> From: Leif W [mailto:[EMAIL PROTECTED] > Sent: Thursday, February 10, 2005 3:10 PM [...] > It's already a huge list of workaround and compatibility and portability for > an admin could be a nightmare. I do not know if there are even more security > wrappers needed for other language modules. Can anyone add to the list some > things which might commonly be used in concert? Is there any "direction" > given > from "the top" of the Apache group in regards to what gets attention?
No, there is not. The committers are free to work on what they want. > In the message on the suPHP list, it is implied that there is in general a > mentality that security is not a priority Given the way we handle security issues I don't think this remark will hold water. > (at least regarding setuid per request as perchild MPM would like to do), Apparently there are a lot of people with the itch, but nobody scratching it. > only competing with MS/IIS. Not even that. I mean, it's fun to watch our marketshare rise every month, but that's not what the ASF is all about. > I'm not implying anything, I don't know what to believe, so that's why I ask. > I'm just trying to understand where the breakdown is. A feature that people > want, the lack of which spawns a sloppy slew of incompatible workarounds, but > no one around to respond and code it or fix what's available. Well, we are volunteers you know ;). I'm sure you could find someone to work on perchild on a contract basis, making your itch (one of) the developers itch. Or even an external party who would submit patches. > The strength of Apache was always *nix, so why abandon security on *nix for > the sake of portability to Windows? There's more to it than just portability to Windows. > It's the natural impression given by first glance of the timeline of events, > not an accusation. Or is it just coincidence that someone (or many people) > lost interest in perchild and there's been noone to pick up the slack, Correct. > and other people just happened to want to increase portability to windows? Portability in general. But this is all contained in the APR project, on top of which httpd-2.x is built. Also people worked on a lot of other things during last year. Just look at the Changelog, the commit messages etc, to see what I mean. > I mean, I like having a windows port, because I can at least practice using > Apache somewhat, and it expands the development platform, but I won't ever, > ever, EVER run it on Windows in production, simply because I'd never run > Windows in production. Not all administrators are in a position where they can refuse to run Windows. > Except insofar as to show Windows users a shining example of free software, > and offer the idea of using an entire OS filled with shining examples of free > software engineering. > ;-) Toungue in cheek of course, with the ugly little problems such as this > code abandonment of vital features at the back of my mind. Well, what is vital depends on context. Apparently it isn't as vital, since 2.x is certainly used without this vital mpm. Agreed, it would be very nice to see perchild development picked up again. Or metux integrated in the main distro (it'd need review and all that, and ofcourse desire from the metux developers to do so). For me personally, it isn't a big enough itch to start scratching it. Proxy and caching are a lot higher on my personal agenda. As are some other features I still am desperately seeking the time for to work on. > I don't mean to > start an OS flame war, so please don't respond with that in mind. :-) If > other > people would like to use Windows, it takes nothing away from me, I'm just > stating opinion based on my own interaction and experience with Apache, Win, > and > *nix (Linux & FreeBSD). The problem is that you drag in the *nix vs Windows argument. Why do we need to bother with that at all? Sander
