Quoting Stuart Prescott (2017-10-12 11:14:28)
> your opinions on the security implications of enabling an http server 
> within cantata (an mpd client) to send local files to mpd are desired. 
> The changes that Jonas describes are now in a new upstream release 
> that I'd like to upload soon.

I believe both the MPD protocol itself and the streaming protocol it 
supports are unencrypted, and MPD is therefore sensible to use only 
within a trusted network.

I see no need to disable the ability for our users to enable an 
additional unencrypted side-channel for MPD-related traffic.

Instead of disabling the feature, it might make sense to mention the 
embedded http daemon in the long description and README.Debian with a 
suggestion to install a personal firewall, and have the package suggest 
firewalld.

You might also file a bug upstream to suggest isolating that mechanism 
as a plugin, so that it could be packaged as a separate binary package, 
allowing our users to explicitly avoid the feature completely, while 
still enjoying the rest of the program.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
