Hey Pierre, let me massage your ego a bit before I explain why I think the security guys have a problem with this. First off, I appreciate the work you do for the PHP community! I do recognize you as a leading member of the community. Your opinion clearly has a lot of weight when it comes to PHP on windows. I would LOVE to have you speak at our local PHP meetup! So please do not view what I said previously about the Apachelounge binaries as a slight against you or your opinions on the matter. The same goes for William Rowe and his work for Apache. I know you have stated publicly of your support for the apachelounge binaries. Also I am sure all the apachelounge guys do great work and their contributions are appreciated. As much creditability as the two of you have, the fact of the matter is that the two of you aren't an accredited organization. Like I said before, the binaries can't come from some dude's website for web server enthusiasts. Here are some security issues relating to the issue at hand. 1. How can we be sure that apachelounge site and server is completely hardened against attacks. 2. If their server is hacked, how much longer would we go without knowing than if it was apache.org? Also would we even ever find out about such an incident, because if a breach happened with apache.org it would be all over the news. 3. Are all the people's identities that contribute on the site publicly available. Some of the people may be trustworthy, but how can we say that about all the members of apachelounge. 4. If they are doing this as their hobby, what assurances do we have about the speed at which any security issues are resolved. Now I haven't talked with the security guys about exactly what their concerns are, so that list is just me thinking off the top of my head about what I imagine their concerns to be. I trust them to do their job, so when they say using apachelounge is out of the question, then I must explore what our options are. I'm not sure what you meant about Apache not having any official builds. I know their VC6 builds can be found here. http://httpd.apache.org/download.cgi Maybe you meant VC9 builds. Believe you me, I am painfully aware of that. :) Thanks for the info on Zend. Don't worry I won't troll the list with Zend questions. Regards, -L On Wed, Apr 6, 2011 at 4:48 PM, Pierre Joye <pierre.php@xxxxxxxxx> wrote: > On Wed, Apr 6, 2011 at 6:54 PM, Logan L <lists@xxxxxxxxx> wrote: > > It might be ok with the security guys if the builds were released as > > official builds from the ASF courtesy of the apachelounge. > > > > I agree for personal development use, apachelounge might be ok. I have > used > > them for local development in the past and was happy with them. > > I strongly disagree. I will repeat it again: They are production ready > and we do support them. The src are the apache's ones and any bugs are > fixed there, not in some random repository. Apache does support vc9 > from a build point of view, vc10 too. They simply don't give a damned > about windows builds. > > > I think many companies will need some sort of industry support (an > > accredited organization like the ASF) behind the binaries. They can't > come > > from some dude's website for web server enthusiasts. That level of risk > is > > not acceptable. > > Again, Apache does not provide any official builds, they don't plan > (as of today stand) to do so nor to move to anything else that what > they have now. > > If security is the matter, then I wonder (reallly hardly wonder) why > in the world do you rely on VC6 builds until now. That's a mistery to > me. > > > I talked to Zend and their PHP 5.3 versions of Zend Server include a VC9 > > compiled Apache, so that may be the direction we go. We are exploring our > > other options as well. Thanks for all the good info! > > They use VC8 for their builds. not vc9. Anyway, if you use Zend > Server, please ask them for support, we don't support their builds. > > > Cheers, > -- > Pierre > > @pierrejoye | http://blog.thepimp.net | http://www.libgd.org >
