Re: Re: [PHP] Which versions of Apache will PHP 5.3.6 work with??

on 07.04.2011 21:18:50 by Logan L

Hey Pierre, let me massage your ego a bit before I explain why I think the
security guys have a problem with this. First off, I appreciate the work you
do for the PHP community! I do recognize you as a leading member of the
community. Your opinion clearly has a lot of weight when it comes to PHP on
windows. I would LOVE to have you speak at our local PHP meetup!

So please do not view what I said previously about the Apachelounge binaries
as a slight against you or your opinions on the matter. The same goes for
William Rowe and his work for Apache. I know you have stated publicly of
your support for the apachelounge binaries. Also I am sure all the
apachelounge guys do great work and their contributions are appreciated.

As much credibility as the two of you have, the fact of the matter is that
the two of you aren't an accredited organization. Like I said before, the
binaries can't come from some dude's website for web server enthusiasts.

Here are some security issues relating to the issue at hand.

1. How can we be sure that apachelounge site and server is completely
hardened against attacks?
2. If their server is hacked, how much longer would we go without knowing
than if it was apache.org? Also would we even ever find out about such an
incident, because if a breach happened with apache.org it would be all
over the news.
3. Are all the people's identities that contribute on the site publicly
available? Some of the people may be trustworthy, but how can we say that
about all the members of apachelounge?
4. If they are doing this as their hobby, what assurances do we have
about the speed at which any security issues are resolved?

Now I haven't talked with the security guys about exactly what their
concerns are, so that list is just me thinking off the top of my head about
what I imagine their concerns to be. I trust them to do their job, so when
they say using apachelounge is out of the question, then I must explore
what our options are.

I'm not sure what you meant about Apache not having any official builds. I
know their VC6 builds can be found here.
http://httpd.apache.org/download.cgi
Maybe you meant VC9 builds. Believe you me, I am painfully aware of that. :)

Thanks for the info on Zend. Don't worry I won't troll the list with Zend
questions.

Regards,
-L


On Wed, Apr 6, 2011 at 4:48 PM, Pierre Joye wrote:

> On Wed, Apr 6, 2011 at 6:54 PM, Logan L wrote:
> > It might be ok with the security guys if the builds were released as
> > official builds from the ASF courtesy of the apachelounge.
> >
> > I agree for personal development use, apachelounge might be ok. I have
> > used them for local development in the past and was happy with them.
>
> I strongly disagree. I will repeat it again: They are production ready
> and we do support them. The src are the apache's ones and any bugs are
> fixed there, not in some random repository. Apache does support vc9
> from a build point of view, vc10 too. They simply don't give a damned
> about windows builds.
>
> > I think many companies will need some sort of industry support (an
> > accredited organization like the ASF) behind the binaries. They can't
> > come from some dude's website for web server enthusiasts. That level of
> > risk is not acceptable.
>
> Again, Apache does not provide any official builds, they don't plan
> (as of today stand) to do so nor to move to anything else than what
> they have now.
>
> If security is the matter, then I wonder (really hardly wonder) why
> in the world do you rely on VC6 builds until now. That's a mystery to
> me.
>
> > I talked to Zend and their PHP 5.3 versions of Zend Server include a VC9
> > compiled Apache, so that may be the direction we go. We are exploring our
> > other options as well. Thanks for all the good info!
>
> They use VC8 for their builds, not vc9. Anyway, if you use Zend
> Server, please ask them for support, we don't support their builds.
>
>
> Cheers,
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
