Jan Hauke Rahm <j...@debian.org> writes:
> On Mon, Nov 09, 2009 at 03:55:58PM -0800, Russ Allbery wrote:
>> sean finney <sean...@debian.org> writes:

>>> something that hasn't really been brought up (i mentioned it on the
>>> non-webapps thread in -devel already) is that this makes packages
>>> potentially opened in an unconfigured state. unless you can ensure
>>> that the system is only running on localhost, it has some significant
>>> security implications. personally i'd rather that /usr/lib/cgi-bin
>>> goes the way of the dodo, and that packages are required to
>>> ship/generate webserver config files if they want to function out of
>>> the box.

>> Wholeheartedly agreed, particularly if we can put a management system
>> in place similar to the (really nice) Apache module management system
>> that lets admins selectively enable specific applications, which
>> installing everything into a default CGI-active directory doesn't
>> permit as easily.

> Not that I'm opposed to what you're saying but... every application in
> the archive is configured during the installation process, possibly
> asking debconf questions, providing defaults etc. After the installation
> it should run in a mode that suits most use cases and is secure. We (or
> at least I) always expected that.

> Now with web applications, if I read your suggestions correctly, you want
> to just throw the files in the system, leave it unconfigured without
> meaningful defaults, even leading to an unsecure state, and then blame
> the web server for not securing the application?

> Or am I misunderstanding you?

No, as Sean says, I would enable the /vendor path and all applications by
default. What I want is a management system wherein one can selectively
enable or disable applications and where one can change (as a system-wide
default) the default installation behavior of new applications to leave
them unconfigured. That way, on my servers I can say to not configure
applications by default and have control over what I enable and how, but
those who want installed applications to just work can use the defaults
and have them be enabled automatically.
I think that would mean everyone would get what they want.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>