| APACHE 2.5 STATUS: -*-text-*- |
| Last modified at [$Date$] |
| |
| The current version of this file can be found at: |
| |
| * http://svn.apache.org/repos/asf/httpd/httpd/trunk/STATUS |
| |
| Documentation status is maintained separately and can be found at: |
| |
| * docs/STATUS in this source tree, or |
| * http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/STATUS |
| |
| Consult the following STATUS files for information on related projects: |
| |
| * http://svn.apache.org/repos/asf/apr/apr/trunk/STATUS |
| |
| Patches considered for backport are noted in their branches' STATUS: |
| |
| * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS |
| * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS |
| * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/STATUS |
| |
| |
| Release history: |
| [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, |
| while x.{even}.z versions are Stable/GA releases.] |
| |
| 2.5.1 : In development |
| 2.5.0 : Tagged on November 8, 2017. Not released. |
| |
| Contributors looking for a mission: |
| |
| * Just do an egrep on "TODO" or "XXX" in the source. |
| |
| * Review the bug database at: http://issues.apache.org/bugzilla/ |
| |
| * Review the "PatchAvailable" bugs in the bug database: |
| |
| https://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable |
| |
| After testing, you can append a comment saying "Reviewed and tested". |
| |
| * Open bugs in the bug database. |
| |
| * See also the STATUS file in the docs/ directory, which lists documentation-specific TODO items. |
| |
| |
| CURRENT RELEASE NOTES: |
| |
| |
| RELEASE SHOWSTOPPERS: |
| |
| |
| CURRENT VOTES: |
| |
| |
| THINGS THAT SHOULD BE CONSIDERED EARLY IN THE 2.6/3.0 DEVELOPMENT CYCLE: |
| |
| * Remove directives whose purpose was to preserve existing buggy behaviour |
| in v2.4.x. |
| |
| * Re-align structures to be memory efficient. Move bit fields to the |
| top of structures so that they can be extended without adding a |
| memory overhead. |
| |
| * Seriously ramp up/replace test framework and cases to have better |
| coverage of existing special cases and behaviours users rely on. |
| |
| * Add performance testing to the test framework. |
| |
| * Competely untangle core filesystem behavior where a filesystem htdocs/ |
| resource wasn't indicated by the request URI. |
| |
| * Refactor r->uri into a %escaped raw form presented by the client, and |
| a distinct decoded field used only for local filesystem access. |
| |
| * Change default prefix from /usr/local/apache2 to something corresponding |
| to the project name. Rename apachectl to httpdctl. |
| |
| * Change merge order of <Location> to be most specific match last. This |
| is more consistent with <Directory> and allows some optimizations for the |
| location merge code. |
| |
| * Detect Lua 5.2.0 during configure and add LUA_COMPAT_ALL to CPPFLAGS. |
| Maybe it even suffices to add LUA_COMPAT_MODULE and individually |
| care about the two remaining incompatible code lines (one with lua_strlen, |
| one with lua_objlen). |
| |
| * Event's timeout_mutex to enter keepalive state probably needs some |
| analysis/attention. |
| |
| * Better H2 integration? |
| - adding handling of slave connections to mpm, no extra H2 workers, |
| triggering "events" read/write/timer from main/slave |
| - add slave writes/done/abort to events that wake up master connection |
| - disentangle core filters to server one purpose only, so that H2 |
| versions can reuse them properly. |
| |
| * Remove mod_access_compat? |
| |
| * Ditch platforms/89/old prereqs or anything else? |
| |
| * Leverage libmill? Drop serf? |
| |
| * Better abstraction of slave connections and "requests". |
| - add abstraction for "response" as something that can be passed |
| through filters. To be serialized into the correct HTTP bytes on |
| the main connection. |
| - solve multi-threaded access to master connection props/module conf |
| (e.g. ssl vars) |
| |
| * make mod_ssl more "core"? |
| |
| * add high-level server configuration directives that can steer/influence |
| module defaults/warn/rejects related to security |
| |
| * Ditch HTTP/0.9? At least, make HttpProtocolOptions Require1.0 the default. |
| |
| * Restructure merge fn table/indexes to ignore modules with no directives, |
| and permit modules with dozens upon dozens of merge values to split these |
| into multiple functional config groups to avoid excessive merging. |
| Retitle from 'per-dir' to 'per-location' to better reflect the always-run |
| sections (location, ifexpr etc), while we phase out the file-oriented |
| bias from httpd. |
| |
| * New versioning or release cadence. |
| |
| * Ditch old APIs when we have the chance with 3.x. Consolidate current |
| functionality into APIs with stronger guarantees. (Specific examples TBD.) |
| |
| * Remove as many undesirable-but-kept-for-backwards-compatibility behaviors |
| as possible from current config directives. (Specific examples TBD.) |
| |
| * True event-loop/asynchronous support in the server core. |
| |
| * Modify configuration syntax to separate meta-directives from runtime |
| directives (e.g. If vs. IfVersion). Allow as much static analysis of the |
| configuration as possible without needing to start the server to figure out |
| what's going on. |
| |
| * Support JSON-like configuration files |
| |
| * Support YAML based configuration files (JSON does not support comments) |
| |
| * Opaque data structures w/ getters/setters |
| |
| * Generic interface to enable runtime changes (adjusting log level, modifying |
| balancer information, toggling flags on/off). Perhaps modules can register |
| callbacks for making these changes? |
| |
| * REST-based administration for existing (balancer/etc) and new dynamic |
| runtime changes (see above) |
| |
| * Improve the look of generated pages (status, load-balancer...) with dynamic |
| update of the values. Generate HTML5 pages, instead of 3.2, Get rid of XHTML |
| in the generated pages. |
| |
| * Add performance monitoring of the server, of each module (?), in order to help |
| understanding what worth looking at in order to improve overall performance. |
| (https://cdn.wp.nginx.com/wp-content/uploads/2016/12/Amplify-Dashboards-page-base-for-filters.png) |
| |
| * Drop CGI-1.1-incompatible behaviors kept for compatibility reasons with |
| "broken" server implementations (PR 51517). (Note that many of them are |
| "broken" *because* of our behaviors.) |
| |
| * Add a "normalized" list of headers for a HTTP response, rather then relying |
| on r->headers_out and r->err_headers_out, since mod_headers' behavior is |
| not really user friendly in some scenarios (example in PR 62380). |
| |
| |
| OLD ISSUES THAT WERE THOUGHT TO BE SHOWSTOPPERS FOR 2.4 BUT OBVIOUSLY WEREN'T: |
| |
| * Handling of non-trailing / config by non-default handler is broken |
| http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105451701628081&w=2 |
| jerenkrantz asks: Why should this block a release? |
| wsanchez agrees: this may be a change in behavior, but isn't |
| clearly wrong, and even if so, it doesn't seem like a |
| showstopper. |
| |
| * the edge connection filter cannot be removed |
| http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105366252619530&w=2 |
| http://mail-archives.apache.org/mod_mbox/httpd-dev/200501.mbox/%3C41E30B42.4060202@stason.org%3E |
| jerenkrantz asks: Why should this block a release? |
| stas replies: because it requires a rewrite of the filters stack |
| implementation (you have suggested that) and once 2.2 is |
| released you can't do that anymore. |
| pgollucci: this affects mod_perl I'm pretty sure. |
| |
| |
| RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP: |
| |
| * Clean up all the kruft and *extremely* outdated stuff below... |
| |
| * Maybe remove Limit/LimitExcept or at least make it log warnings when |
| mis-used. |
| |
| * Patches submitted to the bug database: |
| http://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable |
| |
| * Filter stacks and subrequests, redirects and fast redirects. |
| There's at least one PR that suffers from the current unclean behaviour |
| (which lets the server send garbage): PR 17629 |
| nd says: Every subrequest should get its own filter stack with the |
| subreq_core filter as bottom-most. That filter does two things: |
| - swallow EOS buckets |
| - redirect the data stream to the upper request's (rr->main) |
| filter chain directly after the subrequest's starting |
| point. |
| Once we have a clean solution, we can try to optimize |
| it, so that the server won't be slow down too much. |
| |
| * pipes deadlock on all platforms with limited pipe buffers (e.g. both |
| Linux and Win32, as opposed to only Win32 on 1.3). The right solution |
| is either GStein's proposal for a "CGI Brigade", or OtherBill's proposal |
| for "Poll Buckets" for "Polling Filter Chains". Or maybe both :-) |
| |
| * All handlers should always send content down even if r->header_only |
| is set. If not, it means that the HEAD requests don't generate the |
| same headers as a GET which is wrong. |
| |
| * exec cmd and suexec arg-passing enhancements |
| Status: Patches proposed |
| Message-ID: <20020526041748.A29148@prodigy.Redbrick.DCU.IE> |
| (see the "proc.patch" and "suexec-shell.patch" links in this message) |
| |
| * The 2.0.36 worker MPM graceless shutdown changes work but are |
| a bit clunky on some platforms; eg, on Linux, the loop to |
| join each worker thread seems to hang, and the parent ends up |
| killing off the child with SIGKILL. But at least it shuts down. |
| |
| chrisd: Has this been fixed by the changes for PR 38737? |
| |
| * We do not properly substitute the prefix-variables in the configuration |
| scripts or generated-configs. (i.e. if sysconfdir is etc, |
| httpd-std.conf points to conf.) |
| |
| * If any request gets through ap_process_request_internal() and is |
| scheduled to be served by the core handler, without a flag that this |
| r->filename was tested by dir/file_walk, we need to 500 at the very |
| end of the ap_process_request_internal() processing so sub_req-esters |
| know this request cannot be run. This provides authors of older |
| modules better compatibility, while still improving the security and |
| robustness of 2.0. |
| |
| Status: still need to decide where this goes, OtherBill comments... |
| Message-ID: <065701c14526$495203b0$96c0b0d0@roweclan.net> |
| [Deleted comments regarding the ap_run_handler phase, as irrelevant |
| as BillS points out that "common case will be caught in |
| default_handler already (with the r->finfo.filetype == 0 check)" |
| and the issue is detecting this -before- we try to run the req.] |
| |
| gregames says: can this happen somehow without a broken module |
| being involved? If not, why waste cycles trying to defend against |
| potential broken modules? It seems futile. |
| wrowe counters: no, it shouldn't happen unless the module is broken. |
| But the right answer is to fail the request up-front in dir/file |
| walk if the path was entirely invalid; and we can't do that either |
| UNTIL 2.1 or we break modules that haven't hooked map_to_storage. |
| |
| * Can a static httpd be built reliably? |
| Message-ID: <20020207142751.T31582@clove.org> |
| |
| * Usage of APR_BRIGADE_NORMALIZE in core_input_filter should be |
| removed if possible. |
| Message-ID: |
| <Pine.LNX.4.33.0201202232430.318-100000@deepthought.cs.virginia.edu> |
| Jeff wonders if we still care about this. It is no longer an |
| API issue but simply an extra trip through the brigade. |
| |
| * Try to get libtool inter-library dependency code working on AIX. |
| Message-ID: <cm3n10lx555.fsf@rdu163-40-092.nc.rr.com> |
| |
| Justin says: If we get it working on AIX, we can enable this |
| on all platforms and clean up our build system somewhat. |
| Jeff says: I thought I tested a patch for you sometime in |
| January that you were going to commit within a few days. |
| |
| * Handling of %2f in URIs. Currently both 1.3 and 2.0 |
| completely disallow %2f in the request URI path (see |
| ap_unescape_url() in util.c). It's permitted and passed |
| through in the query string, however. Roy says the |
| original reason for disallowing it, from five years ago, |
| was to protect CGI scripts that applied PATH_INFO to |
| a filesystem location and which might be tricked by |
| ..%2f..%2f(...). We *should* allow path-info of the |
| form 'http://foo.com/index.cgi/path/to/path%2finfo'. |
| Since we've revamped a lot of our processing of path |
| segments, it would be nice to allow this, or at least |
| allow it conditionally with a directive. |
| |
| OtherBill adds that %2f as the SECOND character of a multibyte |
| sequence causes the request to fail! This happens notably in |
| the ja-jis encoding. |
| |
| * There is increasing demand from module writers for an API |
| that will allow them to control the server à la apachectl. |
| Reasons include sole-function servers that need to die if |
| an external dependency (e.g., a database) fails, et cetera. |
| Perhaps something in the (ever more abused) scoreboard? |
| |
| On the other hand, we already have a pipe that goes between parent |
| and child for graceful shutdown events, along with an API that |
| can be used to send a message down that pipe. In threaded MPMs, |
| it is easy enough to make that one pipe be used for graceful |
| and graceless events, and it is also easy to open that pipe |
| to both parent and child for writing. Then we just need to |
| figure out how to do graceless on non-threaded MPMs. |
| |
| * Allow the DocumentRoot directive within <Location > scopes? This |
| allows the beloved (crusty) Alias /foo/ /somepath/foo/ followed |
| by a <Directory /somepath/foo> to become simply |
| <Location /foo/> DocumentRoot /somefile/foo (IMHO a bit more legible |
| and in-your-face.) DocumentRoot unset would be accepted [and would |
| not permit content to be served, only virtual resources such as |
| server-info or server-status. |
| This proposed change would _not_ deprecate Alias. |
| striker: See the thread starting with Message-ID: |
| JLEGKKNELMHCJPNMOKHOGEEJFBAA.striker@apache.org. |
| |
| * Win32: Rotatelogs sometimes is not terminated when Apache |
| goes down hard. FirstBill was looking at possibly tracking the |
| child's-child processes in the parent process. |
| stoddard: Shared scoreboard might offer a good way for the parent |
| to keep track of 'other child' processes and whack them if the child |
| goes down. |
| Other thoughts on walking the process chain using the NT kernel |
| have also been proposed on APR. |
| |
| * Eliminate unnecessary creation of pipes in mod_cgid |
| |
| * Combine log_child and piped_log_spawn. Clean up http_log.c. |
| Common logging API. |
| |
| * Platforms that do not support fork (primarily Win32 and AS/400) |
| Architect start-up code that avoids initializing all the modules |
| in the parent process on platforms that do not support fork. |
| |
| * There are still a number of places in the code where we are |
| losing error status (i.e. throwing away the error returned by a |
| system call and replacing it with a generic error code) |
| |
| * Mass vhosting version of suEXEC. |
| |
| * All DBMs suffer from confusion in support/dbmmanage (perl script) since |
| the dbmmanage employs the first-matched dbm format. This is not |
| necessarily the library that Apache was built with. Aught to |
| rewrite dbmmanage upon installation to bin/ with the proper library |
| for predictable mod_auth_dbm administration. |
| Questions; htdbm exists, time to kill dbmmanage, or does it remain |
| useful as a perl dbm management example? If we keep it, |
| do we address the issue above? |
| |
| * Integrate mod_dav. |
| Some additional items remaining: |
| - case_preserved_filename stuff |
| (use the new canonical name stuff?) |
| - find a new home for ap_text(_header) |
| - is it possible to remove the DAV: namespace stuff from util_xml? |
| |
| * ap_core_translate() and its use by mod_mmap_static and mod_file_cache |
| are a bit wonky. The function should probably be exposed as a utility |
| function (such as ap_translate_url2fs() or ap_validate_fs_url() or |
| something). Another approach would be a new hook phase after |
| "translate" which would allow the module to munge what the |
| translation has decided to do. |
| Status: Greg +1 (volunteers) |
| |
| * Explore use of a post-config hook for the code in http_main.c which |
| calls ap_fixup_virutal_hosts(), ap_fini_vhost_config(), and |
| ap_sort_hooks() [to reduce the logic in main()] |
| |
| * read the config tree just once, and process N times (as necessary) |
| |
| * (possibly) use UUIDs in mod_unique_id and/or mod_usertrack |
| |
| * (possibly) port the bug fix for PR 6942 (segv when LoadModule is put |
| into a VirtualHost container) to 2.0. |
| |
| * shift stuff to mod_core.h |
| |
| * callers of ap_run_create_request() should check the return value |
| for failure (Doug volunteers) |
| |
| * Fix the worker MPM to use POD to kill child processes instead |
| of ap_os_killpg, regardless of how they should die. |
| |
| chrisd: Is this done, by any chance? See r92598 and r93358. |
| |
| * Scoreboard structures could be changed in the future such that |
| proper alignment is not maintained, leading to segfaults on |
| some systems. Cliff posted a patch to deal with this issue but |
| later recanted. See this message to dev@apr.apache.org: |
| Message-ID: |
| <Pine.LNX.4.44.0203011354090.16457-200000@deepthought.cs.virginia.edu> |
| |
| * APXS either needs to be fixed completely for use when apr is out of tree, |
| or it should drop query mode altogether, and we just grow an |
| httpd-config or similar arrangement. |
| To quote a discussion in STATUS earlier: |
| |
| thommay: this doesn't fix all the problems with apxs and out of |
| tree apr/apr-util, but it's a good start. There's still the |
| query cases; but I'm beginning to think that in these cases |
| the app should be querying ap{r,u}-config directly |
| deprecate -q: add htpd-config: gstein, pquerna, minfrin, pgollucci |
| other: |
| |
| TODO ISSUES REMAINING IN MOD_SSL: |
| |
| * SSLRequire directive (parsing of) leaks memory |
| |
| * ssl_var_lookup could be rewritten to be MUCH faster |
| |
| WISH LIST |
| * mod_proxy: Ability to run SSL over proxy gateway connections, |
| encrypting (or reencrypting) at the proxy. |
| |
| * mod_cache: Handle ESI tags. |
| |
| * mod_cache: Resolve issue of how to cache page fragments (or perhaps |
| -if- we want to cache page fragments). Today, mod_cache/mod_mem_cache |
| will cache #include 'virtual' requests (but not #include 'file' |
| requests). This was accomplished by making CACHE_IN a |
| CONTENT_SET-1 filter to force it to run before the SUBREQ_CORE |
| filter. But now responses cannot be cached that include the |
| effects of having been run through CONTENT_SET filters |
| (mod_deflate, mod_expires, etc). We could rerun all the |
| CONTENT_SET filters on the cached response, but this will not |
| work in all cases. For example, mod_expires relies on installing |
| the EXPIRATION filter during fixups. Contents served out of |
| mod_cache (out of the quick_handler) bypass -all- the request |
| line server hooks (Ryan really hated this. It is great for |
| performance, but bad because of the complications listed above). |
| |
| mod_cache/mod_mem_cache/mod_cache_disk: |
| |
| * mod_mem_cache: Consider adding a RevalidateTimeout directive to |
| specify time at which local cached content is to be revalidated |
| (ie, underlying file stat'ed to see if it has changed). |
| |
| * mod_mem_cache/mod_cache_disk: Need to be able to query cache |
| status (num of entries, cache object properties, etc.). |
| mod_status could be extended to query optional hooks defined |
| by modules for the purpose of reporting module status. |
| mod_cache (et. al.) could define optional hooks that are called |
| to collect status. Status should be queryable by |
| HTTP or SNMP? |
| jerenkrantz says: Yawn. Who cares. |
| |
| * Regex containers don't work in an intuitive way |
| Status: No one has come up with an efficient way to fix this |
| behavior. Dean has suggested getting rid of regex containers |
| completely. |
| OtherBill suggests: We at least seem to agree on eliminating |
| the <Container ~ foo> forms, and using only |
| <ContainerMatch foo> semantics. |
| |
| * orig_ct in the byterange/multipart handling may not be |
| needed. Apache 1.3 just never stashed "multipart" into |
| r->content_type. We should probably follow suit since the |
| byterange stuff doesn't want the rest of the code to see the |
| multipart content-type; the other code should still think it is |
| dealing with the <orig_ct> stuff. |
| Status: Greg volunteers to investigate (esp. since he was most |
| likely the one to break it :-) |
| |
| EXPERIMENTAL MODULES: |
| |
| Experimental modules should eventually be be promoted to fully supported |
| status or removed from the repository entirely (ie, the |
| 'experiment' failed). This section tracks what needs to happen to |
| get the modules promoted to fully supported status. |
| |