Re: checklink credits from Terje Bless on 2004-01-06 (public-qa-dev@w3.org from January 2004)

From: Terje Bless <link@pobox.com>
Date: Tue, 6 Jan 2004 13:36:59 +0100
To: QA Dev <public-qa-dev@w3.org>
Cc: Ville Skyttä <ville.skytta@iki.fi>, Dominique Hazaël-Massieux <dom@w3.org>
Message-ID: <r02010000-1032-06179C44404511D8ABA70030657B83E8@[193.157.66.23]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dominique Hazaël-Massieux <dom@w3.org> wrote:

>Le mar 06/01/2004 à 01:16, Ville Skyttä a écrit :
>>Note also that since 1.3.$something, Apache needs to be built with
>>-DSECURITY_HOLE_PASS_AUTHORIZATION or checklink will need to be running
>>under mod_perl, otherwise the basic auth forwarding trickery will not
>>work at all.  More info:
>>http://httpd.apache.org/dev/apidoc/
>>apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html I don't know why v.w.o
>>does not seem to be affected, in theory I believe basic auth forwarding
>>for validator and checklink should not work at all there at the moment.
>
>We're using a trick to work around this security setting; it's the same
>trick as the one detailed e.g. in
>http://mail.zope.org/pipermail/zope/2001-April/088252.html

Which is why I'm inclined to ditch this behaviour alltogether, in favour of
requiring Apache+mod_perl for the CGI version. Then again, I don't make use of
the auth-proxy feature so I'm kinda ignoring the issue for now.

A requirement for a recompiled (with insecure settings no less) Apache is not
acceptable; except this is for an add-on feature and not basic functionality.

I know Gerald wanted it to behave this way — I asked once earlier about
ditching this — but I think the main issue is satisfying the underlying needs
(i.e. easy auth for w3.org protected pages) so an alternate approach would
probably do.

Since this is a common need for both the Validator and the Link Checker, and a
well contained piece of code, this might be a perfect opportunity to begin the
modularization and sharing code between the two. W3C::MarkUp::Util::AuthProxy?

Opinions?

- -- 
These are the same customers you are referring to whom Microsoft thought
would need MS Bob and the Talking Paperclip?   One thing is to give them
enough rope to hang themselves,  but a boobytrapped thermonuclear weapon
running on a rand(time) countdown... Is that really wise? - Me to MS rep.

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.0.3

iQA/AwUBP/qr6qPyPrIkdfXsEQKUHQCdFCTcLDUlaa+qed0siAiHJieQO9cAn1d+
lRCihfvMrmrVA2AA6HJb3ppu
=jmhA
-----END PGP SIGNATURE-----

Received on Tuesday, 6 January 2004 07:37:21 UTC