Please follow <URL:http://www.debian.org/MailingLists/#codeofconduct>; specifically, please don't send individual copies of messages you also send to the mailing list, since I haven't asked for them.
Xavier Luthi <[EMAIL PROTECTED]> writes:

> On Thu, Apr 10, 2008 at 08:58:51AM +1000, Ben Finney wrote:
> > Xavier Luthi <[EMAIL PROTECTED]> writes:
> >
> > > The webapp won't allow any authentication because the password is
> > > not set. How to ask for a password?
> >
> > Some way that the administrator can do so separately from
> > installing the package. Ideally, the installation would use the
> > same API to set the administrative password if available during
> > the install.
>
> The installation procedure from the upstream source asks for the
> administrative password the very first time anyone accesses the
> application (this is the "classical" way for a webapp).

It may be the "classical" way, but nevertheless it's making an
unwarranted assumption.

> The assumption is the installation time is the same as the
> configuration time, thus reducing to a minimum the time when the
> application is "left open".

The installation of a network-accessible application (or even one that
*could* be made network-accessible) should never have the application
"left open" for any period of time. In the absence of proper
administrative credentials, the application should refuse all access
until such credentials are set.

> In the case of the webapp packaged for Debian, the installation time
> is not always the same as the configuration time, so it is not an
> option to use the upstream method to set the password: this would be
> a big security hole. That's why the Debian package of a webapp often
> needs to diverge from the upstream source in the way the application
> is configured.

Such divergence is to be avoided where possible. I suggest, if you're
willing, you (as the Debian packager for this package) could work with
the upstream developers to close this security hole consistently in the
upstream *and* Debian packages.
-- 
 \       "...one of the main causes of the fall of the Roman Empire was |
  `\     that, lacking zero, they had no way to indicate successful |
_o__)    termination of their C programs." -- Robert Firth |
Ben Finney
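The two behaviours argued over in the message above, side by side, as an added example. This is not code from the original post, from the upstream application, or from the Debian package (neither is named in the thread); the `AdminStore` class, the `upstream_handle` / `hardened_handle` request handlers, the `local_set_admin_password` tool and the dict-shaped "requests" are all assumptions made for the demonstration. It shows the race the thread describes: with the "first visitor sets the password" pattern, whoever reaches the application between installation and configuration becomes the administrator, whereas the fail-closed variant refuses every network request until the password has been set out of band.

```python
"""Open-on-install versus fail-closed handling of an unset admin password.

Added example; the store, handlers and local tool are hypothetical and
stand in for whatever a packaged web application would really use.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


class AdminStore:
    """Persisted administrator credential. Unconfigured until set_password()."""

    def __init__(self):
        self.salt = None
        self.digest = None

    def is_configured(self):
        return self.digest is not None

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check(self, password):
        if not self.is_configured():
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.digest)


def upstream_handle(store, request):
    """'Classical' behaviour: the first visitor gets the setup page.

    request is a dict standing in for an HTTP request; it may carry
    'password' (login form) or 'new_password' (setup form).
    Returns (status, body).
    """
    if not store.is_configured():
        # Anyone who can reach the listener becomes the administrator.
        # This is the window that is "left open" between install and
        # configuration.
        if request.get("new_password"):
            store.set_password(request["new_password"])
            return 200, "admin password set"
        return 200, "setup page: choose an admin password"
    if store.check(request.get("password", "")):
        return 200, "admin console"
    return 403, "forbidden"


def hardened_handle(store, request):
    """Fail-closed behaviour: nothing is served until credentials exist."""
    if not store.is_configured():
        # No setup page over the network at all; the 'new_password'
        # field, if present, is ignored. Configuration happens locally.
        return 503, "not configured; set the admin password with the local tool"
    if store.check(request.get("password", "")):
        return 200, "admin console"
    return 403, "forbidden"


def local_set_admin_password(store, password):
    """Out-of-band configuration step for the local administrator.

    A package's post-install script or a CLI would call something like
    this; it never runs in response to a network request.
    """
    if len(password) < 12:
        raise ValueError("password too short")
    store.set_password(password)


def demo():
    """Attacker reaches the app before the administrator configures it."""
    attacker_setup = {"new_password": "pwned"}
    attacker_login = {"password": "pwned"}

    # Upstream pattern: the attacker's setup request wins the race.
    s = AdminStore()
    upstream_handle(s, attacker_setup)
    hijacked = upstream_handle(s, attacker_login)[0] == 200

    # Fail-closed pattern: the same request is refused, the admin then
    # configures locally, and only the real password opens the console.
    h = AdminStore()
    refused = hardened_handle(h, attacker_setup)[0] == 503
    local_set_admin_password(h, "correct horse battery")
    attacker_still_refused = hardened_handle(h, attacker_login)[0] == 403
    admin_ok = hardened_handle(h, {"password": "correct horse battery"})[0] == 200

    return {
        "upstream_hijacked": hijacked,
        "hardened_refused": refused,
        "attacker_still_refused": attacker_still_refused,
        "admin_ok": admin_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the 503 in `hardened_handle` is that the decision is made before any request field is looked at: an unconfigured instance has no code path that writes a credential, so neither a stray setup form nor a crafted request can claim the administrator role. The out-of-band tool is the only writer, which is what lets installation and configuration happen at different times without an open window between them.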

