This note is being sent as part of a project to clean out old (> 1yr) debian-policy proposals. If you disagree with the action below, please respond to [EMAIL PROTECTED], not to me, so that the discussion may be carried out publicly in debian-policy. Feel free to re-open the bug while it's being discussed -- I'm not trying to force any particular disposition, just taking my best shot at resolving dead issues.

Bug#23661: usr/doc should not be accessible through http servers by default

Summary: suggests that http://hostname/doc/ not be available by default, except to localhost clients. "security through obscurity" argument raised, but consensus seemed to be that making one's entire installed program list, including version, available to the internet was perhaps pushing it a bit far. It was noted that later releases of Apache and Boa restricted access, but that doesn't solve the problem generally. It then went on to the "Well, there's a whole bunch of services that shouldn't be available by default". Raul Miller seems to have started examining a way to deal with this, but there's no further note in the BTS after 22 Jun 2000.

Discussion: Policy currently says "HTML documents...can be referred to as http://localhost/doc/package/filename". This could be sufficient to imply that access should, by default, be restricted to localhost, but a guiding comment or footnote should probably be added. One question is what to do about httpds that don't support access controls.

Action: I've submitted a new proposal that addresses only the httpd issue that refers to this one.

