httpd-dev mailing list archives

From Andrew Wilson <>
Subject Re: So, where do we stand?
Date Wed, 02 Aug 1995 23:45:04 GMT
> Now, in response to Andrew...

Woo, that's me!

>    Date: Wed, 2 Aug 95 22:33:53 BST
>    From: Andrew Wilson <>
>    If there's a possible security flaw introduced as a result of rogue
>    permissions on the scoreboard file then that should really be fixed before
>    things go any further.  ( Zeroable file causing fork bombing perhaps).
> This is a trivial fix... I could easily respin 0.8.6 tonight to
> include it, and this might well be a good idea.

Ok +1 for the fix.

>    If the server eats dogfood on account of Joe Random Web-admin's setting
>    a configuration value too low ( RobH's MAX servers << HARD_SERVER_MAX )
>    then I could live with that provided the conf files carried a strong notice
>    to the effect of 'DONT PRESS THIS BUTTON'.  Ideally of course the server
>    should just NEVER let itself get into that position in the first place.
> Could you and Rob discuss this off-line?  He has vehemently argued
> that he wants to be able to screw himself in precisely this fashion.
> (WRT MaxClients, the strong notice you ask for is present already).

He's a big boy, he can hack the server some if he really wants to play
about with MAX setting.  Anyway he might learn something useful for future
releases.  My concern is only that people shouldn't accidentally be able to
trash their server.  If they recompile a kludge then that's their problem.

I guess this means things are ok.

>    Whatever, it sounds like RobH for one has got a real rat's nest on his
>    hands.  It'd be nice to know things were clear for his HP's before
>    proceeding.
> The question is whether there's something which is preventing the
> scoreboard mechanism from working AT ALL on the HP's.  Worse come to
> worst, I could try this myself after hours with the HPs downstairs
> (though that's a bit more difficult now); the question is whether the
> scoreboard mechanism works at all --- which should be an easy test;
> set MaxClients to some reasonable value, set MaxSpareServers low,
> bombard it with requests, and see if the server pool dies back when
> the pummeling is over.  Rob?
>    Mm, all this aside, Apache just keeps getting better and better.  Yummy.
> Sigh... I've put a whole lot of work into it myself, and I would like
> it to have a larger audience than the members of this mailing list,
> but unless we release it (or if we unreasonably delay releasing it),
> that won't happen.

I think we all appreciate the work you've been doing recently and I'm happy
to have contributed a little, albeit with a few inane suggestions.  You are
of course at liberty to release whatever you want, to whoever you want,
whenever you want.  We all are in this respect since the damned thing's
public property. ;)

However, wanting to release something doesn't make it less likely to be
flawed.  Apache's a complex system now, with a very few elements that might
benefit from a more thorough test.  The bigger the system gets the more
testing it needs and so the more the time that is needed before a release.
Getting frustrated by the wait is all a part of this.

> If it's worth showing off, let's show it off.  If it isn't, let's
> quit.

You don't want to quit do you?  Nope, I didn't think so.  So show it off.
I'm happy with the server now.  I wouldn't mind it being released.

> rst

     Andrew Wilson	     URL:
Elsevier Science, Oxford   Office: +44 01865 843155    Mobile: +44 0589 616144
