Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1996/06/13 15:37:27 UTC

Re: apache-demo and mod_auth_msql.c

> > Brian Behlendorf liltingly intones:
> > > 
> > > I have a question for the group.  This module is mostly the work of Dirk,
> > > with comments from Vivek and of course input from the rest of us.  But to
> > > be honest, most of us do not have the capability to test this ourselves,
> > > since most of us don't have MSQL running ourselves.  I think I remember
> > > Randy and Chuck mentioning they were using this, but I could be wrong. 
> > > So, in that situation, where the usual 3 +1 votes are needed to commit
> > > large changes, and our usual policy of only putting stuff in the
> > > distribution which we are willing to risk CERT warnings over, are we
> > > comfortable with the situation of a module with one developer and a small
> > > userbase?  In this situation I am, based upon personal knowledge of Dirk
> > > and his technical capabilities, but just to keep everyone on the same
> > > page I ask if this is an okay situation. 
> > > 
> > Clarification: I'm not using this, so I'm a +0 here. That also means I'm
> > not against mod_auth_msql, and am willing to risk having to take 3-5% of
> > the heat from a possible CERT advisory, given your endorsement of Dirk.
> 
> Given that all these modules are potential security holes, I still am surprised
> to see *all* of them (apart from mod_auth.c) anywhere near the core releases.
> 
> How about having a separate directory with the access modules?
> 
> Dw.

I agree. 1.2?