On Wed, Jun 19, 2002 at 02:20:04PM -0700, Ryan Bloom wrote:
> > I'm sorry to have to revisit this, but I'm going to have to -1 this
> > whole thing. I don't want to have to go and enable all of my error
> > docs just because some admins believe it exposes them to risk,
> > which of course is total bunk.
>
> This argument is complete bunk. The problem is simple. We provide a
> directive that disables showing server information in the error log.
> With the default for our custom logs being to show that information, it
> is completely non-intuitive that if I disable the feature in the config
> file the error docs will ignore that config.

Then tie it to the directive, and don't disable it by default. Having to deal with this in two places makes no sense. That's what I'm vetoing. Although I'm opposed to it, I haven't vetoed the directive itself. Having the option to turn it off is at least a compromise. I tend to think that by even having the option we are giving some hope to an administrator that by turning off the versions he is somehow protecting himself.

> Simply by principle of least astonishment, the default should be the
> most restrictive, so that people who decide to be the most restrictive
> won't have to go changing things.

I don't know what you mean by restrictive. Apache should be safe to run with the default configurations. Having a server string does not in any known way increase risk.

> I would also remind you that there are people on this list who run major
> servers who _don't_ give out version information. That may be because
> their company demands it, or it may be because they believe it is more
> secure. It really doesn't matter.

Irrelevant. These people have the ability to remove the server string from their server by mere fact that they have the source. We are doing them a favor by simply making it a runtime option.

> Having the information in the error pages by default is bogus. Either
> add another variable, or leave it out. Adding it back in completely is
> completely wrong.

And I'm saying tie it to the directive or don't change it from how it's been for a long long time.

-aaron
