On 07.04.2011 15:47, Olaf van der Spek wrote:
> How does my approach require someone to read the manual?
It doesn't. The fact that the problem exists is because people don't read manuals :)

> How is a loaded but unconfigured module a security threat?

Well, you don't know. Isn't that the reason why vulnerabilities do exist? Note, I don't say it /is/ a threat, I say it /could/ be a threat. Think of unwanted code execution by passing some obscure requests just because the module hooks into the usual processing when enabled. This may or may not be feasible within the particular Lighttpd implementation; that's not my point, see below.

> I'm not assuming it's used by everyone, but I am assuming it's used by
> a majority.

I say we should not enable a module that is not required to provide core functionality. It is fine to load them if they are fundamentally required. It is your responsibility, being the package maintainer, to make sure the out-of-box configuration is inherently safe (and sane), i.e. it does not put up with unwanted (and unneeded) risks. Alternatives would include extracting the FastCGI module (and configuration) from the core package and enabling it by a postinst hook when installed. In that case one could assume the user actually wants FastCGI to be enabled, maybe even with a debconf hook asking which script language interpreter the user wants to enable configuration for (PHP, Python, Perl, ...), although currently only a PHP-ready configuration is shipped and others might be a bit more complicated.
-- 
with kind regards,
Arno Töll
GnuPG Key-ID: 0x8408D4C4
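The enabling path sketched in the message above (mod_fastcgi absent from the default module list, a ready-made PHP handler shipped alongside, and the handler activated only by an install-time step once the admin has opted in and an interpreter is actually present), modelled as a small POSIX shell helper. This is an added example and is not Debian's lighttpd maintainer script nor code from the bug thread. The conf-available/conf-enabled layout, the file and function names, the include_shell line and the socket path are assumptions made for the illustration.

```shell
#!/bin/sh
# Hypothetical postinst-style helper (not the real Debian lighttpd packaging).
# Models the proposal: the out-of-box config never loads mod_fastcgi; a PHP
# handler is shipped in conf-available and only linked into conf-enabled when
# the admin opted in (debconf answer passed as 3rd argument) AND the chosen
# interpreter really exists on the system.

# Baseline config: no FastCGI module loaded out of the box.
# The include_shell line (assumed layout) pulls in whatever is enabled.
write_base_config() {
    root="$1"
    mkdir -p "$root/conf-available" "$root/conf-enabled"
    cat > "$root/lighttpd.conf" <<'EOF'
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_redirect"
)
server.document-root = "/var/www"
include_shell "cat conf-enabled/*.conf 2>/dev/null"
EOF
}

# Shipped-but-inactive handler: it adds mod_fastcgi itself, so the module is
# only loaded when this file is actually linked into conf-enabled.
write_fastcgi_handler() {
    root="$1"; interp="$2"
    cat > "$root/conf-available/10-fastcgi-php.conf" <<EOF
server.modules += ( "mod_fastcgi" )
fastcgi.server = ( ".php" => ((
    "bin-path"  => "$interp",
    "socket"    => "/var/run/lighttpd/php.socket",
    "max-procs" => 1
)))
EOF
}

# Usage: setup_fastcgi CONF_ROOT INTERPRETER_PATH yes|no
# Returns 0 and links the handler only when the admin said "yes" and the
# interpreter is executable; otherwise returns 1 and mod_fastcgi stays unloaded.
setup_fastcgi() {
    root="$1"; interp="$2"; answer="$3"
    write_base_config "$root"
    write_fastcgi_handler "$root" "$interp"
    if [ "$answer" != "yes" ]; then
        return 1
    fi
    if [ ! -x "$interp" ]; then
        return 1
    fi
    ln -sf "../conf-available/10-fastcgi-php.conf" \
        "$root/conf-enabled/10-fastcgi-php.conf"
    return 0
}

# Check: would the effective configuration load mod_fastcgi?
# Exit status 0 = yes, 1 = no. Only conf-enabled is consulted, as lighttpd would.
fastcgi_enabled() {
    root="$1"
    cat "$root/lighttpd.conf" "$root"/conf-enabled/*.conf 2>/dev/null \
        | grep -q 'mod_fastcgi'
}

# Stand-alone demonstration on a throwaway directory (constructed input).
demo() {
    d=$(mktemp -d)
    if setup_fastcgi "$d" /bin/sh yes; then
        echo "FastCGI enabled: $(ls "$d/conf-enabled")"
    else
        echo "FastCGI left disabled"
    fi
    rm -rf "$d"
}
demo
```

The point of the layering is that the dangerous state (module loaded, handler reachable) can only be reached through an explicit step, and that step refuses to act when its precondition (a usable interpreter) is missing, so a half-configured FastCGI setup is never what a fresh install boots with.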