The percentage of programmers capable of fixing problems like this themselves is minuscule. The same thing applies to any major open source application such as browsers. Identifying the flaw, fixing the flaw, and performing regression testing to make sure you have not introduced new problems requires an expert skill set that is quite different from the skill set needed to develop web and console user applications. The easy fixes have been done but the remaining bugs are causing the people who work on these
Ah! You must be Mr. Super Programmer! The "ability to fix it yourself" has always been one of the least important reasons to support the open source licensing model. The most important benefits have been reducing your problems if your closed source vendor goes out of business leaving you with an unsupported and stagnant application. Open source has also provided a large code base that developers are free to access and use in their own projects. There are a lot more developers who take advantage of this reso
Quick fixes (Score:3, Insightful)
Compare this to Microsoft's one patch day a month policy which is rarely if ever varied.
Re: (Score:1, Flamebait)
Re: (Score:2, Funny)
Meh, it's open source, why should you wait for Apache to fix it for you? You can fix it yourself.
I set up Apache on my grandmother's Linux computer so she can share photos over WebDAV (she likes to gimp her pictures). I stopped by a couple of days ago to update Apache but to my surprise, she had already heard about the bug, downloaded the source code, got a master's degree in computer science, and fixed it herself.
Re: (Score:2)
Re: (Score:2)
WHOOOOOOOSH!
Re: (Score:2)
Re: (Score:1)
I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
I think their response has been more than reasonable, given the actual flaw is a somewhat vaguely worded paragraph in the HTTP RFC regarding multiple requested ranges and how they should be treated. Sometimes the real bug is inherent to the protocol, and all vendors need to work together to seek a sensible remedy.
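The multiple-range handling the comment above refers to is exactly what a server has to bound before building a multipart reply. As an added example (not Apache's code, and not part of this thread), the Python below parses a `Range` header, ignores it when malformed as the RFC directs, caps the number of range-specs per request (the 200 cap is an assumed policy value) and coalesces overlapping ranges, so that a request with many overlapping ranges cannot multiply the work done per response:

```python
import re
from typing import List, Optional, Tuple

# Constructed policy value for this example (assumption, not Apache's setting).
MAX_RANGES = 200  # distinct range-specs accepted per request

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=...' into inclusive (start, end) pairs within [0, size).

    Returns None for a syntactically invalid header (the RFC says ignore it)
    or when no range is satisfiable; the caller then serves the whole resource."""
    if not header.startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            return None                        # e.g. "-", "abc" or empty
        first, last = m.group(1), m.group(2)
        if not first:                          # suffix form "-N": last N bytes
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(size - n, 0), size - 1))
            continue
        start = int(first)
        if last and int(last) < start:
            return None                        # last-byte-pos < first-byte-pos
        end = size - 1 if not last else min(int(last), size - 1)
        if start < size:                       # drop unsatisfiable specs
            ranges.append((start, end))
    return ranges or None


def coalesce(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent ranges so each byte is sent at most once."""
    merged: List[Tuple[int, int]] = []
    for s, e in sorted(ranges):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def decide(header: str, size: int, max_ranges: int = MAX_RANGES):
    """Return ('full', None), ('reject', None) or ('partial', merged_ranges)."""
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return "full", None                    # serve a normal 200 response
    if len(ranges) > max_ranges:
        return "reject", None                  # 416, or ignore the header
    return "partial", coalesce(ranges)
```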
Re: (Score:2)
So what you're saying is "Le mieux est l'ennemi du bien" (the best is the enemy of the good)?
2.0.65? (Score:2)
Nice.
I hope the one for 2.0.64 comes out soon... but at the same time I'm glad the 2.2 guys are the guinea pigs seeing regressions and not us :).
Re: (Score:2)
More people are running 1.3 than 2.0 now. Going from 1.3 to 2.2 with a custom module sometimes means a rewrite but going from 2.0 to 2.2 tends to be updating a few elements in some structures.
Re: (Score:2)