On Mon Mar 04, 2002 at 06:44:06PM -0800, David Walser wrote:

> > What are you talking about? Enabling Indexes by default somehow makes
> > Apache work whereas having it off by default doesn't?
>
> Did it ever occur to you that people use Apache for
> more than serving websites? Especially desktop users
> on networks, your primary userbase? I haven't used
> floppies in all of college, I just stick files in my
> public_html directory and get them when I need them, I
> also use my webserver to get files to people I talk to
> on the 'net. Every Apache user I know (that uses
> it on workstations) does the same things.

Not to sound silly or anything, but apache is a web server... we build and configure it as a web server. Our aim, with apache, is for it to be a web server. Now, I agree that there are probably a million and one uses for apache, but really... what you do with apache is your business, right? Just because you, and some people you know, use apache this way doesn't mean everyone uses it this way. I certainly never have. If I want a file manager, I'll use Nautilus, or Konqueror, or any other tool that was designed for that task.

Since apache is a web server, when we deal with configuration issues, we think of it as a web server. Thus, configuration options suitable for a web server.

> > Apache works just *fine* without Indexes. And because it is,
> > potentially, a security hole (through inappropriate disclosure), the
> > end user should be forced to enable it where appropriate... which is
> > exactly the case.
>
> It is not a security hole, and it's a joke calling it
> one. If someone's gonna put files on a public
> webserver that they don't want people to get to, they
> should either have to disable Indexes themselves (I
> mean geez, this is a very small percentage of Apache
> users, why punish everybody else?) or use htaccess
> (which there's much more documentation on).

Well, ok, perhaps "security hole" is not an appropriate phrase. Maybe "security concern" would be a better way to put it. However, as you stated before, we're looking at newbies here... newbies who may not know about .htaccess. In essence, we're helping protect the newbie apache admin. I don't think newbies will install the apache *web server* to act as a file manager... if they're going to look for a file manager, I don't think they'll be as creative as you and will use a tool intended to be a file manager.

As far as calling it "punishing everyone else", that's just as laughable as me calling it a "security hole". I hardly see this as punishment considering you must be savvy enough to make the necessary changes yourself. I really think that there is probably a low percentage of people who decide to take the apache web server and use it as the apache file manager.

> > This has absolutely nothing to do with whether apache works or not
> > "out of the box".
>
> It absolutely does depending on how you intend to use it.

Sure. And we intend for apache to be used as a web server and, again, we configure it as such. If you don't like that, I suppose you could contribute an apache-filemgr package.

Besides, this really is a moot point since it likely will not be changing anytime soon. I guess you'll just have to live with that. Sorry. While we can't control what you use a software package for, we can certainly control how we package it. And we've decided, since a long time ago, to package apache as a web server... if you choose to use it somehow else, then you must deal with reconfiguring it to suit your (nonstandard) needs.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD

Current Linux kernel 2.4.8-34.1mdk uptime: 41 days 1 hour 59 minutes.
