Christopher Schultz wrote: > Markus Schönhaber wrote: > > You defend it yourself in the next paragraph you've written. > > > >> One could argue that more moving parts equals more complexity, and that > >> complexity is an enemy of security (and I agree). However, there must be > >> a balance. If good security requires layers, and each layer adds more > >> complexity, then there is a paradox. > > > > Exactly. > > I believe I raised a question, rather than defending a point.
Hm. In this case, I obviously missed your point - and I didn't understand your question either. > I'm > suggesting that things are more complicated than the sound bites that > some people like to drop. > > I would appreciate my FUD to come with a side order of empirical > evidence. For instance, if Leon had said "I've had bad security > experiences with Apache httpd", well, then at least he would have > actually been making a statement. OK, we can agree on that. I also consider absolute statements like "Don't install httpd! It will always breach the system's security!" as useless as statements like "You know nothing about httpd? Pah! Just go ahead and install it. There's absolutely nothing to worry about." > I would just urge posters to the list to post something more than > "product X sucks" or "". I hate having wasted my time to read a message > that does not move the dialog forward (not that I'm saying that Leon's > message was a waste of time). Let's all endeavor to provide proper > context and be precise in what message we are trying to communicate. Agreed. > Leon's message says flat out that adding Apache httpd reduces security, > and provides no basis for that statement. A more appropriate statement > might have been that Apache does not add any appreciable measure of > security as Tomcat provides the same kinds of protections against > unauthorized access, etc. True. Nevertheless, Leon has elaborated what he meant to say in his answer to your post (the one I'm also replying to atm). And the opinion he expresses there is quite similar to mine. To repeat once again: I'm not bashing httpd, Tomcat, IIS or whatever. I'm simply saying: if there is a good reason to install a particular piece of software, go ahead, install it *and* take care of it. If you don't see this good reason, don't install it. And I consider installing httpd *only* to make Tomcat accessible via port 80 not a good reason. I consider this plain dumb. Regards mks --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
