Re: mod_wasm: Contributing Upstream to Apache

2023-06-01 Thread Dan Ehrlich via dev
Hi:

Can I be unsubscribed from this list?

Have sent previous messages following all the instructions on this page but
to no avail:
https://httpd.apache.org/userslist.html.


Best,

Dan

On Fri, Jan 27, 2023 at 11:36 AM Jesús González wrote:

> Thanks Joe. You are correct, this initial implementation is the simplest
> one to get it off the ground. We plan to continue development and add the
> streaming functionality, which we know we will need for things like large
> PDF file generation or support for Proxy-Wasm.
>
>
>
> Yes, isolating language runtimes (PHP, Python, ...) per thread is a cool
> feature that enables new possibilities like simultaneously supporting
> multiple versions of PHP as well as better multi-tenancy (you will be able
> to keep user's code and assets separate from each other using Wasm built-in
> isolation mechanism).
>
>
>
> Regarding apreq, right now we have not had a need to use it as we pass
> most of the headers and body to the runtimes themselves as the language
> runtimes code for handling requests, etc. takes care of it as part of the
> CGI implementation, etc. As we look to add different functionality (i.e.
> extending Apache itself) we will probably provide access to it from Wasm.
>
>
>
>
>
> *From: *Joe Schaefer
> *Reply-To: *"dev@httpd.apache.org"
> *Date: *Thursday, January 26, 2023, 5:17
> *To: *"dev@httpd.apache.org"
> *Subject: *Re: mod_wasm: Contributing Upstream to Apache
>
>
>
> Still, the idea is wicked cool if mod_wasm really can isolate the Python,
> PHP, etc targets onto individual POSIX threads.
>
>
>
> Very exciting stuff for HTTP/2 Webapps.
>


Re: Changing the httpd security process

2020-08-17 Thread Dan Ehrlich
Wait isn't Mark Cox the guy currently under investigation by MI5 for
something something hacking on behalf of the Ministry of State Security for
the PRC? Something to do with subverting encryption globally.

That's partially why Huawei donated so much to OpenSSL, they get the 0 days
seven days in advance. Something to do with this:

https://www.openssl.org/blog/blog/2020/05/12/security-prenotifications/

"include the option of us giving prenotification to companies with which we
have a commercial relationship"

Whitehurst and Cormier are aware of this as the American FBI talked to them
last week.



On Mon, Aug 17, 2020 at 8:06 AM Mark J. Cox wrote:

> > > This roughly reverts the httpd process to what we used prior to adopting
> > > the Tomcat-esque policy for the whole ASF.  We would have to document
> > > this and possibly need it approved by the ASF security team.
> >
> > Not sure if we need to have it approved, but at least we should discuss
> > with the ASF security team.
>
> https://s.apache.org/cveprocess allows projects to deviate from the
> default policy with "review" from the ASF security team.  So once you have
> agreement have the PMC present the proposed policy.
>
>
>
> This is not an uncommon plan; outside of ASF, projects such as OpenSSL have
> similar policies where lower severity issues (low/moderate) are committed
> as security fixes prior to and independently of releases.  Dealing with
> security issues in private is a pain in both the process and getting the
> right fix with limited reviewers.  It's worth that pain when the issue is
> an actual risk to users, less so for the low risk issues.
>
>
>
> Mark
>
>


Re: please care and vote for Chinese people under cruel autocracy of CCP, great thanks!

2019-08-28 Thread Dan Ehrlich
Ant:

Thank you very much for your courage.

All:

The CCP is not communist. If they were that would be fine. They are a
totalitarian government of incredible horror. They also control over 20% of
the world's population with technology orders of magnitude more powerful
than what existed during the regimes of the last century.

For years they've shored up their finances via organ harvesting. The
ultimate purpose of the Muslim camps in Xinjiang
<https://www.cnn.com/2019/01/18/asia/uyghur-china-detention-center-intl/index.html>
is to harvest the organs of over 2 million people, and to generate nearly 1
trillion dollars in revenue before the Chinese bubble finally bursts,
taking the rest of the world's economy along with it. These organs include
those from children, whose organs are particularly valuable due to their
healthy condition, and the fact that children often need multiple organ
transplants compared to adults before their body accepts it.

For context it was the development of ECMO technology
<https://www.ncbi.nlm.nih.gov/pubmed/26987689> over the last few years that
made this harvesting extremely powerful.


Best,

Dan Ehrlich
San Antonio, TX
https://linkedin.com/in/danehrlich


On Thu, Aug 29, 2019 at 12:05 AM ant_fighter wrote:

> Hi all,
> Sorry for disturbing you guys. Though I don't think here as a proper place
> to do this, I need your help, your vote, your holy vote, for us Chinese,
> for conscience and justice, for better world.
>
> In the over 70 years of ruling over China, the Chinese Communist Party has
> done many horrible things humans can think of. These malicious and evil
> deeds include but are not limited to: falsifying national history,
> suppression of freedom of speech and press, money laundering in the scale
> of trillions, live organ harvesting, sexual harassment and assault to
> underaged females, slaughtering innocent citizens with
> counter-revolutionary excuses, etc.
>
> In light of the recent violent actions to Hong Kongers by the People's
> Liberation Army (PLA) disguised as Hong Kong Police Force, we the people
> petition to officially recognize the Chinese Communist Party as a terrorist
> organization.
> PLEASE SIGNUP and VOTE for us:
>
> https://petitions.whitehouse.gov/petition/call-official-recognition-chinese-communist-party-terrorist-organization
>
> Thanks again for all!
>
> nameless, an ant fighter
> 2019.8.29
>


Re: ApacheCon call for presentations, httpd content

2019-05-08 Thread Dan Ehrlich
I would like to give a presentation on hardening / security if possible. 

I realize this is broad and a little simple for a conference, but the last 
extensive Apache Security Book was in 2009. 

It is in no way ready yet and I am extremely self-conscious, but some possible 
topics that I have written about here and there and could combine:
 
- set many many HTTP security headers (there are 9 you can do in Chrome now)
- an updated SSLCipherSuite list
- the importance of using ECDHE keys when possible 
- how to properly structure your /var/www folder regarding static content, 
executables, uploads, and downloads. 
- Using both a reverse proxy firewall along with outbound exfiltration
scanning with ModSecurity
- GeoIP Blocking with the new MaxMind API within Apache2
- FollowSymLinks danger and how to remediate
- other things 
- any suggestions ppl have or areas they suggest I research :)


> On May 8, 2019, at 12:55 PM, jean-frederic clere wrote:
> 
>> On 04/05/2019 11:53, Stefan Eissing wrote:
>> 
>>> On 02.05.2019 at 16:39, Daniel Ruggeri wrote:
>>>
>>> Personally, I'd like to see a presentation on using mod_md, and perhaps
>>> something on the benefits of, and use of, http2 in httpd?
>> 
>> If anyone wants to present about that and has questions, I'm happy to help.
>> 
>> -Stefan
>> 
> 
> What about HTTP/3? There is https://github.com/ngtcp2/nghttp3, do you
> plan to work on it?
> 
> I have a mod_proxy for tomcat, http/2 or 3 for tomcat, I can do a
> mod_md/Let's Encrypt one for httpd (someone else will do the tomcat one)
> 
> -- 
> Cheers
> 
> Jean-Frederic