Package: debian-policy
Version: 3.5.5.0
Severity: wishlist

In going over some ancient policy proposals, I came across #23661, which proposed eliminating default http access to /usr/share/doc. The conversation wandered off into the usual "we shouldn't have services remotely accessible by default" discussion, but I'd like to make the following specific proposal (in section 12.5, bullet item 2):
--- policy.sgml.orig Tue Jun 12 11:27:48 2001 +++ policy.sgml Tue Jun 12 11:34:47 2001 @@ -6494,6 +6494,13 @@ http://localhost/doc/<var>package</var>/<var>filename</var> </example> </p> + <p> + The web server should restrict access to the document + tree so that only clients on the same host can read + the documents. If the web server does not support such + access controls, then it should not provide access at + all, or ask about providing access during installation. + </p> </item> <item><p>Web Document Root</p>

I would not object to an amendment that removed "not provide access at all, or " from the second sentence. I would object to changing the shoulds to musts, as the present condition has long history, and I don't see this as a critical change.

Note that in the discussion of 23661 (http://bugs.debian.org/23661) it was concluded that though to some extent this is "security through obscurity", handing a cracker your complete list of installed software was probably not a good idea.

I'm asking for seconds.

Steve Greenland
-- 
[EMAIL PROTECTED]
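Review bot: the new <p> leaves "clients on the same host" undefined, so two web servers (or two maintainers) could implement it differently; since the context line directly above gives the URL as http://localhost/doc/<var>package</var>/<var>filename</var>, consider stating explicitly that access should be limited to connections arriving on the loopback interface (127.0.0.1 / ::1), which is what "localhost" resolves to. Also, the third alternative, "ask about providing access during installation", reads as allowing unrestricted remote access whenever the administrator answers yes, which sits awkwardly beside the first sentence's "should restrict"; rewording it along the lines of "ask, during installation, whether to provide unrestricted access" would make the consequence of that answer explicit.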


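The proposed wording amounts to a web server access rule: the /doc/ alias stays, but only local clients may read it. The fragment below is an added example, not part of the bug report or of Debian policy, showing what that rule looks like for Apache httpd 2.4 (mod_alias and mod_authz_host, both standard modules). The Alias path /usr/share/doc/ follows the report; the assumption that the server is Apache and that the directory is listed with Options Indexes is mine.

```apache
# Added example, not from the original bug report. Two alternative fragments for
# the same /doc/ alias; a configuration would carry exactly one of them.

# (1) The situation the report objects to: /usr/share/doc is served to any client.
#     With "Indexes" on, a remote visitor gets a directory listing that is,
#     in effect, the host's list of installed packages.
Alias /doc/ /usr/share/doc/
<Directory /usr/share/doc/>
    Options Indexes FollowSymLinks
    Require all granted
</Directory>

# (2) The proposed policy text applied: only clients on the same host.
#     "Require local" (Apache 2.4, mod_authz_host) matches 127.0.0.0/8, ::1 and
#     the addresses assigned to the server's own interfaces; every other client
#     receives 403 Forbidden.
Alias /doc/ /usr/share/doc/
<Directory /usr/share/doc/>
    Options Indexes FollowSymLinks
    Require local
</Directory>
```

To check the result, request http://localhost/doc/ from the machine itself (expect 200 and a listing) and the same path from another machine on the network (expect 403). On Apache 2.2 the equivalent of fragment (2) is `Order deny,allow`, `Deny from all`, `Allow from 127.0.0.1 ::1`. One caveat a practitioner should keep in mind: a reverse proxy or tunnel terminating on the same host makes remote requests appear local, so the rule protects the listing only as long as nothing on the host forwards outside traffic to it.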