OT: Apache Version Used

Tue Dec 21 12:40:38 EST 2004

Your completely correct, the core php code IS thread safe. It's all the
external libraries that aren't. Given however the fact that 90% of what
people use php for is the external libraries, what you have then  is a
set of about 2 dozen function calls and some if() statements and while()
loops that are thread safe :)

Unfortunately, the problem doesn't completely fall on the  developers of
the php modules either, because most of the time, they are using third
party libraries that are not thread safe themselves. i.e. the mysql guys
don't make the php mysql module, since the mysql module writer can only
use the mysql library, if Monty doesn't make the mysql library thread
safe, the php module wont be either..

Granted, since it's really a threading issue, like you mentioned
earlier, running apache2 in forked mode should be fine..so I guess it's
more of a php & apache2 threaded vs php & apach2 pfm.

Oh, and in reality, it'd be a cold day in hell to have the php module
guys "clean up" the php modules for thread safety. Theres still a large
number of php modules that haven't even been changed from php3 to php4
internals, and a VERY large number of php modules that haven't been
changed from php4 to php5 internals..and as we all know, cleaning up
code is a pretty boring job :) why would a php module guy bother
cleaning up old code when he can do kool new fancy stuff?

A couple more readings:

http://blog.coggeshall.org/archives/174_Apache_2.0,_My_Two_Cents.html

http://drbacchus.com/wordpress/index.php?p=844

-----Original Message-----
From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of
Brad Bartram
Sent: Tuesday, December 21, 2004 12:19 PM
To: nflug at nflug.org
Subject: Re: OT: Apache Version Used

To clairfy a little bit, this really isn't an Apache problem, nor is it
truly 
a PHP problem.  This falls squarely on the shoulders of the developers
of php 
modules.

Mark will probably disagree, but the very basic core of PHP seems to be
stable 
and even safe under Apache 2.  When you begin to add the extra modules
that 
provide the useful functions to PHP is when you intrduce instability and

problems.  This entire incompatibility comes from thread safety and
proper 
coding practices in the extra and third party modules.

My memory isn't perfect but I believe there is a nice writeup about this

subject right on php.net.  The exact url is a mystery for teh reader to 
decipher.  ;)

brad

On Tuesday 21 December 2004 11:28 am, Cyber Source wrote:
> ouch, the word "NEVER". The folks at Apache would probably disagree.
In
> my experience I have found only certain instances in which words like
> "NEVER" should appear when talking about software development, like,
> "Words like never and always should NEVER be used when software
> development is the context", or something like that, lol ;)
>
> Mark Musone wrote:
> >Well, with the apache case it's a little different, it's not just old
> >veruss new, because as Brad said, you shouldn't use php on apache2.
php
> >will most likely NEVER be stable or suggested for apache2. So this is
> >possibly a case where there are reasons for using the old software.
> >(personally, I just about always use apache1)
> >
> >-Mark
> >
> >
> >-----Original Message-----
> >From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf
Of
> >Cyber Source
> >Sent: Tuesday, December 21, 2004 8:48 AM
> >To: nflug at nflug.org
> >Subject: Re: OT: Apache Version Used
> >
> >You should heed Brad's advise. I only know Brad briefly but he made a
> >really nice presentation once at an nflug meeting and does have alot
of
> >knowledge when it comes to security. However, I don't think you
should
> >not make your decision based on the thinking that your safer staying
> >with older software (obscurity = security). Software would never
advance
> >
> >like that and updates are for fixing, amongst other things, security
> >holes, bugs, etc.. Apache should also not be blamed for what it has
no
> >control over, like the php packages on your system. I know this from
> >experience as the php packages that came with RH9 rpm's were badly
> >broken because I was working with the developer for FreeMED and he
> >developed his (php) FreeMED package on a debian box (different php,
same
> >
> >versioning but compiled differently with the rpm's). So we tried just
> >putting his FreeMED package on a FC1 box (same Apache version) and
all
> >was well. Before I got into RH and FC, I had a Mandrake server get
> >hacked because I didn't keep the packages up to date and one of the
> >packages had a security hole.
> >So, I would advise to stay current and edit your /etc/aliases file to
> >put a real email address for your root mail on the box (don't forget
to
> >start sendmail or equiv.) and keep an eye on your logs.
> >
> >Timothy Domst wrote:
> >>So since I am planning on a rudimentary server and I have that
manual
> >>I should just use 1.3 until I have a reason to do otherwise.
> >>
> >>On Dec 20, 2004, at 10:03 PM, Brad Bartram wrote:
> >>>Ahh - the old 1 vs 2 debate. ;-)
> >>>
> >>>What you use should depend largely on what you are using the server
> >>>for. If
> >>>you are using the server for php or pretty much most of the
> >
> >interpreted
> >
> >>>langauages like php, the answer is a resounding 1.3. Apache 2 and
php
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>should
> >>>not be used in a production or live environment due to the security
> >
> >and
> >
> >>>stability issues that are raised.
> >>>
> >>>If you are using Apache with an external interpreter such as Tomcat
> >>>or the
> >>>like, then using Apache 2 is the hands down winner.
> >>>
> >>>The reason for the difference is really the same - threads. Apache
2
> >>>can use
> >>>a threaded operation that makes it perfect for a multithreaded
> >>>application
> >>>like tomcat but inherently unsafe for php.
> >>>
> >>>Just my $.02
> >>>
> >>>And to stay on topic - I use apache as I outlined above. In the
rare
> >>>instance
> >>>I need both Tomcat and php support, I either divide the load using
> >>>redirection and forwarding or if I need it all on one server I
> >
> >sacrifice
> >
> >>>Tomcat / apache performance and use 1.3 series.
> >>>
> >>>brad
> >>>
> >>>On Monday 20 December 2004 9:22 pm, Timothy Domst wrote:
> >>>>Have you ever used 2? Does 1 give you any problems?
> >>>>
> >>>>On Dec 20, 2004, at 6:01 PM, Joshua Ronne Altemoos wrote:
> >>>>>I use 1.3 becuase that is the default for slack10 which is on my
> >>>>>server
> >>>>>
> >>>>>
> >>>>>On Mon, 20 Dec 2004 17:35:24 -0500, Timothy Domst
> >>>>>
> >>>>><timothy.domst at verizon.net> wrote:
> >>>>>>I have SuSE 9.1 installed and it has Apache 2 on it, but I
messed
> >
> >up
> >
> >>>>>>the settings or something. I have a book about Apache 1, and I
had
> >
> >it
> >
> >>>>>>working well before when I had 9.0. Should I just install Apache
1
> >>>>>>and
> >>>>>>forget about 2? I would like to know what people with home
servers
> >>>>>>use.
> >>>>>>i
> >>>>>>Someone posted a link to Novell a while ago that got people on a
> >
> >list
> >
> >>>>>>for their Linux Technical Resource Kit. I'd like to thank them
> >>>>>>because
> >>>>>>I got one and it's conveniently got a bootable SuSE 9.1 DVD on
it.
> >>>>>>The
> >>>>>>other stuff is on .iso files, though, and I tried to make
bootable
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>CDs
> >>>>>>out of them but I couldn't. How do I install these files?
> >>>>>
> >>>>>--
> >>>>>Have A Good Day,
> >>>>>Joshua Ronne Altemoos
> >>>>>joshua.altemoos at gmail.com