
Bug#715804: Debian policy for web apps still references /doc as accessible



Hello,

I am contacting you because you are listed as maintainer of a package
that provides the httpd virtual package. (grep-aptavail -F Provides httpd)

The Debian Policy currently specifies that /usr/share/doc/“package” is served
on localhost by web servers.  This has been discontinued with apache2 because
it led to possible risks of executing example scripts that were not intended
for that purpose.  (http://www.debian.org/security/2012/dsa-2452)

We are considering removing the specification about serving /usr/share/doc/“package”
(see below), but before doing so, I would like to know if this is a feature
that is also provided by the web server you maintain.

> 
> diff --git a/policy.sgml b/policy.sgml
> index 1508231..2651a1a 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var>
>                 before <var>cgi-bin-name</var>).
>             </item>
>  
> -           <item>
> -             <p>Access to HTML documents</p>
> -
> -             <p>
> -               HTML documents for a package are stored in
> -                <file>/usr/share/doc/<var>package</var></file>
> -               and can be referred to as
> -               <example compact="compact">
> -http://localhost/doc/<var>package</var>/<var>filename</var>
> -               </example>
> -             </p>
> -
> -             <p>
> -                The web server should restrict access to the document
> -                tree so that only clients on the same host can read
> -                the documents. If the web server does not support such
> -                access controls, then it should not provide access at
> -                all, or ask about providing access during installation.
> -             </p>
> -           </item>
> -
>              <item>
>                <p>Access to images</p>
>                <p>
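
Review bot: the second removed paragraph ("The web server should restrict access to the document tree so that only clients on the same host can read the documents") is the only access-control requirement in this item, and deleting the whole <item> removes it along with the /doc/<var>package</var> URL convention. For a web server that still maps /doc to /usr/share/doc, the text left by this hunk no longer says that access must be limited to the same host or not provided at all. Consider replacing the item with a short one stating that web servers should not export /usr/share/doc/<var>package</var> by default, and keeping the same-host restriction for any server that still does.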

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

