
Re: re:ncsa security problems



/*
 * "re:ncsa security problems" by spowers@shire.ncsa.uiuc.edu (Scott Powers)
 *    written Thu, 13 Apr 1995 12:45:18 -0500 (CDT)
 * 
 * Have _you_ looked at the cern code? For one, it is huge. For two,
 * it is spaghetti. It is very difficult code to read which is for the
 * most part completely undocumented. Kudos to whomever does check it
 * out _and_ can stand by his/her word that it is completely safe.
[...]
 * NCSA's httpd is the leader in problems because it is more widely
 * used.
 */

Have _you_ looked at the NCSA httpd code? It was so bad by last March
that even _I_ didn't understand a lot of it anymore, and I wrote all
of it. And the CERN server is pristine in documentation compared to my
code. There are about four comments in all of NCSA httpd 1.3, and they
mostly have to do with people owing me beer or about how much some
version of UNIX sucks. I won't argue that the CERN server isn't too
big, nor will I argue that it's easy to understand, but time has shown
that it is the more stable code base of the two.

NCSA's httpd is the leader in problems because it was developed under
heavy pressure by somebody who didn't expect it to get as big as it
did, and because that somebody made some really poor design
decisions. The only way its widespread use had anything to do with it
is that I spent most of my time at NCSA not developing, but answering
the > 100 e-mails I got daily from people setting up servers.

I'm glad to see the Apache group picking up the torch, and I hope that
between NCSA's work and theirs the NCSA httpd code base will become a
little more robust.

And hopefully with these latest holes, the NCSA server team will put a
little more thought and a LOT more testing into the security
problems in that code, and won't just throw some patch over the wall
claiming their servers are now "safe".

--Rob

