In or out? [part 1]
Apache’s modular architecture works well for third-party developers, who can create and maintain their work independently if they prefer not to participate directly in the developer community. There are some great and popular third-party modules out there.
From the end-users perspective, things may look different: there may be no obvious reason why module A is part of the core distribution while module B is a third-party addon. In a corporate situation it can present a problem, where Apache itself is approved but a third-party developer is not considered trustworthy, or requires additional hassle and paperwork.
There are modules providing core functionality that are necessarily included. And there are big kitchen-sink modules that should clearly remain independent: obvious examples are scripting modules like Perl, PHP and Python. But between these are a range of modules that could be either in or out.
Take mod_rewrite. That’s big, complex, and popular. It’s included in the core distribution, but it’s not really core functionality. If it had been written new in 2005 rather than 1995, it might easily have remained a third-party module.
Or take ldap support. That’s suitable for inclusion because its developers are active members of the dev community and are happy to maintain it that way. But it could equally be a third-party addon.
But similarly, there are quite a few third-party modules that, from a functionality POV, could be core. If LDAP authnz, then why not radius or kerberos?
A few widely-used third-party modules that spring to mind:
- Configuration with mod_macro
- A whole slew of bandwidth-management and DOS protection modules
- Application firewall with mod_security
- Fast CGI with mod_fastcgi or mod_fcgid
- Filtering with mod_proxy_html, mod_line_edit, etc
- XML processing with mod_xslt, mod_transform, etc
- Perchild-like MPMs
Now, how is the besuited manager, or even his nonspecialist IT dogsbody, to evaluate the quality and trustworthiness of each of these external sources? The module index is a plain directory and plays no role in vetting or QA. You can try to evaluate whether the third-party developer is sufficiently trustworthy in its own right. Google can tell you that a module is widely used and respected by experts in the field. All of which is more effort, with no guarantee of a satisfactory outcome.
To be continued at a future Round Tuit, but hopefully while a couple of recent/current events are still topical!