user [email protected]
usertags 715804 normative discussion
thanks

On Thu, Jul 11, 2013 at 01:24:45AM +0800, Thomas Goirand wrote:
> Package: debian-policy
> Severity: important
>
> The Debian policy for web apps still references /doc as accessible
> through the web (see point 3 of chapter 11.5), though it has been removed
> for security reasons. The policy should be updated.

Hi Thomas,

basically, what you propose is the following:

diff --git a/policy.sgml b/policy.sgml index 1508231..2651a1a 100644 --- a/policy.sgml +++ b/policy.sgml @@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var> before <var>cgi-bin-name</var>). </item> - <item> - <p>Access to HTML documents</p> - - <p> - HTML documents for a package are stored in - <file>/usr/share/doc/<var>package</var></file> - and can be referred to as - <example compact="compact"> -http://localhost/doc/<var>package</var>/<var>filename</var> - </example> - </p> - - <p> - The web server should restrict access to the document - tree so that only clients on the same host can read - the documents. If the web server does not support such - access controls, then it should not provide access at - all, or ask about providing access during installation. - </p> - </item> - <item> <p>Access to images</p> <p>

I note that /doc was only to be served locally. How did that cause security issues?

Anyway, if the webservers that we distribute have dropped that functionality (can you confirm that it is not just apache2?), then I also support adjusting the Policy accordingly.

Have a nice day,

--
Charles Plessy
Tsurumi, Kanagawa, Japan
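
Review bot: Deleting the whole "Access to HTML documents" item leaves Policy silent on whether a package may still expose /usr/share/doc/package over HTTP, and it also drops the only statement in this item that such access should be limited to clients on the same host. If the web servers no longer provide the /doc mapping, consider replacing the item with a short one saying that packages should not rely on http://localhost/doc/package/filename being available, and that a server which does serve the document tree should restrict it to local clients, rather than removing both paragraphs outright. The removal also moves the following "Access to images" item up one position, so anything that refers to these items by number (the report itself cites "point 3") should be checked.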

