Re: How to package programs that make use of a database?
On Fri, 5 Oct 2001, Marcelo E. Magallon wrote:
> >> Steve Langasek <email@example.com> writes:
> > So over here, the answer is that customers who want absolute security
> > need to pay for colocation.
> So, in your opinion, is packaging this kind of applications for Debian
> without paying attention to this problem an acceptable solution? My
> best option until now is not even try to enable the application and
> leave that to the administrator, with some examples in the appropriate
> place. This leaves the administrator with a new database, some tables
> possibly, a script to recreate the schema if necessary, some file where
> a database name (and possibly a user but no password) is stored and
> some files that aren't "used" by anything on the system. Does that
> sound ok?
I think it's ok to not worry about these kinds of problems, because they're
far beyond the scope of the software you're packaging and are general security
issues applying to any webhosting environment. As long as you inform the
admin that the package stores passwords in a file that can be seen by anyone
who (e.g.) has access to run PHP scripts, then I think it's up to the admin to
weigh the risks and make a determination.
Such a package is not a danger to the system or to other packages; the only
risk is to the data stored within that very database.