- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Mon, 06 Sep 2004 17:08:21 +0200
- To: Terje Bless <link@pobox.com>
- Cc: QA Dev <public-qa-dev@w3.org>
* Terje Bless wrote:
>It's a good chance that stuff like auth-proxying only works on Apache, which
>would mean that we're trying to be "generic CGI" but in practice we only work
>on Apache. That would mean we're limiting our options in «check» needlessly.

You can make IIS pass HTTP_AUTHORIZATION to a Perl script just like you can do it with Apache. You can also run ActiveState's ISAPI Perl filter and replace checking %ENV for it with some code specific to that. I did not say it runs out of the box and is feature complete, but it works. I should also note that this feature is uninteresting for local installs.

>Oh, sorry, I'd thought the perceived benefits of mod_perl would be obvious.

There are benefits in using it; whether there are real relevant benefits that justify a dependency on it is a different question. We would already benefit from a number of mod_perl features that do not require writing any mod_perl-specific code.

>Being a persistent environment you'd eliminate a whole mess of per-invocation
>overhead, and you'd have deeper access to the server innards if you need it.
>One example of which — that's related to Apache2, not mod_perl as such — would
>be that we could offload SSI processing to the mod_include output filter
>instead of doing pseudo-SSI internally in our code.

That might be possible; it might also be possible to get rid of that through other means. Though I should note that this could be used in combination with I18N and/or escaping bugs to inject malicious SSI directives that allow reading local files.

>I was looking for a list of linux distributions, commercial UN*X variants,
>etc.; and what versions of these are currently relevant in terms of deployed
>base. The intent being to investigate what minimum versions of various
>dependencies they ship to determine what we can safely require.

I am not convinced that "standard packages" are relevant to our users; it seems perfectly reasonable to me to expect users to install the latest software if they want to use the latest Validator features. I will most certainly not enjoy arguments about our dependencies that include mentioning "standard packages" for some Linux or BSD dists.
Received on Monday, 6 September 2004 15:09:03 UTC
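The SSI concern raised in the message, as an added example that is not part of the original e-mail or of the Validator code base: when generated output passes through an SSI output filter, untrusted values must be escaped before insertion, and a final check can refuse any page that carries more directive openers than the trusted template declares. The template, the sample input, `/footer.html` and the function names `render`, `guard` and `is_blocked` are all assumptions made for illustration.

```python
import html
import re

# Character sequence that opens a directive for an SSI output filter such as mod_include.
SSI_OPENER = re.compile(r"<!--#")

# Trusted template (constructed): one legitimate directive, one untrusted slot.
TEMPLATE = '<h1>Results for {uri}</h1>\n<!--#include virtual="/footer.html" -->\n'

# Constructed untrusted input shaped like an SSI directive.
SAMPLE = '<!--#include virtual="/placeholder" -->'


def render(template: str, **untrusted: str) -> str:
    """Fill the template's slots with HTML-escaped untrusted values."""
    safe = {name: html.escape(value, quote=True) for name, value in untrusted.items()}
    return template.format(**safe)


def guard(template: str, page: str) -> str:
    """Return the page only if it has exactly the directives the template declares."""
    expected = len(SSI_OPENER.findall(template))
    found = len(SSI_OPENER.findall(page))
    if found != expected:
        raise ValueError(f"{found} SSI openers in output, template declares {expected}")
    return page


def is_blocked(template: str, page: str) -> bool:
    """True when the guard refuses the page."""
    try:
        guard(template, page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Escaped path: the directive-shaped input is rendered inert and passes the guard.
    print(is_blocked(TEMPLATE, render(TEMPLATE, uri=SAMPLE)))
    # Escaping bug (value inserted raw): the guard refuses to emit the page.
    print(is_blocked(TEMPLATE, TEMPLATE.format(uri=SAMPLE)))
```

The guard is a backstop for code paths where escaping was skipped or applied at the wrong stage; it does not replace escaping at the point of insertion.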