httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: pgp trust for https?
Date Wed, 09 Nov 2005 22:10:30 GMT
Peter J. Cranstone wrote:
> But seriously though, Apache now has 70% of the Internet web servers running
> its software. The single most important thing on IT minds is web services
> followed by "security".

Yup.  Apache takes a wee bit of pride that it comes up so infrequently on
bugtraq, and hides in shame when it does, meekly offering up a patch (usually
quickly, sometimes drawn out when the underlying mechanics are in the way.)

Most importantly - users can find out exactly what the buggy code was, and
if the fix actually solves it (or bring up another report if we haven't.)
This, as opposed to the process of exploit development, proof of concept,
and then lack of verification of fixes to 'the other webserver'.  So you
are probably right...

> Apache needs to think about what it's going to do to make the server more
> secure. If you don't someone is going to come in and steal the limelight. I
> doubt it will be Microsoft but who knows maybe Google does it.

But Longhorn and managed code is the final solution, no?  <LOL>

Most likely, the viable solution comes out of an unexpected corner of the
IT space.  At least, that's where most

> Security is a big deal - and it's not off-topic for any forum these days
> unless of course you're tired of being the lead dog on the Internet.

The httpd's security isn't off topic, I'll agree.  Debating or promoting
different ring and kernel architectures is off topic, though, when you
aren't applying them to an operating system that httpd can run on.  (Of
course anyone is welcome to take the httpd code off to their own project
to develop embedded httpd in a truly secure environment.)

Apache projects are designed around standards, and unencumbered ones at
that.  We leverage platforms, so sure, once there is a solid OS to support,
then it's something that is worth discussing IN THE CONTEXT of httpd.  But
without an actual operating system that's worth its weight in security,
that httpd can target, the thread's Ptolemaic are cute but irrelevant.

So rather than spin off-topic threads, where's the discussion of taking
something that exists, such as se-linux, and actually leveraging security
features of more evolved security architectures?  That's when things come
back on-topic here.

