
Bug#491547: web server policy requires /var/www, not in FHS



Hi,

Even more so, a discussion on debian-devel [1] came to the conclusion
that /var/www as a document root is security-wise a bad default for web
servers.

Therefore, we, the Apache maintainers, decided to change the default
document root to /var/www/html (#730372). This might be seen as a policy
violation as of §11.5, but we do not violate the FHS as this directory
does not exist there.

I'm not sure about the state of the FHS when this bug was filed, but to
date /srv exists per FHS as a place to put organization-local files,
e.g. document roots, which is a replacement for /var/www _for users_. We,
as maintainers, cannot use /srv directly, though, to avoid information
leaks. Moreover, we must not assume any organization-local directory
structure below /srv either.

Please clarify this ambiguity in the policy.


[1] https://lists.debian.org/debian-devel/2012/04/msg00301.html
-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
