This note is being sent as part of a project to clean out old (> 1yr)
debian-policy proposals. If you disagree with action below please
respond to firstname.lastname@example.org, not to me, so that the discussion may
be carried out publicly in debian-policy. Feel free to re-open the
bug while it's being discussed -- I'm not trying to force any
particular disposition, just taking my best shot at resolving dead
Bug#23661: usr/doc should not be accessible through http servers by default
Summary: suggests that http://hostname/doc/ not be available by
default, except to localhost clients. "Security through obscurity"
argument raised, but consensus seemed to be that making one's entire
installed program list, including version, available to the internet
was perhaps pushing it a bit far. It was noted that later releases of
Apache and Boa restricted access, but that doesn't solve the problem
generally. It then went on to the "Well, there's a whole bunch of
services that shouldn't be available by default". Raul Miller seems to
have started examining a way to deal with this, but there's no further
note in the BTS after 22 Jun 2000.
Discussion: Policy currently says "HTML documents...can be referred to
as http://localhost/doc/package/filename". This could be sufficient to
imply that access should, by default, be restricted to localhost, but
a guiding comment or footnote should probably be added. One question
is what to do about httpds that don't support access controls.
Action: I've submitted a new proposal that addresses only the httpd
issue that refers to this one.
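As an added illustration of the localhost-only default argued for in the summary above, the following Apache configuration fragments (written for this note; they are not Debian's shipped apache configuration) contrast an unrestricted /doc/ alias with one limited to loopback clients. The /usr/doc path comes from the bug title; the Options and AllowOverride lines are assumptions, and only one of the three fragments would be active in a real server.

```apache
# Added example, not Debian's packaged configuration.
# Fragment 1: the weak default. The alias is exported with no access
# control, so any client on the network can browse /usr/doc/ and read
# off the installed package list and versions from the directory names.
Alias /doc/ /usr/doc/
<Directory /usr/doc/>
    Options Indexes FollowSymLinks
    AllowOverride None
    # no Order/Deny/Allow here: world-readable
</Directory>

# Fragment 2: the same alias restricted to the local machine, in the
# Apache 1.3 / 2.2 access-control syntax current when this bug was filed.
# "Deny from all" first, then re-allow only the IPv4 loopback network
# (on 2.2 with IPv6 enabled, add "::1" to the Allow line).
Alias /doc/ /usr/doc/
<Directory /usr/doc/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0
</Directory>

# Fragment 3: the equivalent on Apache 2.4, where Order/Deny/Allow are
# replaced by Require; "Require local" matches 127.0.0.0/8, ::1 and
# connections arriving over the server's own socket.
Alias /doc/ /usr/doc/
<Directory /usr/doc/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require local
</Directory>
```

Whether the restriction took effect can be checked from another host with a plain HTTP request for /doc/, which should return 403 rather than a directory listing. For the httpds the discussion mentions that have no access-control directives at all, the only default that gives the same guarantee is to not define the /doc/ alias at all.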