1.3 on your own (or pay someone to do so for you and accept responsibility).

    3. Migrate to a different server (or pay... you get the idea).

    Now you also say that:

    they don't have the funds or possibility to upgrade by themselves

    to which I can only reply, "too bad, they should have engaged their brains at some point in the past - they had 10 years to do so". If they're screwed, they have absolutely no-one to blame but themselves.

    Of course, in reality, when they realize that the FOSS white knight in shining armor won't save their ass by continuing to provide them quality software for free this time, you can bet the funds will suddenly be found. Furthermore, I suspect that the vast majority of those people would actually go with option #1, and just upgrade to 2.2 (and also learn their lesson to keep up with the update curve to a reasonable extent to minimize "late upgrade" expenses).

    Or maybe, if there are really that many 1.3 users who absolutely won't move to 2.2, and each one has so little money they can't pay anyone to get them to move to anything else, either (where are they hosting? in the basement?), then, well, the beauty of FOSS is that they can also come together, form some sort of non-profit funded by all of them - with minimal amount of contribution from each - that would hire people to fork and maintain 1.3 for the benefit of all.

    Or maybe they can just donate to OpenBSD.

    In any case, if people "don't have the means or resources" (which ultimately means "money") to do their business, then they shouldn't stay in that business - it really is as simple as that.