mark :: blog :: apacheweek
We've not really given Apache Week any priority in the last few months -- in fact we've not posted a new issue since October 2004. So I'm glad we didn't rename it Apache Month. Time to register apachewhenthereissomethinginteresting.com.
Anyway, the most useful thing that I've kept up to date in Apache Week is the database of vulnerabilities that affect the Apache Web server v1.3 and v2.0. This list was even being linked to directly by httpd.apache.org so I made good on a promise I made a year ago and moved the database to the official site. Apache Week uses XSLT for transforming the database, but the Apache site used Velocity for page markup, but no one seemed to mind me adding ant-trax.jar to the site so the database gets converted from XSLT to the page format that gets marked up by Velocity. The end result is a couple of nice HTML pages on the official Apache site that list all the vulnerabilities and are easy for us to keep up to date.
As I was committing the template for this week's issue of Apache Week I noticed that it has now been exactly eight years since I wrote the first issue. Back then Apache wasn't so popular and the documentation was lacking. Apache Week was designed specifically to give administrators the confidence to try the Apache web server on their machines without having to parse the hundreds of messages each week on the developer mailing list. That first issue was written over a 64k ISDN dial-up line from a computer perched on a stark IKEA tabletop. Friday afternoons were spent writing up what had happened during the week. Not much has changed. Actually, I think that IKEA tabletop is still sitting in storage somewhere at Red Hat in Guildford. I wish I'd kept hold of it, it would have been useful for my girlfriend's son's train layout.
Over the years there have been many times when we've thought about stopping production, usually when a competitor announced some other Apache magazine that we thought would do a better job than we do. But most of them gave up. They probably realised that there wasn't any money to be made from an Apache httpd journal.
UK Web became C2Net which became Red Hat, and Apache Week is still going strong. We'll have to think of something exciting to do for our tenth birthday.
Two hours searching the web trying to find a S/KEY OTP or OPIE generator for my new Pocket PC. Another hour trying to get a Java environment running on it and failing to remember how to write Java that doesn't run inside of Applets. Annoyed and frustrated I found the C source to OPIE, grabbed the VC++4.0 embedded studio from Microsoft and within an hour had knocked together a hacky app. It's not pretty (I thought I'd banished such things as CStrings and LPCSTR pointers to the back of my memory) but it works.
I wrote some stuff for Apache Week about the new Apache Planet aggregator, and Joe wrote up the Bugtraq won't-die thread about leaking fds.
Had an interesting week wading through vulnerability details and the various advisories which never really seem to match the facts. Take one Linux vendor for example who got confused about the Oracle mod_dav vulnerability and, even though they were not affected by the vulnerability, released new Apache mod_dav packages. To add to the confusion their newly released errata packages had actually added a patch which added in the vulnerability. So they started out not vulnerable, but then released a patch which was meant to remove the vulnerability but actually really made them vulnerable. No wonder folks are confused. Wrote a bit of a rant about it in Apache Week this week.
Ploughed through the cvs commits and created a plausible Announcement file for Apache 1.3.22. Held off releasing Apache Week until the mirrors caught up, but /. found the tarballs so released it a little early. Took some time to write some scripts to tidy up the past 265 issues for bad tags, all modules and directives are marked as such.
CVE: Worked with the Mitre guys so that the Apache vulnerabilities in 1.3.20 get described correctly, all went rather smoothly.
Spent half a day debugging XSL stylesheets that worked fine with libxml/libxslt but didn't work at all in Microsoft IE. Turns out we had some errors in the XSL that libxslt didn't care about. The outcome is if you're using IE6 try this link: http://www.apacheweek.com/issues/01-08-31.xml It really will load the XML for the issue, load the stylesheets and the navigation bar, then parse them to create the HTML output. Do "view source" if you don't believe me!
Now that my builder has run CAT-5 through my new house (yeah, I have wireless but I want to run secure links and s-video over CAT-5) I wish I'd got them to run all the lighting cables separately too so I could X10 them without having to have the horrible UK X10 replacement lightswitches.
Spent a very very large number of hours converting the old Apache Week site to completely use XML throughout. This meant going through 257 back issues that had been written with poor HTML (missing closing tags, no paragraph opens and closes). Fortunately the w3c HTML-tidy and some perl did 90% of the work, leaving just 12 hours of manual labour. If you visit the site you can get the XML and XSLT source if you try hard enough :)
Another week, mostly spent trying to find somewhere to live in Glasgow. I've found my ideal house, it looks rather like the Stronghold castle logo which is slightly worrying. More fun creating various XSLT files to convert Apache Week bits and bobs into the right formats; the current issue is all XML built now, as anyone who received the text version full of &#A0; codes instead of spaces will attest.
Larry Wall last week was commenting on debuggers and said "I don't use them; I'm more of an insert-print-statements guy". Now I have an excuse :)
Back from OSCON to a jetlag and a heatwave. Looks like I could have got my sunburn/tan here instead of flying 11 hours with a broken seat-back TV and a pounding headache. Anyway I put up a few photos of interest from the conference. Read what we thought of the tutorials until the end of this week when we've finished writing up what we thought of the main sessions. Joe and I combined a talk on XSLT and a talk on Extreme Programming and spent a few hours in the hotel converting the Apache Week markup language (which was rather like Ventura Publisher markup) to XML, pair programming, XP-style. It was either that or watch ABC and play the internet enhanced-TV version of "Who wants to be a millionaire?"
It's exactly a year ago that I got to visit Monterey California to report on the 4th O'Reilly Open Source software convention (Apache Week issue #208). When I managed to get invited back to San Diego for this week I thought I'd been given the ideal assignment; getting to fly to California in July, avoiding the British rain, and spending a week right on the West Coast with nearly 2000 other open source advocates. So with only one direct flight a day from England I was unsurprised to find a large number of delegates on the plane; wearing Penguin badges and snapping pictures of the clear views over Greenland with a variety of digital cameras.
San Diego has great weather, and it's easy to forget that coming from England, so I managed to get sunburnt. If you're at the conference this week look out for the pasty English guys with sunburn. Wireless LANs are great; I'm currently typing this listening to Brian Behlendorf talking about Apache to a group of people including Larry Wall, sitting just in front of me.
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.