>That's nice. They can use Apache however they want. "using Apache" in
>some special way, however, _DOESN'T_ have anything to do with what
>should appear in the Server: string. It is not for saying "we are cool dudes".
>It is not for saying "we have lots of special CGIs" or "we serve all
>content from netapps" or "we run lots of virtual hosts" or "we have really
>big config files".

I don't think anyone here suggested anything even remotely similar
to your apparently-facetious examples. I certainly didn't. I agree
that it's not for frivolous stuff; I don't think anyone suggested it
was.

>It is about the name of the webserver (ie. Apache) plus any large or
>significant components added to it. You can not add a significant
>component without adding a module or hacking the source.

Ah. If someone's a source hacker, even if only to the extent of
futzing with -DSERVER_SUBVERSION without doing anything else, that's
cool? Otherwise he's scum and has no right to touch the setting?
:-) Should we also get rid of SERVER_SUBVERSION? After all,
modules can use ap_add_version_component(), and source hackers can
frob SERVER_BASEVERSION directly, so what point is there now to
SERVER_SUBVERSION? Of course, if they want to change something and
hack at SERVER_BASEVERSION, there's a reasonable chance they'll
throw out the "Apache/1.xxx" string altogether and substitute their
own..

> You can not add a significant
>component without adding a module or hacking the source.

I can't think of a definite way, either - but I'm not so convinced
of my omniscience that I'll speak in absolutes. Someone always
finds a way to upset assumptions.

From RFC2068 on the subject:

>14.39 Server
>
> The Server response-header field contains information about the
> software used by the origin server to handle the request. The field
> can contain multiple product tokens (section 3.8) and comments
> identifying the server and any significant subproducts. The product
> tokens are listed in order of their significance for identifying the
> application.
>
> Server = "Server" ":" 1*( product | comment )
>
> Example:
>
> Server: CERN/3.0 libwww/2.17
>
> If the response is being forwarded through a proxy, the proxy
> application MUST NOT modify the Server response-header. Instead, it
> SHOULD include a Via field (as described in section 14.44).
>
> Note: Revealing the specific software version of the server may
> allow the server machine to become more vulnerable to attacks
> against software that is known to contain security holes. Server
> implementers are encouraged to make this field a configurable
> option.

The 'this SHOULD be a configurable option' appears elsewhere, also,
but I think the intent is that it be configurable OFF.

The phrase I've been thinking about is 'software used to handle the
request.' I don't see that as being limited to httpd and its
builtins. I also don't think that we should be the final arbiters
of what comprises a 'significant subproduct'.

But Dean's vetoed it, so let's not waste any more time on this
unless there's a significant number of requests for it - and Dean
reconsiders. :-)

#ken P-)}
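
Added example, not part of the original message or of Apache's code: a parser for the Server field grammar quoted above from RFC 2068 (product tokens plus nestable comments), with a helper that lists the product tokens carrying a version, which is the disclosure the RFC's note warns about. The function names are hypothetical, and every sample value other than the RFC's own "CERN/3.0 libwww/2.17" is constructed.

```python
import re

# RFC 2068 section 2.2: a token is 1*<any CHAR except CTLs or tspecials>.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2068 section 3.8: product = token ["/" product-version]
PRODUCT = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")


def _read_comment(value, pos):
    """Return (text, next_pos) for the comment that opens at value[pos] == '('."""
    depth, i = 0, pos
    while i < len(value):
        ch = value[i]
        if ch == "\\":            # quoted-pair: skip the escaped character
            i += 2
            continue
        if ch == "(":             # comments may nest
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return value[pos + 1:i], i + 1
        i += 1
    raise ValueError("unterminated comment in Server field")


def parse_server(value):
    """Split a Server field value into ('product', name, version) and ('comment', text)."""
    items, pos = [], 0
    while pos < len(value):
        if value[pos] in " \t":
            pos += 1
        elif value[pos] == "(":
            text, pos = _read_comment(value, pos)
            items.append(("comment", text))
        else:
            m = PRODUCT.match(value, pos)
            if not m:
                raise ValueError(f"invalid character at offset {pos}")
            items.append(("product", m.group(1), m.group(2)))
            pos = m.end()
    if not items:                 # grammar requires 1*( product | comment )
        raise ValueError("Server field needs at least one product or comment")
    return items


def disclosed_versions(value):
    """Product tokens that include a version, in the order the server listed them."""
    return [f"{i[1]}/{i[2]}" for i in parse_server(value) if i[0] == "product" and i[2]]
```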