Apache Week
   Issue 249, 1st June 2001:  

Copyright ©2020 Red Hat, Inc

In this issue

Under Development

Development slowed this week due to the server compromise, as Apache group members were kept busy checking the server and CVS repositories for damage.

A problem emerged with error responses in 2.0, which were lacking any headers. A couple of patches were proposed although the fix committed was reported to break the new filters-based mod_headers.

Bill Stoddard added a new feature to mod_headers in 2.0, the 'header echo' directive, which specifies that headers from the request (which match a regular expression) are returned verbatim in the response.

Justin Erenkrantz, a new member of the APR development team, has been busy moving utility functions out of Apache and into the APR utility library so that they can be used in other projects.

apache.org compromised

The apache.org site was attacked by crackers earlier this month. A public statement from the Apache Software Foundation is available. The site was compromised when an Apache developer logged into apache.org from a machine a cracker had already gained access to. The compromise was quickly spotted and verification of the various Apache project source and binaries have shown no evidence of being tampered with. The Apache developers started signing distributions of the web server back in June 1997.

The compromise has been reported in various media over the last couple of days. In particular, The Register story "Cowboy cracker nails Apache" gives a good account (and an unforgetable mental image of the cracker's logo)

How to check apache.org distributions

Using PGP it is easy to check the validity of a distribution you are downloading. You first need to make sure that you have the public keys for the various Apache developers installed. To do this download the KEYS file from http://www.apache.org/dist/KEYS and import them:

$ pgp < KEYS
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

New userid: "Rodent of Unusual Size <Ken.Coar@Golux.Com>".

You can also get these public keys from a previous distribution of Apache that you have installed, or from a public key server. When you download a new distribution from the apache.org site make sure you have downloaded the file containing the PGP signature (ending in .asc) that matches the distribution. For example, after downloading apache_1.3.14.tar.gz and apache_1.3.14.tar.gz.asc you can check the distribution with one command:

$ pgp apache_1.3.14.tar.gz.asc
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File 'apache_1.3.14.tar.gz.asc' has signature, but with no text.
Text is assumed to be in file 'apache_1.3.14.tar.gz'.
Good signature from user "Mark Cox <mark@awe.com>".
Signature made 2000/10/10 20:33 GMT

Users of GPG should use the command line options of gpg --import KEYS and gpg --verify apache_1.3.14.tar.gz.asc

O'Reilly Open Source Convention 2001

San Diego, California plays host to this key conference between July 23rd and 27th, and brings together the leaders of more than 14 critical open source technologies - including Apache - to give you an inside look at how to configure, optimise, code, and manage them.

Apache Week visited the last convention held in Monterey in July 2000. Our conclusion was that even if you were not interested in any of the other tracks such as Perl or Python, there were plenty of talks and tutorials relevant to Apache users, although a number of them were direct copies or updates of talks given at previous Apache conferences such as ApacheCon. Apache Week talked to a large number of the attendees of the conference and the overall impression was very positive. The only real complaint was in the number of simultaneous talks, making it very hard to choose a schedule.

Apache Week will be there again this year, and notable Apache-bods on the speakers list include Stas Bekman, Ryan Bloom, Ask Bjoern Hansen, Rasmus Lerdorf, Doug MacEachern, Greg Stein, and Jon Stevens. If all those names are not enough to tempt you, there's a feast of activities including our favourite which involves Fajitas, Margaritas, and a dance floor.

Register now, or find out more at at the conference web site. Read our account of the 2000 Convention.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

CNET reviews Apache 2.0.16 Beta and suggests that administrators who are interested to upgrade to Apache 2.0 prepares for the stable release by installing the beta on a development machine. Then test the new features and benchmark its performance in order to speed up the eventual upgrade process.

In "The Apache XML Project: How To Get Read All Over", Software Development magazine walks you through a project that uses Java, Jakarta Tomcat and Cocoon to serve XML documents.

Paul Adams shows you how to generate images on the fly using PHP and GD library. He also talks about alternative methods that use GIMP or Flash Generator.