httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: vote on concept of ServerTokens Off
Date Tue, 08 Sep 2009 23:25:54 GMT
William A. Rowe, Jr. wrote:
> Guenter Knauf wrote:
>> Hi,
>> William A. Rowe, Jr. schrieb:
>>> Jim Jagielski wrote:
>>>> Lars Eilebrecht wrote:
>>>>> According to Jeff:
>>>>>> A lot of opinions were offered back in August.  Some were negative
>>>>>> I don't see anything that looks like a veto.
>>>>> I voted -1 at that time which is a veto.
>>>>> My opinion hasn't changed and I still think that it is a very
>>>>> stupid idea to add a "feature" that allows our users to do
>>>>> something which is stupid and absurd.
>>>>> *shrug* but as everyone seems to think that this is a good idea,
>>>>> feel free to ignore my veto.
>>>> A Veto is a Veto. If you feel strongly enough about it, then
>>>> it cannot be, and should not be, ignored.

Except that in this case, between Lars offer to "ignore" his vote/veto, and
the fact that he hasn't responded in 21 months (I also emailed him directly
last week to ensure he made note of this thread), he apparently does not
feel strongly enough to either confirm his veto, or confirm his willingness
to be talked out of this veto.  Jeff asked for explicit confirmation or
retraction of this veto on Dec 6th 2006, and Lars had not responded, so it
appears we can move ahead as this statement above appeared to be half-way
retracted veto, and he's unwilling to comment further to either agree with
Jim, or explicitly vote -0/distasteful.

>> If we would vote now, I would vote against. It makes no sense at all,
>> and folks who believe that hiding ServerTokens would make their server
>> more secure or relax the requirement to update for security bugfixes are
>> complete idiots who have never looked into their server logs.
> That was not the only point raised in the Server: toggle off debate.  The
> major reason was to trash all the bug reports and user queries about this
> issue, which show up daily at #httpd and several times a month on users@.
> It's a distraction that helpful peers should not need to keep answering.
> And the other minor point was applications where the user wanted to save
> the bandwidth handful of bytes per response.  Not compelling justification,
> but not a nonsensical request (unlike "how do I protect my server by...")

Guenter, please confirm if you are casting a veto, or in light of this
earlier discussion and rationale, you are just expressing your standing
distaste for the patch (which is -0)?

>> Also, I think we have some new folks here who also might want to vote,
>> and we should probably vote again?
> And if they want to, they will.  There is a thread, though it's two years
> old.  No need to start a new vote/thread.  There were an overwhelming
> number of votes in favor, so other than outstanding vetoes, there is no
> reason not to finish ServerTokens Off if someone like Jim or Jeff just
> comes along and commits it [if and once Lars lifted his veto].

And I've seen no other votes.  'Set' is clearly vetoed (it makes no sense
to falsely advertise Apache as anything other than Apache, and legitimate
purposes can be served with an 'Add' feature), while it looks like 'Off'
survives, depending now upon Guenter's vote.

The +1 votes are trawick, jorton, slive, jim, rpluem, stoddard, fielding;
we have -0 from wrowe, niq, and jerenkrantz, a half-way retracted veto from
Lars, and Guenter's threat of veto.  If Guenter and/or Lars would clarify,
we  could put this discussion thread to bed, and call the patch signed
sealed and delivered or revert it [although the argument has been made that
there are not technical grounds for such a veto to stand on].

In the interim, Jim, could you kindly replace the 'Set' functionality with
'Add' to work around the less flexible veto from last week, or simply
revert it already?


View raw message