
Bug#715804: Debian policy for web apps still references /doc as accessible



user debian-policy@packages.debian.org
usertags 715804 normative discussion
thanks

On Thu, Jul 11, 2013 at 01:24:45AM +0800, Thomas Goirand wrote:
> Package: debian-policy
> Severity: important
> 
> The Debian policy for web apps still references /doc as accessible
> through the web (see point 3 of chapter 11.5), though it has been removed
> for security reasons. The policy should be updated.

Hi Thomas,

basically, what you propose is the following:

diff --git a/policy.sgml b/policy.sgml
index 1508231..2651a1a 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var>
                before <var>cgi-bin-name</var>).
            </item>
 
-           <item>
-             <p>Access to HTML documents</p>
-
-             <p>
-               HTML documents for a package are stored in
-                <file>/usr/share/doc/<var>package</var></file>
-               and can be referred to as
-               <example compact="compact">
-http://localhost/doc/<var>package</var>/<var>filename</var>
-               </example>
-             </p>
-
-             <p>
-                The web server should restrict access to the document
-                tree so that only clients on the same host can read
-                the documents. If the web server does not support such
-                access controls, then it should not provide access at
-                all, or ask about providing access during installation.
-             </p>
-           </item>
-
             <item>
               <p>Access to images</p>
               <p>
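
Review bot: The second removed <p> ("The web server should restrict access to the document tree so that only clients on the same host can read the documents") goes away together with the http://localhost/doc/ mapping, so if any packaged web server still exposes /usr/share/doc under /doc, Policy would no longer say that it has to be limited to local clients. Before dropping the whole <item>, confirm that no web server in the archive still ships that mapping, or keep a sentence stating that a server which does serve /doc must restrict it to clients on the same host or not provide access at all. The surrounding list also shifts by one, so anything that cites "point 3 of chapter 11.5" by number will point at "Access to images" after this change.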


I note that /doc was only to be served locally. How did that cause security
issues?

Anyway, if the webservers that we distribute have dropped that functionality
(can you confirm that it is not just apache2?), then I also support adjusting
the Policy accordingly.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

