On 5/28/21 9:45 AM, Stefan Eissing wrote:
>
>
>> On 28.05.2021 at 03:42, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> On Thu, May 27, 2021, 07:52 Eric Covener <cove...@gmail.com> wrote:
>> On Thu, May 27, 2021 at 8:45 AM Rainer Jung <rainer.j...@kippdata.de> wrote:
>>
>>> is my understanding correct, that even httpd trunk (and then also 2.4.x)
>>> needs LDAP support in APR/APU to build mod_ldap and mod_authnz_ldap?
>>>
>>> So since we removed LDAP support from APR trunk, that means those
>>> modules currently cannot be built using APR trunk, neither in httpd
>>> trunk nor in httpd 2.4.x. Correct?
>>
>> I think this is correct. This was a pretty heated/sore issue to my
>> recollection. Only the removal got done.
>>
>> That's nearly correct.
>>
>> The port to ap_ namespace was composed and committed to httpd trunk, by
>> myself. And in the heat of the argument, vetoed by the obvious party, so I
>> reasonably promptly reverted that, without a few minor tweaks that were
>> still necessary across various platforms or httpd build scenarios.
>>
>> But you can find nearly all the necessary work on httpd trunk history, if
>> there's a desire to resurrect the ability for httpd to survive an apr 2
>> release. It didn't matter for PCRE, so I don't know that it is a priority.
>>
>> Any discussion w.r.t. apr project belongs at that project, if there's a
>> desire to cause some action there. Based on observations of the huge scale
>> of Curl vulnerabilities (which hit us for mod_md, because that is libcurl,
>> as opposed to serf or something straightforward as the letsencrypt client),
>> and on some additional thoughts shared on apr about further modularizing and
>> disconnecting the each-and-every-facility from core apr+util, that would be
>> an interesting discussion to have. But it might have even more additional
>> resistance based on today's security postures, based on dependencies of
>> dependencies security history.
>
> When serf has reached some documentation level comparable to curl, I will
> have a look. I encapsulated the curl dependency in mod_md quite well and it
> should be easy to provide an alternate implementation to someone who is able
> to understand serf. I hope I do not give the impression that I would stop
> anyone from adding this.
>
> Back to the beef:
>
> Do I understand this correctly that we have a divergence in features between
> APR and AP with APR2 losing support for something AP uses (LDAP) and AP not
> willing/able/no time to add this to its code base?

The first step of this discussion is where such support belongs. On the APR side
two things popped up back then:

1. The LDAP support was incomplete, as you can see by the fact that you need to
   deal with LDAP library details within httpd.
2. There was some discussion whether there was sufficient support by the APR
   community for LDAP support, and especially for the needed work that evolves
   LDAP in APR to get to complete support. Furthermore, there were different
   opinions on the value of LDAP support in APR, given that httpd seems to be
   the only consumer of this feature.

As there is quite some overlap between the APR and httpd communities, some people
who are in both communities and who thought that this belongs in APR vetoed an
import of the code from APR into httpd. On the other side, the code was removed
from APR trunk. As APR 2.0 is not released, LDAP support remained in APR-UTIL 1.x,
and as even httpd trunk still works with APR-UTIL 1.x, the topic stayed at this
state, as in practice LDAP support is still there.

As said, this all happened about 10 years ago and I might remember single things
wrongly. For more gory details I can only point to the list archives of httpd
and APR.

With regards to moving this forward: It still needs to be decided where this
support belongs and who will do the needed work in the respective community to
make it reality.

My personal view is that I would like to see this in APR just like the DBD and
Crypto stuff, but as I have no time to offer to make something happen, I keep
myself calm in this discussion.

Regards
Rüdiger