[Mongrel] http parser

Francis Cianfrocca garbagecat10 at gmail.com
Sun Aug 20 19:49:30 EDT 2006


On 8/20/06, Zed Shaw <zedshaw at zedshaw.com> wrote:
>
> First off, if we're going to throw out legal challenges then let's
> compare project names.  You have a very nasty habit of picking project
> names that are very similar to names of already established or more
> famous projects.  Let's compare:
>
> * Ruby/EventMachine -- http://rubyforge.org/projects/eventmachine/
> * Ruby/Event -- http://www.zedshaw.com/projects/ruby_event/


I picked the name for EventMachine before I was aware of yours. I used the
word "Ruby" in my title because EM doesn't work only with Ruby, and that was
intended to indicate a version that had Ruby bindings. As far as "Event" is
concerned, there are plenty of projects with that word in their titles
(libevent for one), that have primacy over yours. But no one is trying to
make money off this, so where's the issue?


> * monorail -- http://rubyforge.org/projects/monorail/
> * monorail -- http://www.castleproject.org/index.php/MonoRail
> * Which is really similar to "mongrel rails", but let's just say that
> wasn't your intention.


"Monorail" was picked out of the air by a guy who works for me as we were
thinking about a lighter-weight version of Rails. You've evidently
researched this project, which is gratifying, but it's not a released
project, and anyway has evolved a great deal. It's no longer a lighter
Rails, but something else entirely, and not competitive to Rails. As far as
competing against Mongrel in this connection, I have to smile at your
self-importance, but Mongrel wasn't even on our radar. In regard to the
Castle guys, we became aware a couple of weeks ago that they were using
"Monorail," and we're still looking into whether we have priority over the
name (our first pub was last April, and theirs is a recent name change). If
it turns out theirs was published before ours, we'll change ours.


> Then, you also have a habit of creating these to be similar to existing
> ones, pimping them in what seems like an attempt to wipe out the
> existing projects:

I create a lot of projects, Zed, and I (and the guys who work for me) make
up a lot of code names. They can't all be unique gems, especially not for
the open source ones where the point isn't to make any money. I spend a lot
of time (and money) coming up with well-researched names for my commercial
projects. And if you think I have it in mind to wipe out Rails, all I can
say is that I have far more realistic goals in life, nor do I think Rails,
which benefits a lot of people, deserves to be wiped out. But if you think I
have in mind to wipe out Mongrel, then I have to laugh and ask you why
you're afraid of me!




>
> // This processing depends on the fact that the end
> // of the data buffer we receive will have a null terminator
> // just after the last byte indicated by the length parameter.
>
> Anyone worth his SECURE salt knows that using \0 buffer termination is
> *not* secure.

In the first place, Zed, this comment is in code that is NOT in the
EventMachine, but in a project based on it. Note the code in EM that creates
the buffers that are passed to the code path where the comment you quoted
appears. There is specific language in there specifying a guaranteed
behavior that all buffers generated by EM for passing to user code will have
an extra appended null terminator.


> Not to mention this gem of a buffer overflow:
>
>   else if (!strncasecmp (header, "cookie:", 7)) {
>     const char *s = header + 7;
>     while (*s && ((*s==' ') || (*s=='\t')))
>       s++;
>     setenv ("HTTP_COOKIE", s, true);
>   }
>
> (HINT: A while loop that waits for a \0 terminator is always wrong.)


You're reaching, Zed, and it's not impressing me. That while loop stops when
it finds a character that isn't blank or tab. Obviously it's also going to
stop if it hits the end of the string. It would be far less safe (not to
mention wrong) if it didn't. Also notice the (only) call to this (private)
method that contains this code path. The line immediately preceding it
ensures the null terminator is present.


On contributing to your work: you have it pretty well under control, so what
help do you need from me? I wrote to you back in April or May to ask if you
had an interest in it, and you made it quite clear that you didn't. So I
didn't bother to ask the question again. That's no problem for you or for
me. But if you think I was "adamant" about you using my work, all I can say
to that is that I'm an experienced technology salesman, and I try to
convince people by being persuasive, not adamant. Again, you made it clear
you weren't interested, so that's the end of that story.

As far as you contributing to my work, you pointed out that you had had a
problem with your Event library that I hadn't tested for. You also said you
hadn't been able to solve it. I solved it, then solved it again in a better
way. I acknowledged you for pointing out the problem, which I do with
everyone who helps me out, but your point here would be a lot more
compelling if you had actually contributed a solution. But again, this is
open-source freeware, Zed. We're all supposed to be helping each other, and
no one is trying to take food out of anyone's mouth. None of us are involved
in this for money. You really need to lighten up.


> * Imply that your work is more secure than mine (yet without a security
> testing policy, unlike Mongrel).
>
> * Use my advice and work to further your own means without contributing
> back in kind.


You're really giving the game up here, Zed. I've never so much as mentioned
Mongrel in any public communication that I'm aware of, much less implied
that an unpublished product in a totally different space is more secure than
yours. This isn't personal, Zed. The fact that you're making it personal
really makes me wonder about you.

> * AND accuse me of libel (which only a profit motivated "open source"
> person would do).

I said your statements "border on libel." You stated that my friends and I
are somewhat shady in your opinion, and perhaps desperate for cash. Libel is
a written statement of disparaging character that is not substantiated by
facts, and you haven't provided any. I don't let ANYONE mess with me the way
you did.



> it if you'd stop naming your projects after mine, stop pimping your
> projects on *my* mailing list,

I'll name my projects however I wish, but I already do make a practice of
not knowingly infringing on other people's marks. I've paid enough money to
trademark lawyers over the years to know where the lines are. I have never
ONCE written a single thing on your mailing list until this afternoon, and
that was in answer to your unwarranted and borderline-libelous comments
about me, not to "pimp" anything. Once again, you need to lighten up.

> You're free to compete with Mongrel,
> but don't use my project to further your gains.


If I had any interest in competing against Mongrel, believe me, you'd know
it. If you think I am getting "gains" from giving away open-source freeware,
then you flatter me unduly. If you think I'm stealing from you, you're
flattering yourself unduly.
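
Added example, not part of the original message and not EventMachine code: the whitespace skip discussed above, written against the length parameter instead of the appended null terminator, plus a comparison of the value length a C-string API such as `setenv` would see with the caller's byte count. The function names and the sample header are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset of the cookie value inside header[0..len), or -1 if the line is
   not a Cookie header. Bounded by len, so header[len] is never read and
   no terminator is needed. (Hypothetical helper, not EventMachine code.) */
static long cookie_value_offset(const char *header, size_t len)
{
    static const char name[] = "cookie:";
    const size_t n = sizeof name - 1;
    size_t i;
    if (len < n)
        return -1;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)header[i]) != name[i])
            return -1;
    while (i < len && (header[i] == ' ' || header[i] == '\t'))
        i++;
    return (long)i;
}

/* Value length according to the caller's byte count. */
static size_t value_len_bounded(const char *header, size_t len)
{
    long off = cookie_value_offset(header, len);
    return off < 0 ? 0 : len - (size_t)off;
}

/* Value length as terminator-based code (strlen, setenv) would see it:
   it ends at the first NUL, which may be a byte sent by the peer. */
static size_t value_len_cstring(const char *header, size_t len)
{
    long off = cookie_value_offset(header, len);
    const char *nul;
    if (off < 0)
        return 0;
    nul = memchr(header + off, '\0', len - (size_t)off);
    return nul ? (size_t)(nul - (header + off)) : len - (size_t)off;
}

int main(void)
{
    static const char h[] = "Cookie: a\0b"; /* constructed: embedded NUL */
    size_t len = sizeof h - 1;
    printf("bounded=%zu cstring=%zu\n",
           value_len_bounded(h, len), value_len_cstring(h, len));
    return 0;
}
```

A receiver that wants the two views to agree can reject any header for which the two lengths differ before handing it to C-string APIs.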