On Sun, 19 Aug 2012, Marco d'Itri wrote:
> On Aug 19, Charles Plessy <ple...@debian.org> wrote:
> > - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
> >   php5-cgi. Debian recommends libapache2-mod-php5, but there are still
> This is another issue which concerns me, since mod_php forces the use of
> preforking apache, which means that the server will either stop serving
> pages or OOM at the first hint of real traffic.
> (And obviously mod_php is wildly insecure for multitenant servers.)

You need php-cgi with something like fcgid to have it properly isolate
several web applications and still be somewhat scalable. mod-php is just a
toy in its current state, good enough to run stuff at home as long as it is
restricted to localhost...

> >   thousands of installations which report the use of php5-cgi according to the
> >   Popularity Contest statistics.
> Yes, because sensible people who need PHP will try to use it as
> CGI/FastCGI (or FPM, finally in wheezy).

Indeed.

> I am also concerned that a *simple* solution to restore the old
> behaviour in a secure way is not provided: maybe php5-cgi should install
> a sensible default configuration in /etc/apache2/conf.d/ ?

That, and leave mime.types alone. If the problem is caused by mod-php under
apache, any "simple solution" should be biased towards breaking mod-php
under apache, not everything else.

A good solution would not break anything.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: http://lists.debian.org/20120820004115.gc8...@khazad-dum.debian.net