Return-Path: Delivered-To: new-httpd-archive@hyperreal.org Received: (qmail 11323 invoked by uid 6000); 26 Mar 1998 04:47:40 -0000 Received: (qmail 11313 invoked from network); 26 Mar 1998 04:47:38 -0000 Received: from ns2.remulak.net (HELO Mail.Golux.Com) (coar@198.115.138.27) by taz.hyperreal.org with SMTP; 26 Mar 1998 04:47:38 -0000 Received: (from coar@localhost) by Mail.Golux.Com (8.8.5/8.8.5) id XAA16297; Wed, 25 Mar 1998 23:45:36 -0500 Date: Wed, 25 Mar 1998 23:45:36 -0500 Message-Id: <199803260445.XAA16297@Mail.Golux.Com> From: Rodent of Unusual Size To: Apache HTTP developers Subject: [STATUS] (apache-1.3) Wed Mar 25 23:45:34 EST 1998 X-Note: This is an automated message. Sender: new-httpd-owner@apache.org Precedence: bulk Reply-To: new-httpd@apache.org Apache 1.3 STATUS: Release: 2.0 : In pre-alpha development see: 1.3b6: in development 1.3b5: Tagged APACHE_1_3b5 and released 1.3b4: Internal version... not tagged or released. 1.3b3: Released and announced 1.3b1: There is no 1.3b1 Current Modes: o Commit-Then-Review (see Plan: Showstoppers: Committed Code Changes: * Dean's `const'-change to os_is_path_absolute(). * Security patch for "UserDir /abspath" without a * in the path. PR#1701 * Dean's cleanup of race conditions in Unix child_main * Dean's fixes for better handling of various errors from select() and accept() in child_main(). PR#1747, 1107, 588, 1787, 987, 588 * Dean's add of -lm to LIBS for HPUX. PR#1639 * Ralf's remove of obsolete "dist.tar" target from Makefile.tmpl * Dean's fixes for some inconsistencies in semantics. PR#1817 * Dean's is not permitted within . PR#379 * Dean's and Martin's fix of * Fix for mod_mime_magic error messages. PR#1827 * Workaround for using RLIMIT_AS for the RLimitMEM directive. PR#1816 * Doug's patch to bind a process to a single processor under AIX * Martin's patch for mod_info to fix HTML markup * Martin's changes to the check_cmd_context() function * Patch for the ap_cpystrn() off-by-1 error * Dean's fix for multiple UserDir problem introduced during 1.3b4-dev. * Dean's fix to problems with absoluteURIs. * Dean's patch to use SA_RESETHAND or SA_ONESHOT for coredump handlers. * Patch to recognize FreeBSD versions. PR#1450 * Workaround in mod_status for NeXT's running not m68k chips * Fix for -X situation to honor the SIGINT or SIGQUIT signals * Patch to hide Proxy-Authorization from CGI/SSI/etc * Ralf's new ProxyPassReverse directive for mod_proxy * Ralf's add of new RewriteMap types: rnd and int. PR#1631 * Fix regex handling for mod_setenvif BrowserMatch command. PR#1825 * Ralf's fix for assumptions on the username characters in mod_rewrite * Paul's merge of os/win32/mod_dll.c into modules/standard/mod_so.c * Paul's patch for reading the server-root from the NT registry * Ralf's fix for locking of `RewriteMap' programs. PR#1029 * Dean's fix for the `config with no Port setting' situation * Ralf's fix for `RewriteMap' program handling. PR#1431 * Ralf's fix for the initialization of RewriteLogLevel. PR#1325 * Ralf's mod_rewrite meta-construct expansion inconsistency fix * Martin's new URI parsing stuff (the source module main/util_uri.c) * New `%a' construct for LogFormat and CustomLog. PR#1885 * Ralf's `Rule HIDE' feature for hiding the symbol namespace * Make \\ behave as expected. * Fix for "poly" directive in image maps. PR#1771 * Reduce memory usage, and speed up ServerAlias support. PR#1531 * Dean's cleanup of code in http_vhost.c and vhost-stuff in mod_rewrite.c * Dean's rewrite of absoluteURI handling vhost matching * Dean's new mod_test_util_uri.c * back out USE_PTHREAD_SERIALIZED_ACCEPT for solaris * Ken's abstraction of SERVER_{BUILT,VERSION} * Ken's fix for os/unix/os.h and the new -DHIDE functionality * Ralf's Config File Line Continuation * Ralf's Reanimation of DBM support for RewriteMap in mod_rewrite PR#1696 * Ralf's fix for the ` w/o mod_rewrite' situation. PR#1790 * Mark's fix for ProxyPass/ProxyRequests interaction broken by uri stuff * Rasmus' generation of the new src/include/ap_config.h header file * Dean's fix for mod_mime_magic and files with length 0 * Dean's change to Location and LocationMatch semantics. PR#1440 * Ralf's fix for the flock()<->fork() problematic for RewriteLock's * Dean's Minor cleanup in http_main * Ralf's Various improvements to the configuration and build support * Corrections to the setup of the REMOTE_HOST variable. PR#1925 * Fix for rputs() which did not calculate r->sent_bodyct properly. PR#1900 * Don't tweak TZ envvar if the user has specified an explicit one. PR#1888 * API clarification for command_rec handlers * API clarification for content_type et al * Ralf's mod_so changes to keep track of loaded modules ourself. * Ralf's support for building shared objects even for library-style modules * Performance improvements to invoke_handler(). * Ben Hyde's check to make sure the "Port" range is valid * Ralf's Unbundling mod_proxy and mod_mime (making mime_find_ct obsolete) * Jim's change of -DAUX to -DAUX3 for A/UX * Jim's src/include/ap_config.h wraps it's #define's with #ifndef/#endif's * Dean's Clean up of some undocumented behavior of mod_setenvif * Performance tweak to mod_log_config * Marc's cfg_getline() fix for lines without the termination char * Ralf's Various cleanups to the command line interface and manual pages * Marc's mod_proxy was not clearing the Proxy-Connection header * Dean's API_EXPORT and CORE_EXPORT cleanup for core functions * Ralf's new ApacheBench support program (src/support/ab.c) * Ken's change HIDE default to "yes", always include hide.h * Ralf's major Configure cleanup * Ralf's additional manual pages for the support programs * Ben Hyde's Configure check for unknown command switch * Martin's fix for src/helpers/fp2rp * Ralf's reanim. of undocum. directive: ProxyReceiveBufferSize, PR#1348 * Ralf's mod_proxy fix to use FTP SIZE response for Content-Length, PR#1183 * Ralf's change to make the shared object compilation command more portable * Dean's protect against FD_SETSIZE mismatches * Ralf's fallback stategy because of HIDE for loading shared object modules Available Patches: * Ken's slight reworking of the Apache LICENSE to clarify the restricted nature of usage of the name "Apache" in derived products Status: Ken +1, Paul +1, Ben +1, Jim +1, Randy +1, Roy +1, Chuck +1, MarkC +1, Ralf +1, Sameer +1 * Ralf's Apache 1.3 Autoconf-*style* Interface (APACI) ftp://ftp.apache.org/apache/dist/contrib/apaci/ What stuff does APACI contain? README Documentation with Examples (step 1) INSTALL Reference of Installation Options (step 2) configure The Autoconf-style configure script (step 3) Makefile.tmpl The Makefile controlling anything (step 4) aux/fmn.sh Auxilliary script: find module name aux/install.sh Auxilliary script: install program aux/mkdir.sh Auxilliary script: mkdir program aux/mkshadow.sh Auxilliary script: --shadow support aux/ppl.sh Auxilliary script: --help support Background: Currently Apache 1.3 has no real and flexible batch-configuration procedure and no real out-of-the-box installation procedure although the users expect one. At least the installation procedure is required. For Apache 2.0 we already want something similar to this, but this is too far away. Apache 1.3 will be out for a long time until Apache 2.0 is available and thus we should provide such a installation procedure. Idee: To fill this gap for Apache 1.3 APACI was written from scratch. The goal it addresses is an Autoconf-style(!) but _NOT_ Autoconf-based batch interface for out-of-the-box configuring, building and installing Apache 1.3 by providing a frontend(!) and _NOT_ a replacement to the (more proprietary) src/Configure+src/Configuration stuff while replacing the totally out-of-date and bogus apache-1.3/Makefile+apache-1.3/src/helpers/InstallApache files. In short for the impatient: $ cd apache-1.3 $ ./configure --prefix=PREFIX $ make $ make install $ PREFIX/sbin/apachectl start <<<<====== IMPORTANT! Hints: 1. Because APACI uses a frontend which is named "configure" and supports the Autoconf-style options (especially --prefix, etc.) we provide an interface the users expect and already know for years from the many GNU software packages. The fact that our APACI stuff is not really Autoconf-based(!) is not important here and totally hidden from the user. 2. The "make install" _really_ out-of-the-box installs Apache 1.3 without any user intervention. It does not only install Apache with a GNU-conforming (and thus not filesystem disturbing) installation layout. It additionally creates initial config files, including corresponding LoadModule lines for the built shared objects, etc. And it installs not only the core, it installs the shared objects files, the support programs, the manpages, the initial document root, etc. pp. 3. Because APACI also adjusts the paths in the support scripts and programs the user is able to _IMMEDIATELY_ fire up Apache after "make install" by just running "PREFIX/sbin/apachectl start". THIS IS VERY IMPORTANT, because it gives the first success event to the user. For a really good package the should love this is important. The features APACI actually provides in detail (summary): - runs 100% in batch - can control _any_ options of src/Configuration.tmpl file, including rules, shared object support, etc. - provides additional support for suEXEC, on-the-fly adding of modules, mod_perl, etc. - builds _and_ installs Apache out-of-the-box - user can _immediately_ run Apache the first time after "make install". Important for the first success even of the user!! - is as portable as src/Configure (no shell functions, etc.) - is well documented (README, INSTALL files plus comments) - supports both GNU-conforming installation layout and proprietary Apache installation layout (--compat) - no license conflicts because written from scratch Now for the inclusion of APACI you should remember: - The inclusion of APACI does _not_ change _anything_. - We can only gain from providing such an interface because our current top-level Makefile and src/helpers/InstallApache stuff is nothing more than a bad joke. - It only has one disadvantage for us: we are late in the release cycle and perhaps it causes a few new PRs in the future. But the advantage of having it should be more important. Because APACI is not what we developers want, it is what the users want! Don't forget this, please. We have two obvious ways for APACI to be comitted (each with its own advantage and disadvantage): CV1: The recommended-way commit: README apache-1.3/README.configure INSTALL apache-1.3/INSTALL configure apache-1.3/configure Makefile.tmpl apache-1.3/Makefile.tmpl aux/fmn.sh ==> apache-1.3/src/helpers/fmn.sh aux/install.sh apache-1.3/src/helpers/install.sh aux/mkdir.sh apache-1.3/src/helpers/mkdir.sh aux/mkshadow.sh apache-1.3/src/helpers/mkshadow.sh aux/ppl.sh apache-1.3/src/helpers/ppl.sh Advantages: - the user finds APACI easily because it stays where it is expected to stay: in the top-level - we show that its the official all-in-one interface for Joe Avarage and just have to add some hints to the INSTALL and README files on how to do a custom build the old way in src/. - the "make" process looks clear and obvious by displaying "==> src/xxxx" etc. Disadvantages: - we bristle the source tree a little bit with the APACI files CV2: The closed-area commit: README apache-1.3/apaci/README INSTALL apache-1.3/apaci/INSTALL configure apache-1.3/apaci/configure Makefile.tmpl apache-1.3/apaci/Makefile.tmpl aux/fmn.sh ==> apache-1.3/apaci/aux/fmn.sh aux/install.sh apache-1.3/apaci/aux/install.sh aux/mkdir.sh apache-1.3/apaci/aux/mkdir.sh aux/mkshadow.sh apache-1.3/apaci/aux/mkshadow.sh aux/ppl.sh apache-1.3/apaci/aux/ppl.sh Advantages: - we no not bristle the source tree with APACI files - we mark APACI as an alternative/official interface Disadvantages: - the user doesn't find APACI easily because "configure" is _ALWAYS_ searched at the top-level by the user. - the user is confused and thinks APACI is totally inofficial and thus doesn't use it (acceptance!) - the "make" process looks a little bit ugly because it then displays "==> ../src/xxxx" etc.. To now give a fair voting, either try APACI out by grabbing the distribution from ftp://ftp.apache.org/apache/dist/contrib/apaci/ or at least reading the examples in ftp://ftp.apache.org/apache/dist/contrib/apaci/README. You have time, don't hurry. PLEASE DO NOT QUICKLY VETO IT NOW JUST BECAUSE IT'S SUCH LATE IN THE RELEASE CYCLE. Please be really fair and decide if it is worth or not worth adding it by weighting on the advantages and disadvantages. Votes for including APACI (in general): Ralf +1, Dean +1 Votes for commit variants: CV1: Ralf +1, Dean +1 CV2: Ralf +0 Concepts: * Dean's [PRE-PATCH] expanding ap_snprintf() Status: Dean +1, Ben +1, Jim 0, Martin 0, Brian +1(?), Ken +1 See for a more up-to-date idea (int vformatter) that has a vote of +1 from Dean, Ben, Martin, Paul, Jim, and Ken for concept In progress: * Ken's IndexFormat enhancement to mod_autoindex to allow CustomLog-like tailoring of directory listing formats FINAL RELEASE SHOWSTOPPERS: * proxy security fixes from 1.2.5 need to be brought forward Needs patch: * Dean's "locale" project See * Documentation for: 1) htdocs/manual/sourcereorg.html and other files should mention new mod_so capabilities. 2) windows.html should be cleaned up. * uri issues (dean will do unless someone else wants 'em): - RFC2068 requires a server to recognize its own IP addr(s) in dot notation, we do this fine if the user follows the dns-caveats documentation... we should handle it in the case the user doesn't ever supply a dot-notation address. Closed issues: * Removal of inetd mode Ken says he'll try to maintain it, since there are people/places who need it * The decision has been made to experiment with allowing code changes to be committed without prior review. * Guidelines for commit-then-review are documented at * The "apache" CVS module has been renamed to "apache-1.2" and the "apachen" module to "apache-1.3". "apache-1.3" has been copied to "apache-2.0", but whether that's appropriate or not is under discussion. A couple of people want that module to start empty rather than full of 1.3's stuff. Open issues: * Provide consistant prefixes; suggestions: Apache provided general functions (e.g., ap_cpystrn) ap_xxx: Ken +1, Brian +1, Ralf +1, Martin +1, Paul +1 Public API functions (e.g., palloc) apapi_xxx: Ken +1, Brian +1, Ralf +1, Martin +1, Paul, Dean appublic_xxx: appub_xxx: Private functions which we can't make static but should be (e.g., new_connection) apprivate_xxx: appri_xxx: Brian +1, Dean httpd_xxx: Ken +1 apint_xxx: Ralf +1 (int = internal) * Ken's [POLL] apachen/patches directory Shall we experiment with allowing patches to be distributed for voting through cvs, by creating a directory under the source tree and putting them there? Please vote. <34B8EE39.43F32BE0@Golux.Com> Status: Ken +1, Randy 0, Dean 0, Jim +1, Paul 0, Martin +1, Ralf 0 * Paul would like to see a 'gdbm' option because he uses it a lot. Dean notes that 'gdbm' include 'db' support so we need to watch the library ordering. Dean notes: Check rev 1.72 -> rev 1.73 of src/Configuration.tmpl. I re-ordered mod_auth_dbm and mod_auth_db at this time, and I'm pretty sure it was to deal with this issue. But I think I still ran into troubles if I automatically looked for gdbm. * What do we call the binary: apache or httpd? Under UNIX it's httpd, under Win32 it's apache. Maybe rename it to apache-httpd? apache-httpd: Ken +1 leave it apache: Brian +1, Ralf +1 * Maybe a http_paths.h file? See Dean +1, Brian +1, Paul +1 * Release builds: Should we provide Configuration or not? Should we 'make all suexec' in src/support? Ken +1 (possible suexec path issue, though) Brian +1 * root's environment is inherited by the Apache server. Jim, Ken & Dean thinks we should recommend using 'env' to build the appropriate environment. Marc and Alexei don't see any big deal. Martin says that not every "env" has a -u flag. * 206 vs. 200 issue on Content-Length See Roy says current behavior is correct, but Alexei disagrees. Marc sides with Alexei. * Marc's socket options like source routing (kill them?) Marc, Dean, Martin say Yes * Marc's [BUG] include virtual and SCRIPT_NAME w/path_info Dean says: please put this in the bugdb * Ken's PR#1053: an error when accessing a negotiated document explicitly names the variant selected. Should it do so, or should the base input name be referenced? Dean says: doesn't seem important enough to be in the STATUS... it's probably a pain to fix. * Proposed API Changes: - r->content_language is for backwards compatibility... with modules that may not link any longer without some minor editing. The new field is r->content_languages. Heck it's not even mentioned in apache-devsite/mmn.txt when we got content_languages (note the s!). The proposal is to remove r->content_language: Status: Dean +1, Paul +1 - child_exit() is redundant, it can be implemented via cleanups. It is not "symmetric" in the sense that there is no exit API method to go along with the init() API method. There is no need for an exit method, there are already modules using cleanups to perform this (see mod_mmap_static, and mod_php3 for example). The proposal is to remove the child_exit() method and document cleanups as the method of handling this need. Status: Dean +1, Rasmus +1, Paul +1 Win32 specific issues: Open issues: * Should ApacheCore.dll be merged back into the main server image? May make debugging easier.. In progress: * Ben's ASP work... All agree it sounds cool. * DDA's adding a tray application to the Windoze version for ease of status/management. <01BCDB29.2C04DEB0@caravan.individual.com> <01BCDB2A.F8C09010@caravan.individual.com> Status: Ken +1, Sameer +1, Martin +1, Ben +1 (as long as we get a single executable) Paul: No like Win95 specific stuff Ken: What's W95-specific about it? Help: * process/thread model - need dynamic thread creation/destruction, similar to Unix process model - can't use WaitForMultipleObjects in the same way we do now, since that has a limit of 64(!) objects. Grr. PR#1665 * some errors printed by CGIs to stderr don't end up making it to the server log unless an extra debugging message is added after they run? (PR#1725 indicates this may not be just Win32) * bad use of chdir in some places; it isn't thread-specific * handle bugs that make it pop up errors on console, ie. segv equiv? Can we do this? Need to make it robust. * install - make installshield work - config in cvs tree? - install docs, etc.? - location for install * signal type handling - how to rotate logs from command line? * the mutex should be critical-regions, since the current design is creating a mess of SO calls that are unnecessary * we don't mmap on NT. Use TransmitFile? * CGIs - hangs on multiple CGI execution? PR#1607,1129 Marc can't repeat... - docs on how they work w/scripts - use registry to find interpreter? - WTF is the buffering coming from? - we don't have a way to make non-blocking files on NT! * performance * documentation: - running the server without admin - how CGIs work - update README.NT - short/long name handling - better status page on current state of NT for users * http_main.c hell - split into two files? * who should run the service? Who exactly is the "system account"? docs say: Localsystem is a very privileged account locally, so you shouldn't run any shareware applications there. However, it has no network privileges and cannot leave the machine via any NT-secured mechanism, including file system, named pipes, DCOM, or secure RPC. and: A service that runs in the context of the LocalSystem account inherits the security context of the SCM. It is not associated with any logged-on user account and does not have credentials (domain name, user name, and password) to be used for verification. This has several implications: [... removed ...] That _really_ sucks. Can we recommend running Apache as some other user? * need a crypt() of some sort. - sources are easy; problem is export restrictions on DES - if we don't do DES, can do md5 * modules that need to be made to work on win32 - mod_example isn't multithreadreded - mod_unique_id (needs mt changes) - mod_auth_db.c (do we want to even try this? We should have some db of some sort... what else can we pick from under win32?) - mod_auth_dbm.c - mod_info.c (PR re exporting symbols for it...) - mod_log_agent.c - mod_log_referer.c - mod_mime_magic.c (needs access to mod_mime API stage...) * do something to disable bogus warnings * rfc1413.c has static storage which won't work multithreaded * mod_include --> exec cgi, exec cmd, etc. don't work right. Looks like a code path that isn't run anywhere else that has something not quite right... A PR or two on it. WIN32 1.3 FINAL RELEASE SHOWSTOPPERS: * SECURITY: PR#1203 still needs to be dealt with for WIN32 * SECURITY: check if the magic con/aux/nul/etc names do anything really bad * SECURITY: numerous uses of strcpy and strcat have potential for buffer overflow, someone should rewrite or verify they're safe * SECURITY: os_ abstract is_only_below() in mod_include.c