On Mon, Nov 09, 2009 at 03:55:58PM -0800, Russ Allbery wrote:
> sean finney <seanius@debian.org> writes:
>
> > something that hasn't really been brought up (i mentioned it on the
> > non-webapps thread in -devel already) is that this makes packages
> > potentially opened in an unconfigured state. unless you can ensure that
> > the system is only running on localhost, it has some significant
> > security implications. personally i'd rather that /usr/lib/cgi-bin goes
> > the way of the dodo, and that packages are required to ship/generate
> > webserver config files if they want to function out of the box.
>
> Wholeheartedly agreed, particularly if we can put a management system in
> place similar to the (really nice) Apache module management system that
> lets admins selectively enable specific applications, which installing
> everything into a default CGI-active directory doesn't permit as easily.

Not that I'm opposed to what you're saying but... every application in the
archive is configured during the installation process, possibly asking
debconf questions, providing defaults etc. After the installation it should
run in a mode that suits most use cases and is secure. We (or at least I)
always expected that.

Now with web applications, if I read your suggestions correctly, you want to
just throw the files in the system, leave it unconfigured without meaningful
defaults, even leading to an insecure state, and then blame the web server
for not securing the application?

Or am I misunderstanding you?

Hauke