Re: BOA was: An issue with Apache on Debian



On Wed, Apr 14, 1999 at 07:59:23PM +0200, Martin Stjernholm wrote:
> It's true that it doesn't say that a server package has to give access
> to anyone else than localhost. However, when packaging a server that
> doesn't have such filter features, the maintainer must either give
> access to everyone or leave it out altogether. Afaics, the policy
> forces the first alternative in that situation.

> Also, restricting to localhost doesn't solve the problem entirely as
> someone pointed out; if you e.g. happen to run a http proxy on the
> computer it'd still be accessible for others.

Yes, you are quite right. Policy probably ought to be changed. My point
was that web server packagers don't have to wait for that to protect
against hostile users.

> (Besides the security issues here, I find this policy a bit bothersome
> since it stipulates content in a service that I think the Debian user
> should have full control over. Whether a user want to access /usr/doc
> with a web browser shouldn't have anything to do with whether (s)he
> want to run a www server and what content it should provide in that
> case. A documentation server might be a good idea, but it should be a
> separate package, running with appropriate restrictions on its own
> port. Sure, it'd be neat if it could use the http daemon in case the
> user has installed any, but that ought to be a secondary goal.)

I am not sure what is not wrong with making packages use
<URL:file:///usr/doc/>. I couldn't find anything in the policy document
or on the debian-policy archives.

If you put it on a web server a package with docs could also easily
provide cgi-bin things to search with (like dhelp comes with
/usr/lib/cgi-bin/dsearch), but that seems like a rather marginal
benefit.

					Galen

(Please Cc replies to me. I am not on debian-policy.)