httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject [STATUS] (apache-1.3) Wed Mar 4 23:45:34 EST 1998
Date Thu, 05 Mar 1998 04:45:35 GMT
Apache 1.3 STATUS:

Release:

    2.0  : In pre-alpha development
	    see: <http://www.arctic.org/~dgaudet/apache/2.0/process-model>
    1.3b6: in development
    1.3b5: Tagged APACHE_1_3b5 and released
    1.3b4: Internal version... not tagged or released.
    1.3b3: Released and announced
    1.3b1: There is no 1.3b1

Current Modes:

    o Commit-Then-Review (see <http://dev.apache.org/guidelines.html#ctr>)

Plan:

Showstoppers:

Committed Code Changes:
    * Dean's `const'-change to os_is_path_absolute().
    * Security patch for "UserDir /abspath" without a * in the path. PR#1701
    * Dean's cleanup of race conditions in Unix child_main
    * Dean's fixes for better handling of various errors from select() and
      accept() in child_main(). PR#1747, 1107, 588, 1787, 987, 588
    * Dean's add of -lm to LIBS for HPUX. PR#1639
    * Ralf's remove of obsolete "dist.tar" target from Makefile.tmpl
    * Dean's fixes for some inconsistencies in <Files> semantics. PR#1817
    * Dean's <Files> is not permitted within <Location>. PR#379
    * Dean's and Martin's fix of </Files> 
    * Fix for mod_mime_magic error messages. PR#1827
    * Workaround for using RLIMIT_AS for the RLimitMEM directive. PR#1816
    * Doug's patch to bind a process to a single processor under AIX
    * Martin's patch for mod_info to fix HTML markup
    * Martin's changes to the check_cmd_context() function 
    * Patch for the ap_cpystrn() off-by-1 error
    * Dean's fix for multiple UserDir problem introduced during 1.3b4-dev.
    * Dean's fix to problems with absoluteURIs.
    * Dean's patch to use SA_RESETHAND or SA_ONESHOT for coredump handlers.
    * Patch to recognize FreeBSD versions. PR#1450
    * Workaround in mod_status for NeXT's running not m68k chips
    * Fix for -X situation to honor the SIGINT or SIGQUIT signals
    * Patch to hide Proxy-Authorization from CGI/SSI/etc
    * Ralf's new ProxyPassReverse directive for mod_proxy
    * Ralf's add of new RewriteMap types: rnd and int. PR#1631
    * Fix regex handling for mod_setenvif BrowserMatch command. PR#1825
    * Ralf's fix for assumptions on the username characters in mod_rewrite
    * Paul's merge of os/win32/mod_dll.c into modules/standard/mod_so.c
    * Paul's patch for reading the server-root from the NT registry
    * Ralf's fix for locking of `RewriteMap' programs. PR#1029
    * Dean's fix for the `config with no Port setting' situation
    * Ralf's fix for `RewriteMap' program handling. PR#1431
    * Ralf's fix for the initialization of RewriteLogLevel. PR#1325
    * Ralf's mod_rewrite meta-construct expansion inconsistency fix
    * Martin's new URI parsing stuff (the source module main/util_uri.c)
    * New `%a' construct for LogFormat and CustomLog. PR#1885
    * Ralf's `Rule HIDE' feature for hiding the symbol namespace
    * Make \\ behave as expected.
    * Fix for "poly" directive in image maps. PR#1771
    * Reduce memory usage, and speed up ServerAlias support. PR#1531
    * Dean's cleanup of code in http_vhost.c and vhost-stuff in mod_rewrite.c
    * Dean's rewrite of absoluteURI handling vhost matching
    * Dean's new mod_test_util_uri.c 
    * back out USE_PTHREAD_SERIALIZED_ACCEPT for solaris
    * Ken's abstraction of SERVER_{BUILT,VERSION}
    * Ken's fix for os/unix/os.h and the new -DHIDE functionality
    * Ralf's Config File Line Continuation
    * Ralf's Reanimation of DBM support for RewriteMap in mod_rewrite
    * Ralf's fix for the `<VirtualHost> w/o mod_rewrite' situation. PR#1790
    * Mark's fix for ProxyPass/ProxyRequests interaction broken by uri stuff

Available Patches:

    * M.D.Parker's [PATCH] mod_status/1448: Status Information have version
	<Pine.LNX.3.95dg3.971121113953.29532D-100000@twinlark.arctic.org>
	Status: Dean +1, Martin +0 (duplicates /server-info?server),
		Alexei -1 (shared lib concerns)

Concepts:

    * Ralf's [CONTRIB] AutoConf Interface Emulation
        <199803020729.IAA20122@en1.engelschall.com>
        (idea: GNU-style {configure,Makefile.tmpl} replaces existing 
        but incomplete {Makefile,src/helpers/InstallApache}) 
        Status: Ralf +1   (for 1.3.0 because either now or better never to
                           avoid confusion later in the release cycle)
                Jim +1    (for 1.3.1 on concept)
                Jim -1    (for 1.3.0 because too late)
                Randy -1  (too late for 1.3 in general)
                Ken -1    (for 1.3.0 in general)

    * Dean's [PRE-PATCH] expanding ap_snprintf()
	<Pine.LNX.3.95dg3.971023233600.4431I-100000@twinlark.arctic.org>
	Status: Dean +1, Ben +1, Jim 0, Martin 0, Brian +1(?), Ken +1
	See <Pine.LNX.3.95dg3.971024175935.25347U-100000@twinlark.arctic.org>
	for a more up-to-date idea (int vformatter) that has a
	vote of +1 from Dean, Ben, Martin, Paul, Jim, and Ken for concept

In progress:

    * Dean's [PATCH] yet another slow function
        <Pine.LNX.3.95dg3.980106142612.1054W-100000@twinlark.arctic.org>
	Status: Dean +1, Jim +1, Martin +1, Paul +1
	Needs to be redone so that it better supports non-ascii hosts.

    * Ken's IndexFormat enhancement to mod_autoindex to allow
      CustomLog-like tailoring of directory listing formats

Needs patch:

    * Dean's "locale" project
	See <Pine.LNX.3.95dg3.971219001345.7010F-100000@twinlark.arctic.org>
    
    * os_ abstract is_only_below() in mod_include.c

    * proxy security fixes from 1.2.5 need to be brought forward

    * Documentation for:
      1) htdocs/manual/sourcereorg.html and other files should mention 
         new mod_so capabilities.
      2) windows.html should be cleaned up.

    * uri issues (dean will do unless someone else wants 'em):
	- RFC2068 requires a server to recognize its own IP addr(s) in dot
	notation, we do this fine if the user follows the dns-caveats
	documentation... we should handle it in the case the user doesn't ever
	supply a dot-notation address.

Closed issues:

    * Removal of inetd mode
	Ken says he'll try to maintain it, since there are
	people/places who need it

    * The decision has been made to experiment with allowing code
      changes to be committed without prior review.

    * Guidelines for commit-then-review are documented at
      <http://dev.apache.org/guidelines.html#ctr>

    * The "apache" CVS module has been renamed to "apache-1.2" and the
      "apachen" module to "apache-1.3".  "apache-1.3" has been copied
      to "apache-2.0", but whether that's appropriate or not is
      under discussion.  A couple of people want that module to
      start empty rather than full of 1.3's stuff.

Open issues:

    * Provide consistent prefixes; suggestions:

      Apache provided general functions (e.g., ap_cpystrn)
	ap_xxx: Ken +1, Brian +1, Ralf +1, Martin +1

      Public API functions (e.g., palloc)
	apapi_xxx: Ken +1, Brian +1, Ralf +1, Martin +1
	appublic_xxx:
	appub_xxx:

      Private functions which we can't make static
      but should be (e.g., new_connection)
	apprivate_xxx:
	appri_xxx: Brian +1
	httpd_xxx: Ken +1
	apint_xxx: Ralf +1 (int = internal)

    * Ken's [POLL] apachen/patches directory
      Shall we experiment with allowing patches to be distributed for
      voting through cvs, by creating a directory under the source tree
      and putting them there?  Please vote.
	<34B8EE39.43F32BE0@Golux.Com>
	Status: Ken +1, Randy 0, Dean 0, Jim +1, Paul 0, Martin +1, Ralf 0

    * Paul would like to see a 'gdbm' option because he uses
      it a lot. Dean notes that 'gdbm' includes 'db' support
      so we need to watch the library ordering.

	Dean notes:  Check rev 1.72 -> rev 1.73 of
	src/Configuration.tmpl.  I re-ordered mod_auth_dbm and
	mod_auth_db at this time, and I'm pretty sure it was to
	deal with this issue.  But I think I still ran into
	troubles if I automatically looked for gdbm.

    * What do we call the binary: apache or httpd? Under UNIX
      it's httpd, under Win32 it's apache. Maybe rename it
      to apache-httpd?
	apache-httpd: Ken +1
        leave it apache: Brian +1, Ralf +1

    * Maybe a http_paths.h file? See
	<Pine.BSF.3.95q.971209222046.25627D-100000@valis.worldgate.com>
	Dean +1, Brian +1

    * Release builds: Should we provide Configuration or not?
      Should we 'make all suexec' in src/support?
	Ken +1 (possible suexec path issue, though)
        Brian +1

    * root's environment is inherited by the Apache server. Jim, Ken &
      Dean think we should recommend using 'env' to build the
      appropriate environment. Marc and Alexei don't see any
      big deal. Martin says that not every "env" has a -u flag.

    * 206 vs. 200 issue on Content-Length
	See <Pine.BSF.3.95q.971102000930.5555B-100000@valis.worldgate.com>
	Roy says current behavior is correct, but Alexei disagrees.
	Marc sides with Alexei.

    * Marc's socket options like source routing (kill them?)
	Marc, Dean, Martin say Yes

    * Marc's [BUG] include virtual and SCRIPT_NAME w/path_info
	<Pine.BSF.3.95.970928122038.21692C-100000@alive.znep.com>

    * Ken's PR#1053: an error when accessing a negotiated document
      explicitly names the variant selected.  Should it do so, or should
      the base input name be referenced?

Win32 specific issues:

 Open issues:

    * Should ApacheCore.dll be merged back into the main server
      image?  May make debugging easier..

 In progress:

    * Ben's ASP work... All agree it sounds cool.

    * DDA's adding a tray application to the Windoze version for ease of
      status/management.
	<01BCDB29.2C04DEB0@caravan.individual.com>
	<01BCDB2A.F8C09010@caravan.individual.com>
	Status: Ken +1, Sameer +1, Martin +1, Ben +1 (as long as
	we get a single executable)
	Paul: No like Win95 specific stuff
	Ken: What's W95-specific about it?

 Help:

    * process/thread model
	- need dynamic thread creation/destruction, similar to 
	  Unix process model
	- can't use WaitForMultipleObjects in the same way we
	  do now, since that has a limit of 64(!) objects.  Grr.
	  PR#1665

    * some errors printed by CGIs to stderr don't end up making it
      to the server log unless an extra debugging message is added
      after they run? (PR#1725 indicates this may not be just Win32)

    * bad use of chdir in some places; it isn't thread-specific

    * handle bugs that make it pop up errors on console, ie. segv 
      equiv?  Can we do this?  Need to make it robust.

    * install
	- make installshield work
	- config in cvs tree?
	- install docs, etc.?
	- location for install

    * signal type handling
    	- how to rotate logs from command line?

    * the mutex should be critical-regions, since the current design
      is creating a mess of SO calls that are unnecessary

    * we don't mmap on NT.  Use TransmitFile?

    * CGIs
        - hangs on multiple CGI execution?  PR#1607,1129
    	    Marc can't repeat...
	- docs on how they work w/scripts
	- use registry to find interpreter?
	- WTF is the buffering coming from?
	    - we don't have a way to make non-blocking files on NT!

    * performance

    * documentation:
	- running the server without admin
	- how CGIs work
	- update README.NT
	- short/long name handling
	- better status page on current state of NT for users

    * http_main.c hell
	- split into two files?

    * who should run the service?  Who exactly is the "system account"?

      docs say:

      Localsystem is a very privileged account locally, so you shouldn't run
      any shareware applications there. However, it has no network privileges
      and cannot leave the machine via any NT-secured mechanism, including
      file system, named pipes, DCOM, or secure RPC.

      and:

      A service that runs in the context of the LocalSystem account
      inherits the security context of the SCM. It is not associated with
      any logged-on user account and does not have credentials (domain
      name, user name, and password) to be used for verification. This
      has several implications: [... removed ...]


      That _really_ sucks.  Can we recommend running Apache as some 
      other user?


    * need a crypt() of some sort.
	- sources are easy; problem is export restrictions on DES
	- if we don't do DES, can do md5

    * modules that need to be made to work on win32
        - mod_example isn't multithreaded
	- mod_unique_id (needs mt changes)
	- mod_auth_db.c  (do we want to even try this?  We should have some
          db of some sort... what else can we pick from under win32?)
	- mod_auth_dbm.c
	- mod_info.c (PR re exporting symbols for it...)
	- mod_log_agent.c
	- mod_log_referer.c
	- mod_mime_magic.c (needs access to mod_mime API stage...)

    * do something to disable bogus warnings

WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:

    * SECURITY: PR#1203 still needs to be dealt with for WIN32

    * SECURITY: check if the magic con/aux/nul/etc names do anything
	really bad

    * SECURITY: numerous uses of strcpy and strcat have potential
	for buffer overflow, someone should rewrite or verify
	they're safe
