On 10/12/2017 01:57 PM, Jonas Smedegaard wrote:
> Quoting Stuart Prescott (2017-10-12 11:14:28)
>> your opinions on the security implications of enabling an http server 
>> within cantata (an mpd client) to send local files to mpd are desired. 
>> The changes that Jonas describes are now in a new upstream release 
>> that I'd like to upload soon.
> 
> I believe both the MPD protocol itself and the streaming protocol it 
> supports are unencrypted, and MPD is therefore sensible to use only 
> within a trusted network.
> 
> I see no need to disable the ability for our users to enable an 
> additional unencrypted side-channel for MPD-related traffic.

+1

> 
> Instead of disabling the feature, it might make sense to mention the 
> embedded http daemon in long description and README.Debian with a 
> suggestion to install a personal firewall, and have the package suggest 
> firewalld.
> 
> You might also file a bug upstream to suggest isolating that mechanism 
> as a plugin, so that it could be packaged as a separate binary package, 
> allowing our users to explicitly avoid the feature completely, while 
> still enjoying the rest of the program.
> 

or add a configuration option to enable the spawning of the http-server
(or prevent it).

gfmsadr
IOhannes


_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
