Apache HTTPd Server Developers Considered Harmful
It was my vision back then to transform the library into a generic, non-Perl related C library that would support language bindings from other programming languages, which is why I pushed for the project to be homes under the HTTPd umbrella instead of the Apache-Perl project.
While this vision was wildly successful, with language bindings available for several languages like Perl, TCL, R, etc, ever since about 2010 its proven tragic for the existing user community consisting of all of them, not just Perl.
What happened? Philip Gollucci, a Perl/FreeBSD olleague of mine at the time, started agitating that we promote the project to be released from inside the HTTPd server itself. What Philip didn’t know very well back then was how utterly vapid and territorial that team had become, which would have meant having to collaborate with them directly on user-facing decisions about the code base.
In 2012, Philip got what he wanted and I stopped resisting, so he forked the existing project and copied the C library components into HTTPd core.
In 2016 I resigned from the Foundation en masse. You can guess the reasons.
In 2020 or so, Google’s Security Team took advantage of an alpha release of httpd 2.5 by fuzzing its 8 year old copy of apreq. It found a few hotspots that needed repair.
Instead of having the courtesy of reaching out to me, or anyone else involved in development of apreq, a junior engineer on the HTTPd team went about the business of “bug fixing” the vulnerabilities Google found. You can see a record of his trial and error work in every release since then.
But the coup de grace was the 2022 release of 2.17, wherein the rookie developer purposely introduced a fatal bug into the codebase, breaking a fifteen year old regression test.
If you are wondering how something with a broken regression test winds up on CPAN, you’ll have to look into how RELENG is done in the server project.
Long story short, they commented out the test and shipped it anyway, and called it a Security Release that fixed a vulnerability every prior release was susceptible to.
Why do I care now? Because I’m the sucker users reach out to for answers as a known subject matter expert.
This sucks, but I’m sorry to tell you that my days wearing the Superman cape at Apache ended 8 years ago.
23 comments
[ 2.3 ms ] story [ 67.2 ms ] thread"En masse":
All together and at the same time, in large numbers
https://dictionary.cambridge.org/dictionary/english/en-masse
Seeing these kinds of stories and interacting with the type of people who have them brings to mind an old saying:
“If everyone you meet is an asshole, you’re the asshole”
Note that I’m not saying that’s the case here or insulting you, that’s just the saying.
This story is filled with what seems like (at best) “personality conflicts” and your very dim view of essentially everyone involved in it with the exception of yourself.
It even ends with you essentially calling yourself Superman.
I’m not sure what the point of this is (vent? warning?) but it doesn’t read like a sympathetic and even remotely balanced telling of events, that’s for sure.
It may be worth reflecting on what you may have contributed to this if your goal is reducing the chance of repeats.
I'm not sure if that's the case, but that what's coming across. Small-minded pettiness.
It really doesn't. Awful behavior regardless.
As I tell everyone else- don’t trust their releases.
Nothing else is.
But at the same time, F/OSS has transformed into a loss leader for FAANGM monopolies, which coincides neatly with the timeline presented.
Here's the bugtraq event about it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018191
Does any of this make sense to you? Nobody who looks in the changes file has any idea the last three releases involved CVE issues. Not only are they purposefully obscured, the release itself contains undocumented bogus parser changes that were papered over during candidate voting.
1/ report the Google Fuzz Report to the actual development team, to coordinate and collaborate on a solution.
2/ not take three whacks at a security release just to fix the same vulnerability
3/ not attempt to ship whimsical patches in a security release
4/ not patch the test suite to lie to voters about the viability of a release candidate.
5/ ship a hotfix immediately after users report the bugs on 2.17
25 years is a long time for an imaginary title on a vanity project. I guess it helps to work 12.5 years on, 12.5 years off (no commits, no releases).
> In 2016 I resigned from the Foundation en masse. You can guess the reasons.
NPD?
https://projects.apache.org/committee.html?httpd#:~:text=Joe...
There are literally thousands of others who do not advertise the version number out of security concerns.
https://webtechsurvey.com/technology/mod_apreq2
And despite the decade-long warfare against its userbase by the community of glorified morticians at Apache HTTPd Server Project, it still has a growing customer-base!
https://blogs.sunstarsys.com/joe/apache-considered-harmful
for the permalink.