- From: Terje Bless <link@pobox.com>
- Date: Tue, 6 Jan 2004 13:36:59 +0100
- To: QA Dev <public-qa-dev@w3.org>
- Cc: Ville Skyttä <ville.skytta@iki.fi>, Dominique Hazaël-Massieux <dom@w3.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dominique Hazaël-Massieux <dom@w3.org> wrote: >Le mar 06/01/2004 à 01:16, Ville Skyttä a écrit : >>Note also that since 1.3.$something, Apache needs to be built with >>-DSECURITY_HOLE_PASS_AUTHORIZATION or checklink will need to be running >>under mod_perl, otherwise the basic auth forwarding trickery will not >>work at all. More info: >>http://httpd.apache.org/dev/apidoc/ >>apidoc_SECURITY_HOLE_PASS_AUTHORIZATION.html I don't know why v.w.o >>does not seem to be affected, in theory I believe basic auth forwarding >>for validator and checklink should not work at all there at the moment. > >We're using a trick to work around this security setting; it's the same >trick as the one detailed e.g. in >http://mail.zope.org/pipermail/zope/2001-April/088252.html Which is why I'm inclined to ditch this behaviour alltogether, in favour of requiring Apache+mod_perl for the CGI version. Then again, I don't make use of the auth-proxy feature so I'm kinda ignoring the issue for now. A requirement for a recompiled (with insecure settings no less) Apache is not acceptable; except this is for an add-on feature and not basic functionality. I know Gerald wanted it to behave this way — I asked once earlier about ditching this — but I think the main issue is satisfying the underlying needs (i.e. easy auth for w3.org protected pages) so an alternate approach would probably do. Since this is a common need for both the Validator and the Link Checker, and a well contained piece of code, this might be a perfect opportunity to begin the modularization and sharing code between the two. W3C::MarkUp::Util::AuthProxy? Opinions? - -- These are the same customers you are referring to whom Microsoft thought would need MS Bob and the Talking Paperclip? One thing is to give them enough rope to hang themselves, but a boobytrapped thermonuclear weapon running on a rand(time) countdown... Is that really wise? - Me to MS rep. -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.0.3 iQA/AwUBP/qr6qPyPrIkdfXsEQKUHQCdFCTcLDUlaa+qed0siAiHJieQO9cAn1d+ lRCihfvMrmrVA2AA6HJb3ppu =jmhA -----END PGP SIGNATURE-----
Received on Tuesday, 6 January 2004 07:37:21 UTC