[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: jessie release goals


I would like to see the following with respect to PHP and all packages
using PHP:
1) We should try to educate users not to use mod_php. From a security
POV it's rather problematic, as it runs in server context. And for
people really needing the performance, FPM should be an equally good
There are other issues with mod_php, like not being able to use all

2) Because of (1) other packages should no longer assume mod_php is in
place... they should provide support for all the SAPIs (as far as this
is possible).

3) Especially packages should no longer automatically set things up for
IMHO it's (security wise) generally a bad idea to have such stuff
enabled out of the box by just installing a package.
A solution could be, that packages use debconf, and allow the user to
either set up nothing automagically,... or let the user choose between a
SAPI / webserver combination.
This would also allow packages, to provide out of the box support for
privilege separation, which could then in turn be used to do e.g. clean
and secure authentication against local databases (wich are often used
in that context).

4) One might further try to harden the default php.ini much more... and
debian packages using PHP could ship their additions, which then allow
things that are required.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: