httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lars Eilebrecht <>
Subject STATUS!
Date Sat, 20 Mar 1999 15:29:09 GMT
  1.3 STATUS:
  Last modified at [$Date: 1999/03/20 15:25:29 $]


    1.3.5-dev: current.
      - Tarball tagging/rolling:  March 20. Saturday (23.00 CET)
      - Release date:             March 22. Monday
      - Announcement:             March 23. Tuesday
      - Release manager:          Lars
      - Win32 release:            Paul

    1.3.4: Tagged and rolled on Jan. 9.  Released on 11th, announced on 12th.
    1.3.3: Tagged and rolled on Oct. 7.  Released on 9th, announced on 10th.
    1.3.2: Tagged and rolled on Sep. 21. Announced and released on 23rd.
    1.3.1: Tagged and rolled on July 19. Announced and released.
    1.3.0: Tagged and rolled on June 1.  Announced and released on the 6th.
    2.0  : In pre-alpha development, see apache-2.0 and apache-apr repository

Binaries (1.3.5):

 Platform                      Avail.  Volunteer
 alpha-dec-osf3.0              no      Sameer Parekh
 alpha-dec-osf4.0              no      Lars Eilebrecht
 arm-linux(Netwinder-ELF)      no      Rasmus Lerdorf
 hppa1.1-hp-hpux               no      Rob Hartill
 i386-slackware-linux(a.out)   no      Sameer Parekh
 i386-sun-solaris2.5           no      Sameer Parekh
 i386-sun-solaris2.7           no      Cliff Skolnick
 i386-unixware-svr4            no      Sameer Parekh
 i386-unknown-freebsd2.1       no      Andrew Wilson, Brian Tao
 i386-unknown-freebsd2.2.8     no      Jim Jagielski
 i686-pc-freebsd3.1            no      Ralf S. Engelschall
 i585-pc-redhat5.2             no      Ralf S. Engelschall
 i386-unknown-linux(ELF)       no      Aram Mirzadeh, Michael Douglass
 i386-unknown-netBSD           no      Lars Eilebrecht, Bill <>
 i386-unknown-sco3             no      Ben Laurie
 i386-unknown-sco5             no      Ben Laurie
 m68k-apple-aux3.1.1           no      Jim Jagielski
 m88k-dg-dgux5.4R2.01          no      Sameer parekh
 m88k-next-next                no      Rob Hartill
 mips-sgi-irix5.3              no      Mark Imbrianco
 mips-sgi-irix6.2              no      Ralf S. Engelschall, Lars Eilebrecht
 mips-sni-svr4                 no      Martin Kraemer
 rs6000-ibm-aix3.2.5           no      Sameer Parekh
 rs6000-ibm-aix4.2             no      Ralf S. Engelschall, Bill Stoddard
 rs6000-ibm-aix4.3.2           no      Bill Stoddard
 sparc-sun-solaris2.5          no      Lars Eilebrecht
 sparc-sun-solaris2.6          no      Lars Eilebrecht, Ralf S. Engelschall
 sparc-sun-solaris2.7          no      Cliff Skolnick
 sparc-sun-sunos4.1.4          no      Michael Douglass
 sparc-sun-sunos4.1.3_U1       no      Sameer Parekh
 sparc-unknown-linux           no      Lars Eilebrecht
 mips-dec-ultrix4.4            no      Sameer Parekh
 mips-unknown-linux            no      Lars Eilebrecht


    * mod_access/3821: check_dir_access(), reads a->order[31]
      => either an if-clause should be added or the M_INVALID changed

    * mod_so/3493: os/unix/os.c dlclose()s objects before module cleanups
      => this is a subtle thing related to pool cleanups, I think.


    * mod_rewrite/3874: RewriteLock doesn't work for virtual hosts 
      => When I find time, I can look at this. But I would appreciate
         when someone other already can dive into this. My opinion
         is already appended to the PR.

    * Randy's proposed changes for binbuild:
      1. Change to build binary only distribution
         Lars: -0

      2. Add 'make dist' target to call
         [Roy: That would require a Makefile, which is what binbuild creates.
               I don't see any point in that.]
         Lars: -1 (Roy explained why)

      3. Create toplevel 'setup' script for install to mirror win32 name
         [It is currently creating ""]

    * long pathnames with many components and no AllowOverride None
        Workaround is to define <Directory /> with AllowOverride None,
        which is something all sites should do in any case.
        Status: Marc was looking at it.

Documentation that needs writing:

Available Patches:

    * Keith Wannamaker's NT multiple services patch
        Message-ID: <>
        Status: Bill +1 (on concept)

    * Jun-ichiro itojun Hagino's [PATCH] IPv6 enable patch
        Message-ID: <>
        Status: Lars +1 (on concept)

    * Jim Patterson's patch to make mod_info work on Win32
        Message-ID: PR#1442
        Status: Lars +1 (on concept)

    * Peter Greis' new '%m' CustomLog option: the time taken to serve the
      request, in milli-seconds.
        Message-ID: PR#2838
        Status: Jim +0 (as is, the patch requires rework since it needs
          to be aware of NO_GETTIMEOFDAY and NO_TIMES as well as
          implement a times() alternative. Not only that, but with
          extended_status, we calculate this anyway).

    * Ronald Tschalär's ap_uuencode() bugfix
        Message-ID: PR#3411
        Status: Lars +1 (on concept), Dirkx +1

    * Juan Gallego's patch to add CSH-style modifiers (:h, :r, :t, :e)
      to mod_include's variable processing.
        Mesage-ID: PR#3246, also available at
        Status: Ken -0 for 1.3/+0 for 2.0, Lars -0 for 1.3
   * Eric Prud'hommeaux's mod_dir mods for file-level access control.
        Message-ID: <>
        Status: Jim -0 (The current behavior seems logical to me. If there
        was more universal interest in changing it, then that would be
        a different matter).

    * Eric Prud'hommeaux's mods for practical negotiation with
      file level access control.
        Message-ID: <>

    * Ronald Tschalär's major update of mod_digest
        Message-ID: <>
        Status: Big change -- needs review.

In progress:

    * Ralf's [PATCH] Shared Memory Pools
        Message-ID: <>
        Status: Ralf: The stuff in general _IS_ for 1.3.x but the posted
                      patch was just a first cut to get feedback. An updated
                      one is posted in a few days. And I'm actually still
                      waiting for a review from Dean for the shared memory
                      hard-core stuff. When someone else is also interested
                      please review the shared memory deep-level code.
                Doug: +1 on concept (untested)
                Lars: +1 on concept

    * Marc's [PATCH] PR#3323: recursive includes
        Message-ID: <>
        Status: Marc +1, Jim +1 (concept)
        * Needs more in-depth review *

    * Mark Bixby's freshening up the MPE/iX port (mostly APACI)
        Message-ID: <>
        Status: Mark says: "...currently waiting for HP to fix two OS bugs.
                A fix for siglongjmp() is available and has been tested
                successfully by me, but has yet to be included in a
                public patch.  The likely cause of the "EINTR from
                fopen()" bug has been identified, but analysis on how
                to fix it continues."

    * Doug MacEachern's libapr - Generic Apache Request Library (Alpha)
      This package contains modules for manipulating client request data
      via the Apache API with Perl and C.

Needs patch:

    * MaxRequestsPerChild doesn't count requests, only the
      number of connections processed.
      We can either 'fix' it by renaming the directive to
      MaxConnectionsPerChild or really fix it to actually count
      the number of requests.
      Lars: I think we should really fix.
      Jim: The main idea behind this is to avoid problems with
           memory leaks. So it really doesn't matter which we
           do, as long as there's a match between the directive
           and what it does. Since it's easier, I'd say just
           rename to MaxConnectionsPerChild but keep MaxRequestsPerChild
           as an "alias" to that (maybe print a short "MaxRequestsPerChild
           is depreciated" message when Apache starts).

    * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
      See: <>

    * uri issues
        - RFC2068 requires a server to recognize its own IP addr(s) in dot
        notation, we do this fine if the user follows the dns-caveats
        documentation... we should handle it in the case the user doesn't ever
        supply a dot-notation address.

    * Problems dealing with .-rooted domain names such as "twinlark." versus
        "".  See the thread containing
        Message-ID: <> for more details.
        In particular this affects the correctness of the proxy and the
        vhost mechanism.

    * proxy_*_canon routines use r->proxyreq incorrectly.  See

    * work around a Navigator/Mozilla bug when mod_proxy is used
      (broken images).
        Message-ID: <>
        Status: Lars' patch was vetoed.  Roy and Dean think that it is
                probably another buffer magic number error and should be
                tested to find out and, if so, fixed like it was in core.
                Dirkx: cannot reproduce this at all.

    * ap_escape_html() always duplicates the string, even when there is
      no change and the caller would be happy to use the original.
      What is needed is a separate interface for "don't need a dup"
      situations, like just about everywhere we use it in bvputs and
      bputs calls.
      dirkx: -1 (as some of the modules from seem
        (rightly?) to assume that they can modify the returned escaped
        string whilst relying on the passed string not to be damaged.

    * Should we disallow requests with bogus characters in the method?
      See <>

Open issues:

    * general/3787: SERVER_PORT is always 80 if client comes to any port
      => needs review by the protocol guys, I think.

    * Someone other than Dean has to do a security/correctness review on
      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
      do lots of fun pointer manipulations and such and possibly have overflow
      errors.  The respective flush_funcs also need to be exercised.
       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
         did to make thread-safe) and they look fine.
       o Laura La Gassa's looked over ap_vformatter & other related code
       o Martin did a "source review" as well.
       o Could still use 1 or 2 more sets of eyeballs.
       Status: Is this still valid??

    * Paul would like to see a 'gdbm' option because he uses
      it a lot.

    * Maybe a http_paths.h file? See
        +1: Brian, Paul, Ralf, Martin, Dirkx
        +0: Jim (not for 1.3.0)

    * Release builds: Should we provide Configuration or not?
      Should we 'make all suexec' in src/support?
        +1: Brian, Jim, Dirkx, Ken +1 (possible suexec path issue, though)

    * root's environment is inherited by the Apache server. Jim & Ken
      think we should recommend using 'env' to build the
      appropriate environment. Marc and Alexei don't see any
      big deal. Martin says that not every "env" has a -u flag. 

    * Marc's socket options like source routing (kill them?)
        Marc, Martin say Yes

    * Ken's PR#1053: an error when accessing a negotiated document
      explicitly names the variant selected.  Should it do so, or should
      the original URI be referenced?

    * Proposed API Changes:

        - r->content_language is for backwards compatibility... with modules
          that may not link any longer without some minor editing.  The new
          field is r->content_languages.  Heck it's not even mentioned in
          apache-devsite/mmn.txt when we got content_languages (note the s!).
          The proposal is to remove r->content_language:
            Status: Paul +1, Ralf +1, Ken +1, Martin +1, Dirkx +1 (I could
                not find ANY module which uses it and which (still) compiles
                after the config change.)

        - child_exit() is redundant, it can be implemented via cleanups.  It is
          not "symmetric" in the sense that there is no exit API method to go
          along with the init() API method.  There is no need for an exit
          method, there are already modules using cleanups to perform this (see
          mod_mmap_static, and mod_php3 for example).  The proposal is to
          remove the child_exit() method and document cleanups as the method of
          handling this need.
            Status: Rasmus +1, Paul +1, Jim +1, 
                    Martin +1, Ralf +1, Ken +1, 
                    Dirkx +1 (with doc change)

    * Should we re-enable nagle now that we're non-buffering CGIs?  See
      various messages from Marc in March 98.
    * TZ should not be dealt with specially any longer now that we have
      "PassEnv".  See
       Jim: IMO it's too late in the game for this... I'm
            sure this would cause some strange bug reports as
            people's cgi-scripts no longer work correctly
            ("It worked just fine before I upgraded to 1.3.0")
            unless we warn people in big nasty letters to add
            PassEnv TZ to their config files "just in case"
            and hope they do it :)
       Dirkx: Is not this the same issue about maintaining your 'env' ?

    * In ap_bclose() there's no test that (fb->fd != -1) -- so it's
      possible that it'll do something completely bogus when it's 
      used for read-only things. - Dean Gaudet

    * Roy's HTTP/1.1 Wishlist items:
        1) byte range error handling

    * use of spawnvp in uncompress_child in mod_mime_magic - doesn't
      use the new child_info structure, is this still safe?  Needs to be 
      looked at.

    * suexec doesn't understand argv parameters; e.g.

        <!--#exec cmd="./ls -l" -->

      fails even when "ls" is in the same directory because suexec is trying
      to stat a file called "ls -l".  A patch for this is available at

      and it's not bad except that it doesn't handle programs with spaces in
      the filename (think win32, or samba-mounted filesystems).  There are
      several PR's to this and I don't see for security reasons why we can't
      accomodate it, though it does add complexity to suexec.c.
      PR #1120
      Brian: +1

Win32 specific issues:


    * fix O(n^2) attack in mod_isapi.c ... i.e. recopy the code from

 In progress:

    * Ben's ASP work... All agree it sounds cool.

    * DDA's adding a tray application to the Windoze version for ease of
        Status: Ken +1, Sameer +1, Martin +1, Ben +1 (as long as
        we get a single executable)
        Paul: No like Win95 specific stuff
        Ken: What's W95-specific about it?


    * should trap ^C when running not-as-service and do proper shutdown

    * should have a pretty little icon for Apache on Win32

    * proxy module doesn't load on Win95.  Why?  Good question.  PR#1462.
    * Proxy cache garbage collection doesn't work. PR#1891

    * chdir() for CGI scripts and mod_include #exec needs to be 
      re-implemented now that CreateProcess is being used.

    * process/thread model
        - need dynamic thread creation/destruction, similar to 
          Unix process model
        - can't use WaitForMultipleObjects in the same way we
          do now, since that has a limit of 64(!) objects.  Grr.

    * some errors printed by CGIs to stderr don't end up making it
      to the server log unless an extra debugging message is added
      after they run? (PR#1725 indicates this may not be just Win32)

    * handle bugs that make it pop up errors on console, ie. segv 
      equiv?  Can we do this?  Need to make it robust.

    * install
        - make installshield work
        - config in cvs tree?
        - install docs, etc.?
        - location for install

    * the mutex should be critical-regions, since the current design
      is creating a mess of SO calls that are unnecessary

    * we don't mmap on NT.  Use TransmitFile?

    * CGIs
        - docs on how they work w/scripts
        - use registry to find interpreter?
        - WTF is the buffering coming from?
            - we don't have a way to make non-blocking files on NT!

    * performance

    * documentation:
        - running the server without admin
        - how CGIs work
        - update README.NT
        - short/long name handling
        - better status page on current state of NT for users

    * http_main.c hell
        - split into two files?

    * who should run the service?  Who exactly is the "system account"?

      docs say:

      Localsystem is a very privileged account locally, so you shouldn't run
      any shareware applications there. However, it has no network privileges
      and cannot leave the machine via any NT-secured mechanism, including
      file system, named pipes, DCOM, or secure RPC.


      A service that runs in the context of the LocalSystem account
      inherits the security context of the SCM. It is not associated with
      any logged-on user account and does not have credentials (domain
      name, user name, and password) to be used for verification. This
      has several implications: [... removed ...]

      That _really_ sucks.  Can we recommend running Apache as some 
      other user?

    * modules that need to be made to work on win32
        - mod_example isn't multithreadreded
        - mod_unique_id (needs mt changes)
        - mod_auth_db.c  (do we want to even try this?  We should have some
          db of some sort... what else can we pick from under win32?)
        - mod_auth_dbm.c
        - mod_info.c (PR#1442 re exporting symbols for it...)
        - mod_log_agent.c
        - mod_log_referer.c
        - mod_mime_magic.c (needs access to mod_mime API stage...)

    * do something to disable bogus warnings

    * rfc1413.c has static storage which won't work multithreaded

    * mod_include --> exec cgi, exec cmd, etc. don't work right.
      Looks like a code path that isn't run anywhere else that has
      something not quite right...  A PR or two on it.

    * signal type handling
        - how to rotate logs from command line?
          (Point people to Andrew Ford's cronolog because it's "better"
           than ours?)

    * Currently if you double click on the conf files or the
      log files you get a useless dialog offering the set of all
      executables, usually after a very long pause.  Ought
      to stuff .conf in the registry mapping it to text.

    * apparently either "BrowserMatch" or the "nokeepalive" variable
      cause instability - see PR#1729.

   The goal here is to have two columns of all-Y (where applicable)
   for the two stable release versions, and nothing under Old unless
   the new version just doesn't work on that platform.

                        1.2.6   1.3.4   Old
   aix_4.1                N       N     1.2.5, 1.3.1
   alphalinux             N       N     1.3.0
   aux_3.1                N       Y
   decalphaNT             N       N     1.3b6
   dunix_4.0              N       N     1.2.4, 1.3.0, 1.3.1
   freebsd_2.1            N       N     1.2.4
   freebsd_2.2            N       Y
   hpux_10.20             N       N     1.2.5
   hpux_11                N       N     1.3.2
   irix_6.2               N       N     1.2.5
   linux_2.x              N       N     1.2.4, 1.3.0
   netbsd_1.2             N       N     1.2.4
   os2                    N       Y
   reliantunix_5.4        Y       Y
   solaris                N       N     1.2.5, 1.3.0, 1.3.1
   sparclinux             N       N     1.3.0, 1.3.1
   sunos_4.1.x            N       N     1.2.5
   ultrix_4.4             N       N     1.2.4
   win32                  -       N     1.3.2  (is symlink okay?)

View raw message