[php-maint] Bug#447764: Bug#447764: Bug#447764: libapache2-mod-php5: updated debdiff

sean finney seanius at debian.org
Thu Jan 10 04:36:46 UTC 2008

hey steve,

On Tuesday 08 January 2008 10:29:29 am Steve Langasek wrote:
> Hmm, 54 packages in lenny still disagree with you. :)  I'll admit I wasn't
> happy with the idea of putting it in /var/www, but AFAIK if there's a new
> "best practice" that should supersede this, it isn't published very widely?



which is, btw, linked from the developers' corner :)

> > - i'm not sure if this is something we want enabled or at least globally
> > accessible by default.  maybe a small wrapper script to enable/disable,
> > or it could be plugged into an existing  framework (will a2enmod work for
> > stuff that's only .conf and not .load files maybe?).
> Well, I think it misses the target audience if it's not enabled by default.

yeah, i suppose you're right.  but still i'd prefer a way that it could be 
turned on/off easily since rm'ing files installed by a package is less than 
ideal :)

also, along the "out of the box" lines, perhaps it would be good to split out 
the authentication information into an include file shipped in /etc (or maybe 
dump the entire file in /etc...)?  i.e. do we want to ship a default config 
of attempting to connect to a pgsql database with the password "foobar"?

> I'm guessing you're concerned about this being a security problem by virtue
> of being an information leak?  It seems to me that the only information
> being leaked is whether there's a mysql server or a postgresql server
> available on the local machine.  

hopefully, yes the only potential is an information leak.  but like the spate 
of phpinfo() vulnerabilities a year ago or so, there's always the potential 
that it could be used as leverage for something else.  having read through 
the file just now i don't really see any issue though (besides the one i 
brought up above about auth info).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20080110/0c62f7b3/attachment-0001.pgp 

More information about the pkg-php-maint mailing list