On Tue May 5, 2026 at 12:07 PM CEST, Holger Levsen wrote:
> On Mon, May 04, 2026 at 10:16:27PM +0200, Serafeim (Serafi) Zanikolas wrote:
>> please find attached a patch. there might be better packages to mention as
>> examples, no idea.
>  
> maybe also say something about opening ports on localhost only? (or not?)

agree, revised patch attached. took the opportunity to also
s/hugo/dfsg-new-queue/ (hugo is only a static site generator and dfsg-new-queue
is a great example)

thanks,
serafi

From 114ad6bf947b1c0137c3d0294d89a3298d2fee94 Mon Sep 17 00:00:00 2001
From: "Serafeim (Serafi) Zanikolas" <[email protected]>
Date: Mon, 4 May 2026 22:10:35 +0200
Subject: [PATCH] best-pkging-practices: add high level guidance for daemons
 and web apps. Closes: #150607.

---
 source/best-pkging-practices.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source/best-pkging-practices.rst b/source/best-pkging-practices.rst
index a4b11ff..3d1fd75 100644
--- a/source/best-pkging-practices.rst
+++ b/source/best-pkging-practices.rst
@@ -1349,6 +1349,23 @@ corresponding packaging rules and practices:
 -  Rust packaging is described in the `Debian Rust Team Book
    <https://rust-team.pages.debian.net/book/>`__;.
 
+-  Packages providing services ("daemons") should be functional on a fresh
+   install, to the extent that that is possible without compromising security
+   (e.g. a web server should by default be up and running and serve a dummy
+   page, but must otherwise not allow unauthenticated sensitive operations;
+   consider whether to serve only on the localhost network interface, by
+   default).
+
+-  Web application packages should aim to have their dependencies (including
+   javascript) packaged separately, and should carry out whatever setup is
+   necessary for basic and secure functionality out of the box (e.g. create a
+   database, ship configs with reasonable defaults, install files in appropriate
+   location with appropriate permissions, etc). For examples, look at how
+   existing web applications are packaged, e.g. dfsg-new-queue for Go, gitlab
+   for ruby on rails, node-shiny-server for NPM. diaspora-installer is a dummy
+   package which downloads diaspora (also pulling in runtime dependencies as
+   rubygems) and configures it to use PostgreSQL and Nginx.
+
 .. _bpp-archindepdata:
 
 Architecture-independent data
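
Review bot: In the first added bullet the loopback default is left at "consider whether to serve only on the localhost network interface", while the "must" clause only forbids unauthenticated sensitive operations, so the text does not say what a daemon should do on a fresh install when no credentials exist yet. Suggest stating the default directly, for example: a service that cannot enforce authentication out of the box should listen on the loopback interface only until the administrator configures it. In the second added bullet, diaspora-installer is cited immediately after the advice that dependencies should be "packaged separately", yet the same sentence describes it as downloading diaspora and "pulling in runtime dependencies as rubygems"; either drop it or mark it explicitly as the fallback for when separate packaging is not feasible, so it does not read as an endorsed pattern. Style points in the same bullets: "that that" could become "to the extent possible", "javascript" and "ruby on rails" should be capitalised as "JavaScript" and "Ruby on Rails", and "etc)" needs a full stop before the bracket.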
-- 
2.47.3
