
For OpenBSD, "No More Apache Updates"

joshmccormack writes "On June 6th Henning Brauer, an OpenBSD developer, announced on one of the OpenBSD mailing lists that the version of Apache shipped with OpenBSD will stay with 1.3.29, due to Apache's license changes. There will be bug fixes, but no more updates. Discussion on blogs, websites and mailing lists on what's next brings up some interesting ideas and strong opinions. Difference of opinion and control have been catalysts to the growth of OpenBSD in the past. Will this be like the birth of pf in OpenBSD, or even the start of OpenBSD itself?"

  • Story: check.. (Score:4, Informative)

    by denisb ( 411264 ) <[denis] [at] [denis.no]> on Monday June 07, 2004 @12:04PM (#9357569) Homepage
    Direct links: fail.
    More info to read up on: fail.
    Reference to the relevant list / list archive: fail.

    Perhaps this story could be fleshed out a little?
    I'll google it or use some other news source to find more about this, but...

    • Re:Story: check.. (Score:5, Informative)

      by albalbo ( 33890 ) on Monday June 07, 2004 @12:10PM (#9357625) Homepage

      A link for you [neohapsis.com].

      But you're right, it's a very content-free post.

    • Re:Story: check.. (Score:5, Informative)

      by nocomment ( 239368 ) on Monday June 07, 2004 @12:14PM (#9357665) Homepage Journal
      no kidding!

      Since I'm subscribed to the mailing list I've gotten to read all about it for the last couple days. Here's a link to the mailing list archive....here [theaimsgroup.com]

      A page to actually read more on this is here [undeadly.org].
      • Reading the comments at undeadly.org, it seems the big beef is with a clause that covers patent issues of any code as well as copyright issues.

        Basically, the clause says that if you have any patent claims to the code that you contribute (or is it just use? I'm not sure.) then you irrevocably grant license to others for those patents and if you sue, then you can't use Apache.

        I'm unsure as to how this is a bad thing. Most "free" software licences were written before software patents were a big issue, and therefore only deal with software as a copyrightable, and not a patentable entity. Just as software code must be updated to deal with new operating environments, so legal licensing code must be updated to deal with a changing legal environment.

        The new clause forces patent holders to play nice as well as copyright holders.

        Would it be better to encourage lawsuits over patent issues?
        • I think this is where the problems come in. From what I can tell (be warned: legal-speak confuses me immensely) it seems to be a necessary change because of the recent furore about software patents. It seems to be merely a restriction to prevent patent-holders from contributing their ideas to the codebase and then down the line trying to charge for use.

          The problem then appears to stem from the fact that said restriction is a restriction - and is incompatible with the majority of current free/open licenses.
          Or something, anyway. But basically it looks like changes which are a good idea in theory are incompatible with the letter of a lot of F/OSS licenses. And, like it or not, this means that it can cause problems unless/until the GPL/BSD/WTF licenses catch up with the changes.

          I'm not so sure it's that the changes are necessarily a "bad thing", more that the various F/OSS groups are showing that they take licensing seriously. And with the current anti-free FUD going around, showing that they will take serious steps to avoid breaking licenses can only be a positive step.
          Sadly, the drawback is that to Play By The Rules sometimes they have to make unpopular decisions. But the flipside is that, if necessary, they can still fork from earlier versions.

          Tiggs
        • I haven't read it myself but does this force you to open your patents up to everyone for any use or simply for apache-derived open-source projects?

          Essentially it boils down to the difference between making your ideas public domain and GPLing them.

          I can see the logic behind either approach, but the public domain-ish one seems to be more natural; to do otherwise would be like saying "I'm going to publish this information out in the open, call it Free but reserve the right to sue your ass back to the stonea
          • So is the only "non-free" aspect of this that it restricts the freedom of contributors to sue over patent ownership of code that they themselves contributed?

            There seems to be a paradox, because if patent holders can sue over contributed code, then the software is non-free for the user.
            So with the clause, the contributor loses the freedom for preying on users legally, while without the clause, users retain the freedom to subject themselves to endless legal hassles.
            This is a perversion of freedom absurd. Th
        • it is bad because it places restrictions on the software past what are imposed by the bsd license. openbsd now uses the 2-clause license, and this new license apache uses (it's the same core issue (not free enough licenses) with cisco/vrrp and xfree86) a more restrictive license

          theo has made it clear, a number of times, that nothing new will get into the tree with unfree licenses. he (and the rest of openbsd) want it this way.

          really, it boils down to simplicity of the license. read the 30 or so lines
    • Re:Story: check.. (Score:5, Informative)

      by molnarcs ( 675885 ) <(csabamolnar) (at) (gmail.com)> on Monday June 07, 2004 @12:15PM (#9357679) Homepage Journal
      You are right, a link or two might have helped. After googling a little, I found this announcement [undeadly.org] on undeadly.org
  • So what? (Score:5, Informative)

    by Rick the Red ( 307103 ) <Rick@The@Red.gmail@com> on Monday June 07, 2004 @12:05PM (#9357572) Journal
    It's not like we can't get Apache somewhere else. This is Yet Another Licensing Dispute, and the solution is -- as always -- to just download whatever you want to run on your own if it doesn't come bundled with the OS.

    The only way this is even close to what happened with ipf/pf would be if the OpenBSD folks decided to write their own web server and release it under the BSD license, which isn't going to happen because they're OS folks, not web server folks.

    • Re:So what? (Score:3, Informative)

      by the morgawr ( 670303 )
      While I agree with you, it is entirely possible that someone could take the OpenBSD version of Apache (which has a ton of security patches that never got added back to the main tree) and use it to make OpenHTTPD. If enough people and vendors were concerned about the license change, it could even become the new standard.
      • Re:So what? (Score:4, Funny)

        by Pieroxy ( 222434 ) on Monday June 07, 2004 @12:30PM (#9357805) Homepage
        I think it is now time to fork once again OpenBSD. I'd suggest the new name to be OpenApacheBSD.

        Cheers.
      • Re:So what? (Score:5, Informative)

        by molnarcs ( 675885 ) <(csabamolnar) (at) (gmail.com)> on Monday June 07, 2004 @01:08PM (#9358175) Homepage Journal
        It seems they might consider thttpd (well, I'm at the part of the messages when someone brings it up [theaimsgroup.com]). At first glance it looks pretty nice (the OpenBSD folks only need to add ssl support for it). From their webpage [acme.com]:
        thttpd is a simple, small, portable, fast, and secure HTTP server.

        Simple:
        It handles only the minimum necessary to implement HTTP/1.1. Well, maybe a little more than the minimum.

        Small:
        See the comparison chart. It also has a very small run-time size, since it does not fork and is very careful about memory allocation.

        Portable:
        It compiles cleanly on most any Unix-like OS, specifically including FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF.

        Fast:
        In typical use it's about as fast as the best full-featured servers (Apache, NCSA, Netscape). Under extreme load it's much faster.

        Secure:
        It goes to great lengths to protect the web server machine against attacks and breakins from other sites.

        It also has one extremely useful feature (URL-traffic-based throttling) that no other server currently has. Plus, it supports IPv6 out of the box, no patching required.
        After reading its man page it seems to me they have similar philosophy to pure-ftpd: simplicity and security. (thttpd, just like pure-ftpd, doesn't need a config file, but if you decide to write one, it has a very easy syntax ... not that apache was terribly complex).
        • Re:So what? (Score:3, Interesting)

          by the morgawr ( 670303 )
          how well does it handle dynamic content (like using php and perl)? Obviously it can't use mod*; so is it restricted to CGI? Wouldn't CGI be a step back as far as speed and security go?
          • Re:So what? (Score:4, Informative)

            by joshmccormack ( 75838 ) on Tuesday June 08, 2004 @08:17AM (#9364928) Homepage Journal
            Here [acme.com]'s where you can find info on thttpd running CGIs.

            It appears, from their benchmarks [acme.com], that performance running test C CGI's is very good for thttpd.

            Seems like it might be best for simpler scripts, though, as it appears [linux.ie] that CGI execution is serialized, so "...one long running script will block all other requests." Here's another explanation. [fukt.bth.se]
          • thttpd does do CGI's (Perl of course is included there). There was a way to make PHP work with it. Last time I read the documentation, it was anything but optimal.

            We use thttpd on quite a few of our static servers, and I have to say it's absolutely fabulous. Instead of thousands of tasks that Apache 1.3.x would run, it has just one. Well, we start up a few sessions, and found a dual 1.4Ghz machine with 1Gb RAM has absolutely no trouble sending out 150Mb/s through teql bound NIC's. That's 150Mb/s
        • Re:So what? (Score:5, Insightful)

          by geirt ( 55254 ) on Monday June 07, 2004 @04:13PM (#9360025)
          Secure:
          It goes to great lengths to protect the web server machine against attacks and breakins from other sites.

          Well, you should try to google for thttpd security [google.com]. It has a security record which makes Windows 95 look pretty good.

          • I agree it's been awful in that respect :-(
          • Re:So what? (Score:1, Insightful)

            by Anonymous Coward
            Google for:
            thttpd security: 26000 results
            apache security: 2860000 results

            I'm not entirely sure that google results are conclusive.
            • Re:So what? (Score:3, Interesting)

              by geoffspear ( 692508 ) *
              Well, actually reading the resulting pages instead of just looking at the numbers would help a bit.

              I, for one, am shocked that there are 26,000 total pages that mention thttpd at all, let alone with "security" thrown in.

        • Is it just me, or does that name sound like something Bill the Cat would say?
          • Re:So what? (Score:2, Funny)

            by Chmarr ( 18662 )
            Ah, you're confusing THTTPD (threaded hyper text transport protocol daemon) with THPTT (threaded high pustulence tongue transport) :)
        • Re:So what? (Score:2, Interesting)

          Hmmm. Non-forking model.

          For specific solutions requiring fast startup and minimal size for serving static pages, I bet thttpd is perfectly reasonable.

          I'm not sure a non-forking, 100% in memory, server can replace a full commercial installation of Apache (when tuned properly, that is).

          Not having looked at thttpd in any real way, this is my first concern.

          I also depend on a fair amount of module support in Apache (so obviously, I'm not _that_ concerned with performance!) so switching to some new model mig

        • thttpd was discussed, but they said pretty emphatically that they're happy with Apache 1.3.29 + patches.
      • by Nonesuch ( 90847 ) on Monday June 07, 2004 @05:40PM (#9360805) Homepage Journal
        The "APACHE" server project was originally a set of patches to the NCSA HTTPd, the name comes from "a-patchy web server".

        Back around 1995, development of the NCSA sort-of-free web server was starting to die out, and developers who had been producing a set of patches to the NCSA project decided to "fork" their development branch.

        After the fork, the majority of development effort concentrated in the new "Apache" project, and the NCSA HTTPd died out about a year later.

    • no, downloading apache elsewhere and running it is not recommended. the asf/apache still has got security bugs that are patched by openbsd/apache, but they (asf) refuse to accept the patches. that's why the openbsd description is (1.3.29 ... + patches)
  • Other OS vendors (Score:3, Interesting)

    by DieNadel ( 550271 ) on Monday June 07, 2004 @01:09PM (#9358180)
    What are other OS vendors doing? It's clear that the new license isn't GNU compatible [gnu.org], and I think that Debian is also going into a direction similar to OpenBSD on this matter.
    Anyone care to elaborate on this?
    • Re:Other OS vendors (Score:5, Interesting)

      by Brandybuck ( 704397 ) on Monday June 07, 2004 @01:49PM (#9358585) Homepage Journal
      The old Apache license wasn't GPL compatible either. In neither case should it affect Debian unless they choose to make a political stink out of it.
    • Re:Other OS vendors (Score:5, Informative)

      by forlornhope ( 688722 ) on Monday June 07, 2004 @05:22PM (#9360652) Homepage
      Debian doesn't distribute stuff based on if it is GPL compatible. It bases it on if the software is DFSG-free. After that is the question of linking and Debian always tries to follow the license of the software. That is where the stuff about the binary only firmware in the kernel came from along with the XFree86 stuff. The linux kernel is not distributable with the firmware and all the GPLed software that depends on xlib can't link against it under the latest XFree86 license.
    • It is incompatible with the GNU GPL. There are various licenses published by GNU: GPL, LGPL, GFDL. GNU is a project whose goal is to create a free unix like OS.
  • RTFA... (Score:5, Funny)

    by enyalios ( 686291 ) on Monday June 07, 2004 @01:14PM (#9358239) Homepage
    Oh... hmm... it appears there isn't an FA to R.
  • Not a real problem (Score:5, Interesting)

    by jpkunst ( 612360 ) on Monday June 07, 2004 @02:59PM (#9359289)

    I don't think this will be a real problem. If Apache is no longer allowed in the OpenBSD base system it can simply be moved to ports/packages, and it will be just a pkg_add away - just as is now the case with Apache 2.0.

    JP

    • by peacefinder ( 469349 ) * <alan.dewitt@gmaiOPENBSDl.com minus bsd> on Monday June 07, 2004 @06:51PM (#9361295) Journal
      It appears that the existing 1.3.29 (+ patches) apache will remain in the base OpenBSD install indefinitely. The OpenBSD folks have audited it for security, and it does what a basic web server needs to do. Anything beyond that is not really the OS vendor's problem anyway.

      As always, if the end users need more features, they can install a newer version. But note the warning on the openbsd-misc list: [theaimsgroup.com]
      Subject: Re: no more apache updates
      From: Henning Brauer

      let me add one more thing.

      it is of course possible to install an apache 1.3.31 or future ones
      from source on OpenBSD.

      however, doing so is one of the dumbest things you can do.

      there is a number of serious security problems in apache that we have
      fixed, and that have been offered them back, and they refused.

      selfmade apache upgrade = security downgrade, ok?
      • by jpkunst ( 612360 )

        But since everything is open source, it should be possible to apply any OpenBSD security patches to 1.3.31 or later, and offer that one (in ports/packages) as 1.3.31 (+ patches), right?

        JP

        • by c13v3rm0nk3y ( 189767 ) on Wednesday June 09, 2004 @10:07AM (#9377232) Homepage

          In theory, this should be doable. In practice, it will be a mess of backporting and three-way merging.

          Not to mention something you will have to do every time the Apache people release new versions with their own patches. You can only maintain your own abandoned tree for so long.

          I guess you could build off of your own copy of their CVS tree, and just rebuild based on their tags. This defeats the purpose (to me) of a nice easy ./configure ...; make; make install.

  • by gtrubetskoy ( 734033 ) on Monday June 07, 2004 @04:03PM (#9359941)
    You know whom to complain to.

    I hope he means the US and EU governments here. Had there been no software patents under incredibly lax oversight with the subsequent abuse thereof, the Apache Software Foundation wouldn't be forced to write this clause into the license.

  • The Apache 1.3 series really doesn't seem to get much development besides the usual bugfixes and security patches. The only reason people use it is because of either refusal to change to Apache 2 (if it ain't broke don't fix it) or because there's still some required module that only runs on Apache 1.3. On the other hand, I really never got why there's a webserver in the base OS in OpenBSD. As some other posters mentioned, the ports is where a webserver belongs IMHO.
    • With the way it is, you pretty much have to put

      httpd=""

      in /etc/rc.conf.local and you've got a webserver. With something as complicated as Apache, it would be hard to make it as easy as that if it were a port. Also, I think it would be considered rude for a port to go around setting up stuff in /var.

      They seem to like to be able to do just about all of the basics out of the box.

    • I've always thought it was a good thing. Remember, the OpenBSD project doesn't worry about the security of the code in the ports tree like they do the base system.

      Not every box needs Apache (nor BIND, which is also part of OpenBSD's base system), but lots of them do, and I'm glad that the project has made them first class citizens.

      Yes, you can take this too far ("Lots of people need MySQL!"), but if the OpenBSD project has the manpower to audit a certain amount of code we should let them do it, and Apache
