httpd-dev mailing list archives

From c...@decus.org (Rodent of Unusual Size)
Subject Re: cvs commit: apache-1.3 STATUS
Date Fri, 08 May 1998 21:14:42 GMT
>That's nice.  They can use Apache however they want.  "using Apache" in
>some special way, however, _DOESN'T_ have anything to do with what
>should appear in the Server: string.  It is not for saying "we are cool dudes".
>It is not for saying "we have lots of special CGIs" or "we serve all
>content from netapps" or "we run lots of virtual hosts" or "we have really
>big config files".

    I don't think anyone here suggested anything even remotely similar
    to your apparently-facetious examples.  I certainly didn't.  I agree
    that it's not for frivolous stuff; I don't think anyone suggested it
    was.

>It is about the name of the webserver (ie. Apache) plus any large or
>significant components added to it.  You can not add a significant
>component without adding a module or hacking the source.

    Ah.  If someone's a source hacker, even if only to the extent of
    futzing with -DSERVER_SUBVERSION without doing anything else, that's
    cool?  Otherwise he's scum and has no right to touch the setting?
    :-)  Should we also get rid of SERVER_SUBVERSION?  After all,
    modules can use ap_add_version_component(), and source hackers can
    frob SERVER_BASEVERSION directly, so what point is there now to
    SERVER_SUBVERSION?  Of course, if they want to change something and
    hack at SERVER_BASEVERSION, there's a reasonable chance they'll
    throw out the "Apache/1.xxx" string altogether and substitute their
    own.

>                                     You can not add a significant
>component without adding a module or hacking the source.

    I can't think of a definite way, either - but I'm not so convinced
    of my omniscience that I'll speak in absolutes.  Someone always
    finds a way to upset assumptions.

    From RFC2068 on the subject:

>14.39 Server
>
>   The Server response-header field contains information about the
>   software used by the origin server to handle the request. The field
>   can contain multiple product tokens (section 3.8) and comments
>   identifying the server and any significant subproducts. The product
>   tokens are listed in order of their significance for identifying the
>   application.
>
>          Server         = "Server" ":" 1*( product | comment )
>
>   Example:
>
>          Server: CERN/3.0 libwww/2.17
>
>   If the response is being forwarded through a proxy, the proxy
>   application MUST NOT modify the Server response-header. Instead, it
>   SHOULD include a Via field (as described in section 14.44).
>
>     Note: Revealing the specific software version of the server may
>     allow the server machine to become more vulnerable to attacks
>     against software that is known to contain security holes. Server
>     implementers are encouraged to make this field a configurable
>     option.

    The 'this SHOULD be a configurable option' appears elsewhere, also,
    but I think the intent is that it be configurable OFF.

    The phrase I've been thinking about is 'software used to handle the
    request.'  I don't see that as being limited to httpd and its
    builtins.  I also don't think that we should be the final arbiters
    of what comprises a 'significant subproduct'.

    But Dean's vetoed it, so let's not waste any more time on this
    unless there's a significant number of requests for it - and Dean
    reconsiders. :-)

    #ken    P-)}

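Added example (my own code, not Apache's and not part of the message above): a parser for the Server production quoted from RFC 2068, Server = "Server" ":" 1*( product | comment ), plus a reduction that keeps only the leading product name, the "configurable OFF" behaviour the RFC note encourages. The sample header value and the minimal_server helper are constructed for illustration; the token and nested-comment syntax follow RFC 2068 section 2.2.

```python
import re

# Constructed sample value, not from the original message.
SAMPLE_FULL = "Apache/1.3.0 (Unix) mod_perl/1.12 PHP/3.0 (some vendor build)"
# RFC 2068 token: one or more chars that are not CTLs, SP or tspecials.
_TOKEN_RE = re.compile(r'[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+')


def parse_server(value):
    """Split a Server: value into ('product', name, version) and
    ('comment', text, '') tuples in header order (most significant first).
    Comments may nest, as RFC 2068 section 2.2 allows."""
    items, i, n = [], 0, len(value)
    while i < n:
        if value[i] in ' \t':            # whitespace between items
            i += 1
        elif value[i] == '(':            # comment, possibly nested
            depth, start = 0, i
            while i < n:
                depth += {'(': 1, ')': -1}.get(value[i], 0)
                if depth == 0:
                    break
                i += 1
            if depth != 0:
                raise ValueError("unbalanced comment at offset %d" % start)
            items.append(('comment', value[start + 1:i], ''))
            i += 1
        else:                            # product = token ["/" product-version]
            m = _TOKEN_RE.match(value, i)
            if not m:
                raise ValueError("bad character %r at offset %d" % (value[i], i))
            name, i, version = m.group(0), m.end(), ''
            if i < n and value[i] == '/':
                mv = _TOKEN_RE.match(value, i + 1)
                if not mv:
                    raise ValueError("missing product-version at offset %d" % i)
                version, i = mv.group(0), mv.end()
            items.append(('product', name, version))
    if not items:
        raise ValueError("Server value needs at least one product or comment")
    return items


def minimal_server(value):
    """Keep only the most significant product name, dropping its version, all
    subproducts and comments (an illustration, not Apache's own mechanism)."""
    for kind, name, _ in parse_server(value):
        if kind == 'product':
            return name
    raise ValueError("no product token in Server value")
```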