On Aug 7, 2:17 pm, Michael Shadle <[email protected]> wrote:
> memcached has never claimed to be "secure" in the sense you're thinking.

In what sense am I thinking?

> It's a domain specific application that was designed the lightest way
> possible with certain expectations of its usage.

My suggestion follows that design.

> Do you also want mysql to spit out a warning if it's listening on a public ip?

Does the documentation for mysql warn admins to not do that?

> Do you want your webserver to spit out a notice when it's not listening on a
> public ip?

Ditto.

> Some people need the "for external use only" type warnings but honestly if
> you don't grok the basics of server administration then you shouldn't be in a
> position to do it.

I believe that I do (the jury's still out on that question, I only have 25 years' experience), but apparently some very well known sites don't.

> Or, fork memcached (you're totally allowed to) and make a version that offers
> kid gloves. Notices on startup reminding you about IP address binding (even
> though the config file makes it very clear how to bind) a username/password
> in the protocol (slowing it down and negating the original purpose) and why
> not also remind the admin to take a shower or eat a healthy breakfast while
> you're at it.

My suggestion neither slows memcached down nor negates its original purpose. Ditto Loganaden's patch, which to all appearances you should also be objecting to. He's breaking the functionality of documented commands, for gawd's sake; I won't be able to use remote debug or dump the cache. How will I ever be able to find and fix problems?
