[php-maint] Bug#447764: libapache2-mod-php5: updated debdiff
sean finney
seanius at debian.org
Thu Jan 10 04:36:46 UTC 2008
hey steve,
On Tuesday 08 January 2008 10:29:29 am Steve Langasek wrote:
> Hmm, 54 packages in lenny still disagree with you. :) I'll admit I wasn't
> happy with the idea of putting it in /var/www, but AFAIK if there's a new
> "best practice" that should supersede this, it isn't published very widely?
ehem:
http://webapps-common.alioth.debian.org/draft/html/ch-issues.html#s-issues-fhs
which is, btw, linked from the developers' corner :)
> > - i'm not sure if this is something we want enabled or at least globally
> > accessible by default. maybe a small wrapper script to enable/disable,
> > or it could be plugged into an existing framework (will a2enmod work for
> > stuff that's only .conf and not .load files maybe?).
>
> Well, I think it misses the target audience if it's not enabled by default.
yeah, i suppose you're right. but still i'd prefer a way that it could be
turned on/off easily since rm'ing files installed by a package is less than
ideal :)
also, along the "out of the box" lines, perhaps it would be good to split out
the authentication information into an include file shipped in /etc (or maybe
dump the entire file in /etc...)? i.e. do we want to ship a default config
of attempting to connect to a pgsql database with the password "foobar"?
> I'm guessing you're concerned about this being a security problem by virtue
> of being an information leak? It seems to me that the only information
> being leaked is whether there's a mysql server or a postgresql server
> available on the local machine.
hopefully, yes the only potential is an information leak. but like the spate
of phpinfo() vulnerabilities a year ago or so, there's always the potential
that it could be used as leverage for something else. having read through
the file just now i don't really see any issue though (besides the one i
brought up above about auth info).
sean