Bug#447764: [php-maint] Bug#447764: Bug#447764: libapache2-mod-php5: updated debdiff
On Thu, 10 Jan 2008, sean finney wrote:

> also, along the out of the box lines, perhaps it would be good to split out
> the authentication information into an include file shipped in /etc (or maybe
> dump the entire file in /etc...)? i.e. do we want to ship a default config of
> attempting to connect to a pgsql database with the password foobar?

What if rather than using 'foobar' it was just a blank password?

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#447764: [php-maint] Bug#447764: Bug#447764: libapache2-mod-php5: updated debdiff
hey steve,

On Tuesday 08 January 2008 10:29:29 am Steve Langasek wrote:
> Hmm, 54 packages in lenny still disagree with you. :)  I'll admit I wasn't
> happy with the idea of putting it in /var/www, but AFAIK if there's a new
> best practice that should supersede this, it isn't published very widely?

ehem:

http://webapps-common.alioth.debian.org/draft/html/ch-issues.html#s-issues-fhs

which is, btw, linked from the developers' corner :)

> > - i'm not sure if this is something we want enabled or at least globally
> >   accessible by default. maybe a small wrapper script to enable/disable, or
> >   it could be plugged into an existing framework (will a2enmod work for
> >   stuff that's only .conf and not .load files maybe?).
>
> Well, I think it misses the target audience if it's not enabled by default.

yeah, i suppose you're right. but still i'd prefer a way that it could be
turned on/off easily since rm'ing files installed by a package is less than
ideal :)

also, along the out of the box lines, perhaps it would be good to split out
the authentication information into an include file shipped in /etc (or maybe
dump the entire file in /etc...)? i.e. do we want to ship a default config of
attempting to connect to a pgsql database with the password foobar?

> I'm guessing you're concerned about this being a security problem by virtue
> of being an information leak?  It seems to me that the only information
> being leaked is whether there's a mysql server or a postgresql server
> available on the local machine.

hopefully, yes the only potential is an information leak. but like the spate
of phpinfo() vulnerabilities a year ago or so, there's always the potential
that it could be used as leverage for something else. having read through the
file just now i don't really see any issue though (besides the one i brought
up above about auth info).

sean

signature.asc
Description: This is a digitally signed message part.
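An added example of the two things this message asks for: a small enable/disable wrapper for a .conf-only fragment, and a check that the database credentials include lives in /etc rather than under the document root. It is not code from the libapache2-mod-php5 package or from anyone in this thread. It assumes a hypothetical conf-available directory beside Debian's /etc/apache2/conf.d (which apache2.conf already Includes), a fragment name php5-testpage.conf, a page directory under /usr/share, and a credentials file such as /etc/php5/testpage-auth.php; the localhost-only <Directory> restriction in the generated fragment is an added choice, not something proposed in the thread, and the check for a quoted 'foobar' reflects the placeholder password discussed above.

```shell
#!/bin/sh
# Added example, not the package's own maintainer scripts. Paths, file names
# and the conf-available directory are assumptions; set APACHE_ETC and DOCROOT
# to a scratch directory to try it without touching a real system.
set -eu

APACHE_ETC="${APACHE_ETC:-/etc/apache2}"
DOCROOT="${DOCROOT:-/var/www}"
CONF_NAME="php5-testpage.conf"                       # hypothetical fragment name
PAGE_DIR="/usr/share/libapache2-mod-php5/testpage"   # hypothetical, outside DOCROOT

# Write the Apache fragment: an Alias instead of files dropped in /var/www, and
# (an added choice) access limited to localhost so the page answers only local
# requests. Apache 2.2 access-control syntax, as Debian shipped in 2008.
testpage_write_fragment() {
    mkdir -p "$APACHE_ETC/conf-available"
    cat > "$APACHE_ETC/conf-available/$CONF_NAME" <<EOF
Alias /php5-test $PAGE_DIR
<Directory $PAGE_DIR>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>
EOF
}

# Enable by symlinking into conf.d (the same mechanism a2enmod uses for
# mods-enabled); disable by removing the link, never the packaged file.
testpage_enable() {
    [ -f "$APACHE_ETC/conf-available/$CONF_NAME" ] || {
        echo "fragment $CONF_NAME not found" >&2; return 1; }
    mkdir -p "$APACHE_ETC/conf.d"
    ln -sf "../conf-available/$CONF_NAME" "$APACHE_ETC/conf.d/$CONF_NAME"
}

testpage_disable() {
    rm -f "$APACHE_ETC/conf.d/$CONF_NAME"
}

testpage_status() {
    if [ -L "$APACHE_ETC/conf.d/$CONF_NAME" ]; then echo enabled; else echo disabled; fi
}

# Check the credentials include (e.g. /etc/php5/testpage-auth.php, hypothetical).
# Fails if it sits under DOCROOT (where the web server could serve it), if it
# is world-readable, or if it still carries the quoted placeholder 'foobar'.
creds_ok() {
    f="$1"
    case "$f" in
        "$DOCROOT"/*) echo "$f is inside the document root" >&2; return 1 ;;
    esac
    [ -f "$f" ] || { echo "$f is missing" >&2; return 1; }
    mode=$(stat -c %a "$f")                 # GNU stat: octal mode such as 640
    if [ $(( (mode % 10) & 4 )) -ne 0 ]; then
        echo "$f is world-readable (mode $mode)" >&2; return 1
    fi
    if grep -Eq "['\"]foobar['\"]" "$f"; then
        echo "$f still contains the placeholder password" >&2; return 1
    fi
    return 0
}
```

The fragment file stays in place when the page is disabled, so a later enable is a symlink, not a reinstall; the credentials check is the kind of thing a postinst could run before enabling the page by default.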
Bug#447764: [php-maint] Bug#447764: Bug#447764: libapache2-mod-php5: updated debdiff
On Mon, Jan 07, 2008 at 11:14:39AM +0100, sean finney wrote:
> hey folks,

> On Monday 07 January 2008 10:39:01 am Steve Langasek wrote:
> > Overall, I think this is a reasonable thing to add to the package.  Sean,
> > are you ok with it?

> i'm surprised i didn't comment on this.. must have lost my draft or
> something. anyway, i think the idea in theory is nice, i haven't actually
> checked the contents of the page itself. however:

> - i don't think we should be dropping files in /var/www. we could accomplish
>   the same with an alias/scriptalias in a config file.

Hmm, 54 packages in lenny still disagree with you. :)  I'll admit I wasn't
happy with the idea of putting it in /var/www, but AFAIK if there's a new
best practice that should supersede this, it isn't published very widely?

> - i'm not sure if this is something we want enabled or at least globally
>   accessible by default. maybe a small wrapper script to enable/disable, or
>   it could be plugged into an existing framework (will a2enmod work for
>   stuff that's only .conf and not .load files maybe?).

Well, I think it misses the target audience if it's not enabled by default.

I'm guessing you're concerned about this being a security problem by virtue
of being an information leak?  It seems to me that the only information being
leaked is whether there's a mysql server or a postgresql server available on
the local machine.  If someone is in a position to exploit this fact,
presumably they don't need the PHP test page to tell them it's there?

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                   [EMAIL PROTECTED]
Bug#447764: [php-maint] Bug#447764: Bug#447764: libapache2-mod-php5: updated debdiff
hey folks,

On Monday 07 January 2008 10:39:01 am Steve Langasek wrote:
> Overall, I think this is a reasonable thing to add to the package.  Sean,
> are you ok with it?

i'm surprised i didn't comment on this.. must have lost my draft or something.
anyway, i think the idea in theory is nice, i haven't actually checked the
contents of the page itself. however:

- i don't think we should be dropping files in /var/www. we could accomplish
  the same with an alias/scriptalias in a config file.

- i'm not sure if this is something we want enabled or at least globally
  accessible by default. maybe a small wrapper script to enable/disable, or it
  could be plugged into an existing framework (will a2enmod work for stuff
  that's only .conf and not .load files maybe?).

sean