
From a cursory glimpse, it seems Apple only patches CVEs in OSS components when the OS itself gets an upgrade.

The next time there is a problem in Apache, the chances seem pretty high it will remain unpatched on macOS for weeks, if not months.



Apple sometimes distributes separate security updates, depending on the severity of the issue.


Why does macOS ship with Apache?


Before Mountain Lion, a personal web server was available under System Preferences > Sharing > Web Sharing.

They removed the UI to enable it in Mountain Lion, but the functionality is still built in and can be enabled if you install Apple's MacOS Server app from the app store. Or you can just enable it from the command line.


It was a really nice idea. I wonder how often it got used. I think it was a conceptual relic of the [Jeff Goldblum era](https://www.youtube.com/watch?v=dQmK1CnwOUI) of iMacs with instant Internet and personal webpages.


The "Jeff Goldblum" era is still alive, just not in the minds of people trying to sell cloud-based alternatives


When people say "alive" in casual conversation, they mean alive for larger amounts of people than statistical noise...


I suppose that could be an insult, if you were actually right


No, personal web pages have been replaced with Facebook accounts. Nobody wants or needs a website to show off photos and videos and personal updates anymore.


They do if they don’t want their photos of their kids plastered with ads for fart apps and other unsavory garbage, though...


But nobody in the target audience will visit it, because it's some random website and not a Facebook page. So what good is a website that's never visited?


heh, remember when you could actually host your own website from your home connection on port 80? Dynamic DNS services, etc... ISPs put a quick end to that, though :(


Not really. I still host a number of sites on my home linux box.


Nowadays you need PAAS cloud hosting with Kubernetes on at least 3 servers, monitoring SAAS, log storage SAAS, CI for js transpilers, CDN for assets, Cloudflare, SSL certificate, checklist for PWA compliance, UX guidelines, AMP, OpenGraph metadata. Because best practices!


I... still do?

This is more about ISPs where you live than anything else. Most people don't want the hassle.


Yeah, guess it varies, but a lot of ISPs block incoming port 80 connections. Common enough that noip.com has a "port redirection" feature, interestingly enough: http://www.noip.com/support/knowledgebase/my-isp-blocks-port...


It used to be the basis for personal web pages, and deployable to via iWeb, the “easy” web authoring tool that baked text into images...

Also, the server variants ran most services (calendars, etc.) behind it.

Edit: premature posting.


I assume it's so that I can run Bugzilla on my laptop.


Right, I feel like anyone who would need apache on MacOS would know how to install it...


AFAIK macOS's built-in Apache is not started by default, so it is not a security risk anyway.


That's a strange way to look at things. You could argue the computer doesn't come started by default so it's not a security risk... If there's an option to start it, it's a risk.


Yeah, they should sell those Macs without a start button. That should keep them secure :)



