[Mongrel] http parser

Zed Shaw zedshaw at zedshaw.com
Sun Aug 20 18:32:11 EDT 2006

On Sun, 2006-08-20 at 17:04 -0400, Francis Cianfrocca wrote:
> On 8/20/06, Zed Shaw <zedshaw at zedshaw.com> wrote:

While a public forum might not be the place to air my thoughts, since
you replied here, I'll comment here.  Feel free to contact me off list
so we can possibly patch this up.

Let's skip all the technical stuff for now, and focus on this one area:

> >>>For whatever reason I've always thought those guys were a
> little on the shady side.  Not sure why, they just seem desperate for
> cash or something.<<<
> This borders on libel. I challenge you to produce the evidence on the
> basis of which you make these statements. I've been a senior
> technology executive and investor for quite a long time. I don't
> contribute to open-source projects in order to make a living. Are you
> willing to make the same statement in regard to yourself?
> >>>but in the end adding even more compiled code that I'd
> have to distribute that's then tied to a group of developers who're
> obviously trying to make bank off my work isn't going to go over well.<<<
> To my knowledge, no one in my group is trying to induce you to add
> anything, compiled or otherwise, to your code base. Your statement
> sounds like more than just protesting too much: it sounds insecure. I
> can't speak for your motivations, but the rest of us just want to work
> with the best possible technology, and investigate new ideas to see if
> they lead to interesting places.

You know what man, you're right, that was uncalled for.  You aren't
shady (no irony here, I'm seriously apologizing).

But, let's go over what behaviors you're doing that make me think you're
not completely honest in your intentions.  Then you can explain them to
me and we can come to an understanding.

First off, if we're going to throw out legal challenges then let's
compare project names.  You have a very nasty habit of picking project
names that are very similar to names of already established or more
famous projects.  Let's compare:

* Ruby/EventMachine -- http://rubyforge.org/projects/eventmachine/
* Ruby/Event -- http://www.zedshaw.com/projects/ruby_event/

* monorail -- http://rubyforge.org/projects/monorail/
* monorail -- http://www.castleproject.org/index.php/MonoRail
* Which is really similar to "mongrel rails", but let's just say that
wasn't your intention.

Then, you also have a habit of creating these to be similar to existing
ones, pimping them in what seems like an attempt to wipe out the
existing projects:

"Monorail is the lightweight, fast, scalable and SECURE alternative to
Ajax-application frameworks. Its native-HTTP server incorporates SSL and
auth/az services natively. Page development is Rails-like but simpler."

It looks like you're capitalizing on Rails fame and Mongrel fame at the
same time, then telling people that your framework is more SECURE.  Yet,
you have this in your monorail:http.cpp file:

// This processing depends on the fact that the end
// of the data buffer we receive will have a null terminator
// just after the last byte indicated by the length parameter.

Anyone worth his SECURE salt knows that using \0 buffer termination is
*not* secure.

Not to mention this gem of a buffer overflow:

  else if (!strncasecmp (header, "cookie:", 7)) {
    const char *s = header + 7;
    while (*s && ((*s==' ') || (*s=='\t')))
    setenv ("HTTP_COOKIE", s, true);

(HINT: A while loop that waits for a \0 terminator is always wrong.)

Finally, in every communication I've had with you, you've never
contributed anything to Mongrel or any of my work.  You've been very
adamant about me using *your* work, and me *doing the work* to use your
stuff, but you've never contributed.  Mr. snacktime has done more to get
Mongrel working with EventMachine than you have.

In fact, I've contributed more to your software than you have to mine:


Which means, in my *opinion* you take and do not give.  In fact, I wrote


Partially in response to your behavior.  If you remember you e-mailed me
repeatedly asking me to use your Ruby/EventMachine to power Mongrel,
despite my concerns about your licensing, copyright and motivations
(which I told you then).

In summary, the fact that you:

 * Create competitive projects that are closely named to mine.
 * Make false security claims about your work.
 * Imply that your work is more secure than mine (yet without a security
testing policy, unlike Mongrel).
 * Use my advice and work to further your own means without contributing
back in kind.
 * AND accuse me of libel (which only a profit motivated "open source"
person would do).

All point to why I don't much appreciate your behavior and don't think
highly of your true motivations.

Now, I don't know you personally, you may be a great guy for all I know.
But I am basing my *opinion* of your business practices on the above

If there's a misunderstanding in how you behave and act toward me then
feel free to talk to me about it off list.  Until then, I'd appreciate
it if you'd stop naming your projects after mine, stop pimping your
projects on *my* mailing list, and stop accusing me of libel when I have
supporting evidence of my opinion.  You're free to compete with Mongrel,
but don't use my project to further your gains.

Thanks for your time.

Zed A. Shaw
http://www.railsmachine.com/ -- Need Mongrel support?
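
Added example, not part of the original message and not code from monorail or Mongrel: a length-bounded form of the whitespace-skipping step quoted above, where the loop stops at the byte count instead of waiting for a NUL terminator. The function name `cookie_value` and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helper. Extracts the value of a "Cookie:" header line held
 * in hdr[0..len). It never reads hdr[len] or beyond, so the receive buffer
 * does not need to be NUL-terminated.
 * Returns the value length, or -1 if this is not a cookie header, if the
 * value contains an embedded NUL, or if it does not fit in out. */
static int cookie_value(const char *hdr, size_t len, char *out, size_t outsz)
{
    static const char name[] = "cookie:";
    const size_t nlen = sizeof name - 1;
    size_t i = nlen;

    if (len < nlen || strncasecmp(hdr, name, nlen) != 0)
        return -1;

    /* Skip leading blanks; the bound is the length, not a terminator. */
    while (i < len && (hdr[i] == ' ' || hdr[i] == '\t'))
        i++;

    size_t vlen = len - i;
    /* An embedded NUL would silently truncate any later C-string use. */
    if (memchr(hdr + i, '\0', vlen) != NULL)
        return -1;
    if (outsz == 0 || vlen >= outsz)
        return -1;

    memcpy(out, hdr + i, vlen);
    out[vlen] = '\0';   /* terminate our own copy, inside our own buffer */
    return (int)vlen;
}

int main(void)
{
    /* Constructed sample: 12 bytes, deliberately with no trailing NUL. */
    const char raw[12] = {'C','o','o','k','i','e',':',' ','\t','a','=','1'};
    char out[16];
    int n = cookie_value(raw, sizeof raw, out, sizeof out);
    printf("%d %s\n", n, n >= 0 ? out : "(rejected)");
    return 0;
}
```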
