On 2014-09-23 11:25:53 +0200, ilf wrote:
> Vincent Lefevre:
> > On http://forum.ovh.com/archive/index.php/t-47594.html someone said
>
> A link to a five year old thread on some random webforum is not exactly a
> convincing argument. If you want to have a discussion on law, please link to
> the legal text of the law in its official and in effect form.
The link above contains some other links. IIRC, some of them are off-topic (such as anything related to private communications). But there's this one:

  http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&dateTexte=

about "prestataires techniques", i.e. someone who maintains a service but doesn't want to be responsible for what is done with it. The law provides him with some protection, but on the other hand, he has some obligations. The French law does *not* enforce these obligations, and someone who maintains a web service is free to ignore them, but in such a case, he no longer has such protection. One of these obligations is:

  Les personnes mentionnées aux 1 et 2 du I détiennent et conservent les
  données de nature à permettre l'identification de quiconque a contribué à
  la création du contenu ou de l'un des contenus des services dont elles sont
  prestataires.

(in English: "The persons mentioned in 1 and 2 of I hold and retain the data that would allow the identification of anyone who has contributed to the creation of the content, or of one of the contents, of the services they provide.")

Basically, it says that one needs to keep some logs that would allow authorities to identify contributors. It doesn't say exactly what, but I suppose that in the absence of other data, the IP address and the date/time must be kept (this will be used as a part of the investigation). The duration isn't given in the law but in a "décret" (and I don't have it here -- anyway it's obviously much more than two weeks).

Note also that this law is about the creation of public contents. Most end-user web servers do not offer that. The important point is that there may be very similar issues. For instance, an attacker may compromise a web server and provide his own, illegal contents. Using the logs may allow one to identify the attacker. Without any log, the end user would be taken as responsible (or have a part of the responsibility).

IMHO, the default should protect end users who have the least knowledge or do the most basic things. Many users don't have a public web server, but they may have a web server installed and running (sometimes automatically due to a dependency) because of various services.
For instance, I have ones to test my web site (and access it locally), also used for sensord graphs. They are not publicized. Since they don't contain private data and I want to have access to them from various places, I haven't added specific restrictions (at least at the web server level). I can check in the logs if some people try to do anything bad with them... If in any case, due to some vulnerability, someone compromises the server or uses it as a gateway to do illegal things somewhere else, logs can really be useful.

Admins of more important web servers can take some more time to adjust config files (such as log rotation), depending on their needs. But really, for a private web server (or public with minimalist contents), there should be good defaults.

Moreover, logs can also be useful for tools like fail2ban, and it is not clear whether such a change may affect such tools, at least in every configuration.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
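As an added illustration of the "adjust log rotation to your needs" point above (this is example configuration written for this page, not part of Vincent's message or of Debian's apache2 packaging), here is a logrotate stanza that keeps web server logs long enough to be useful in an investigation while restricting who can read them. The file location, log path, retention count and the reload helper path are assumptions; only the idea that two weeks is too short comes from the thread.

```conf
# Assumed location: /etc/logrotate.d/apache2 (overrides the packaged file)
/var/log/apache2/*.log {
    # One rotated file per day, so a date in a request maps to one file
    daily
    missingok
    notifempty
    # Retention: 365 daily files (about a year). The exact value is an
    # assumption; pick it according to your legal and operational needs.
    rotate 365
    compress
    # Keep the most recent rotated file uncompressed so that grep and
    # log-reading tools still find plain text during an investigation
    delaycompress
    # Logs contain client IP addresses: recreate them readable only by
    # root and the adm group
    create 640 root adm
    sharedscripts
    postrotate
        # Ask Apache to reopen its log files after rotation
        # (helper path assumed)
        if [ -x /usr/sbin/apache2ctl ]; then
            /usr/sbin/apache2ctl graceful > /dev/null 2>&1
        fi
    endscript
}
```

Before relying on it, run `logrotate -d /etc/logrotate.d/apache2` as root: the `-d` flag performs a dry run and prints what would be rotated, so a typo in the stanza shows up before the nightly cron job silently skips the file. Because the live log is recreated rather than truncated, tools such as fail2ban that follow the current access log simply reopen the new file after rotation; the retention count only affects how long the rotated copies stay on disk.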

