Re: jessie release goals

On Tue, May 7, 2013 02:55, Christoph Anton Mitterer wrote:
> On Mon, 2013-05-06 at 14:59 -0600, Bob Proulx wrote:
>> > 1) We should try to educate users not to use mod_php.
>> If "Best Practices" such as this were documented such as on the Debian
>> wiki then it would go a long way to making this easy for users to do.
>> They could then simply follow recipes to good practices.
> Well but right now many packages rather assume that one uses mod_php...
> I run several PHP programs on our faculty (e.g. icinga-classic,
> icinga-web, pnp)... all of them with CGI each of them running with its
> own user and thereby also doing the DB authentication...
> Setting this up was really time consuming as it required lots of trying,
> especially when also "hardening" php.ini per each of these programs (and
> therefore most end users simply won't do it)... in an ideal world...
> such things would be better supported.

We're running many different packaged PHP applications without mod_php but
via mod_fcgid + php5-cgi. In every case we didn't encounter any point where
the packaging made assumptions about running on mod_php. So if you know of
such packages, just file a bug there - it's not a pervasive problem as far
as my experience goes.

Debian packages do assume that they're running as www-data, but this is
not related to whether you use mod_php and is codified in Debian Policy.

As for hardening the shipped php.ini - I suggest that you file a bug
against php5 with suggested changes and we can discuss the pros and cons
of each for jessie.

All in all I don't see any Release Goal material yet, here.


