Ryan Bloom announced on Tuesday that he was taking an indefinite
break from Apache HTTP server development. Ryan had a defining role
in the creation of Apache 2.0 with his work on the APR portability
library, and has continued to be involved in 2.0 development
throughout its history.
In his parting message, Ryan mentioned that he had been working on
TLS upgrade support for Apache 2.0, a long sought-after feature for
SSL servers. The TLS upgrade protocol (as specified in RFC 2817) allows a client to begin an HTTP session on a plain HTTP
port, and then upgrade to SSL on the same connection. This technique
solves several problems, notably that SSL virtual hosting can be done
based on hostname rather than IP address, since the HTTP request will
include a Host header which can be interpreted by the
server before the SSL negotiation takes place. However, there is no
support for RFC 2817 in deployed web browsers and servers, and some
experts have stated that the current protocol is "pretty
badly broken".
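
The RFC 2817 exchange described above, as an added Python example (not Apache code and not part of the original article): the server picks a certificate from the cleartext Host header before any TLS negotiation, and the client proceeds only on an explicit 101 reply. The host names, certificate paths and function names are constructed for illustration.

```python
# Constructed hostname -> certificate mapping (hypothetical hosts and paths).
VHOST_CERTS = {"shop.example.com": "certs/shop.pem",
               "mail.example.com": "certs/mail.pem"}

def parse_head(raw):
    """Split an HTTP message head into (start_line, lowercase-keyed headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def tokens(value):
    """Comma-separated header value -> list of lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def asks_or_grants_tls(headers):
    """Both sides signal the switch with Upgrade: TLS/1.0 and Connection: Upgrade."""
    return ("tls/1.0" in tokens(headers.get("upgrade", ""))
            and "upgrade" in tokens(headers.get("connection", "")))

def client_request(host):
    """Cleartext request on the plain HTTP port asking to switch to TLS."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n").encode("ascii")

def server_respond(raw):
    """Return (response_bytes, cert_path or None) for one cleartext request."""
    _, headers = parse_head(raw)
    if not asks_or_grants_tls(headers):
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", None
    # The Host header is readable here, before any TLS handshake, so the
    # certificate can be chosen by name rather than by IP address.
    host = headers.get("host", "").lower().split(":")[0]  # drop an optional port
    cert = VHOST_CERTS.get(host)
    if cert is None:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n", None
    return (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n", cert)

def client_may_start_tls(raw):
    """Fail closed: begin the TLS handshake only on an explicit 101 for TLS/1.0."""
    start, headers = parse_head(raw)
    parts = start.split(" ", 2)
    return len(parts) >= 2 and parts[1] == "101" and asks_or_grants_tls(headers)
```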
A topic producing a large volume of mail over the last week was a proposal
to create new branches for continued development of Apache 2.0. The
proposal involves maintenance of two separate branches in CVS:
a "development" tree and a "stable" tree, in a manner similar to the Linux
kernel. Major new features would only be added to the "development"
tree; the "stable" tree would accept only backwards-compatible bug and
security fixes.
The manager's terminal in a network of web-enabled smart terminals
running Linux has
an embedded Apache web server.
The terminals are being installed in all of the Burger King restaurants
in Puerto Rico.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Apache: More than a Web server"
reveals other interesting projects under the Apache Software
Foundation umbrella. The author uses Apache projects such as PHP,
Tomcat, Xerces, Xalan, Cocoon, James, JetSpeed, Xindice, and Axis
because they are free, have decent documentation, and are stable
enough for a production environment.
The recent vulnerabilities uncovered in the Apache web server and
OpenSSL toolkit led eWeek to evaluate the security of open source
software in
"Open Source: A False Sense of Security?".
Among the various parties cited, who have experience in both open
source and proprietary software, the consensus seems to be that
open source software is not automatically more secure, but that
the open source development model generally
enables flaws to be fixed more quickly,
thus allowing greater security.
A technical report entitled
"Two Case Studies of Open Source Software Development: Apache and Mozilla" can now be downloaded in PDF format.
It examines the claims that open source software development
methods are comparable to, if not in some cases better than,
traditional commercial development methods. It forms several hypotheses by
analysing data from the Apache and Mozilla projects, and concludes
with the expectation that a hybrid process will be adopted in
the future.