
Bug#715804: Debian policy for web apps still references /doc as accessible



Thomas Goirand <zigo@debian.org> writes:

> I agree with the removal, though I would also add a quick note saying
> that we *used* to have access to /doc with web servers on localhost, but
> it was removed, with a link to
> http://www.debian.org/security/2012/dsa-2452. Something like:

I don't think that's a good idea.  There's a *lot* of history in Debian.
We don't want to document all of it in Policy or that will dominate the
document.

And, in particular, we can't say this...

> <p>
> HTML documents must not refer anymore to documents using <example
> compact="compact">http://localhost/doc/<var>package</var>/<var>filename</var></example>
> since this functionality was removed due to security problems (see:
> http://www.debian.org/security/2012/dsa-2452). Moreover, web servers
> must not provide direct access to /usr/share/doc anymore, even from
> localhost only.
> </p>

...because, phrased that way, it requires that web servers somehow detect
/usr/share/doc and block it from being served regardless of the
configuration of the server, which is rather more than I think we would
want to say.  Also, the first sentence is redundant with other
requirements already in Policy that prohibit any package from relying on
the presence of any file in /usr/share/doc.

I suppose we could say something in Policy along the lines that web
servers should come configured to serve /usr/share/doc by default, even to
localhost, but I'm not sure how useful that is -- are there a lot of
web servers in Debian that still do so and that need to be notified of
this?

If this is a transition that's already complete, I'm not sure it's worth
saying anything here.  It doesn't strike me as the sort of idea that's so
obvious that people are likely to spontaneously add it back unless we
explicitly prohibit it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
