On 07.04.2011 16:41, Olaf van der Spek wrote:
> I'm not sure the manual says anything about this one.

Sure it does, if we consider upstream's Wiki as manual at least:

>> Note
>> This means you need to include the line
>> server.modules += ( "mod_fastcgi" )
>> ...
>> in your lighttpd.conf file. Without this, you'll get the error
>>
>> WARNING: unknown config-key: fastcgi.server (ignored)
>>
>> when trying to use lighttpd with fastcgi and, for example, php.

See http://redmine.lighttpd.net/wiki/lighttpd/Docs%3AModFastCGI.
Straight on top :)

> No.
> It does increase the amount of code that's executed, but (IMO) not in
> a significant way. FastCGI is not some obscure module.
> If loading the module does affect safety in a significant way one
> should probably avoid the entire webserver.

Safety is the minimization of unwanted risks. This is how an engineer
defines safety. For security this reads: avoid unneeded threats whenever
you can. The code you don't execute can't lead to a vulnerability.
Especially if you execute it unnecessarily. It's as simple as that.

> Ideally the module would unload itself when not configured.

I'm unsure if a module should apply this kind of heuristic, since I tend
to state "software should not start to think on behalf of the
administrator being too lazy to configure things".

> I agree about those goals, so the question is: what is core functionality?

Bear in mind we are discussing a web server, that is, essential core
functionality is well defined by HTTP 1.1
[http://tools.ietf.org/html/rfc2616]. That means: Everything needed to
run a fully compliant HTTP 1.1 web server is enough for the functionality
/everyone/ expects when installing lighttpd. For lighttpd this requires
only the core components, which can't be loaded (or unloaded).

Now let's take a look at the trunk's lighttpd.conf:

>>server.modules = (
>>  "mod_access",
>>  "mod_alias",
>>  "mod_compress",
>>  "mod_redirect",
>>#  "mod_rewrite",
>>)

As we are packaging for Debian we need to conform to Debian's Policy
Manual § 11.5
[http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl].
Following that we require an alias for /cgi-bin, /doc and /images, hence
mod_alias is required (what happened to the DPM compatible configuration
by the way, the current configuration looks as if it would violate the
DPM?)

mod_access provides url.access-deny, which is a good idea too, although
this probably should include .htaccess as well, since a lot of people
leave those files in their doc roots as well, even if they are useless
for Lighttpd.

mod_compress might be technically a good idea, but it is not required for
core functionality. I would suggest not to remove it completely, but to
comment it out and leave it as a hint to the user.

mod_redirect is not used at all in its default configuration currently.

Note I also dislike splitting up configuration into dozens of files, so I
would suggest not to remove some basic configuration quirks, but to leave
the administrator the choice whether he wants to activate a certain
option (set) or ship alternative configuration files.

(Note I also asked to join the pkg-lighttpd team earlier today through
Alioth, since we are getting off topic here)

-- 
with kind regards,
Arno Töll
GnuPG Key-ID: 0x8408D4C4
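
Added example, not part of the original message and not code from lighttpd or the Debian package: a small audit of the two conditions the message discusses, modules that are loaded although no option of theirs is set, and options that are set although their module is not loaded (the "unknown config-key" case from the wiki note). The module-to-prefix map, the sample configuration and the function names are assumptions made for illustration.

```python
import re

# Assumed module -> option-prefix map. fastcgi.server and url.access-deny are
# named in the message; the other prefixes are assumptions from lighttpd's docs.
MODULE_KEYS = {
    "mod_access": ("url.access-deny",),
    "mod_alias": ("alias.url",),
    "mod_compress": ("compress.",),
    "mod_redirect": ("url.redirect",),
    "mod_rewrite": ("url.rewrite",),
    "mod_fastcgi": ("fastcgi.",),
}

# Constructed sample config (not Debian's shipped file).
SAMPLE = """
server.modules = (
  "mod_access",
  "mod_alias",
  "mod_compress",
  "mod_redirect",
#  "mod_rewrite",
)
url.access-deny = ( "~", ".inc", ".htaccess" )
alias.url = ( "/doc/" => "/usr/share/doc/" )
fastcgi.server = ( ".php" => (( "socket" => "/tmp/php.sock" )) )
"""

def strip_comments(conf):
    # Naive: assumes no '#' inside quoted strings.
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def loaded_modules(conf):
    """Module names from every server.modules = / += ( ... ) list."""
    mods = []
    for body in re.findall(r"server\.modules\s*\+?=\s*\((.*?)\)", conf, re.S):
        mods += re.findall(r'"(mod_\w+)"', body)
    return mods

def used_keys(conf):
    """Option names that start a line and are followed by = or +=."""
    return set(re.findall(r"^\s*([a-z][\w.-]*)\s*\+?=", conf, re.M))

def audit(conf_text):
    """Return (loaded but unreferenced modules, referenced but unloaded modules)."""
    conf = strip_comments(conf_text)
    mods, keys = loaded_modules(conf), used_keys(conf)
    hit = lambda m: any(k.startswith(p) for k in keys for p in MODULE_KEYS[m])
    unused = [m for m in mods if m in MODULE_KEYS and not hit(m)]
    missing = [m for m in MODULE_KEYS if m not in mods and hit(m)]
    return unused, missing
```

Calling `audit(SAMPLE)` reports mod_compress and mod_redirect as loaded without any matching option, and mod_fastcgi as configured but not loaded.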