RFC: Enabling http transport of files to mpd within an mpd client?
Jonas Smedegaard
jonas at jones.dk
Thu Oct 12 11:57:57 UTC 2017
Quoting Stuart Prescott (2017-10-12 11:14:28)
> your opinions on the security implications of enabling an http server
> within cantata (an mpd client) to send local files to mpd are desired.
> The changes that Jonas describes are now in a new upstream release
> that I'd like to upload soon.

I believe both the MPD protocol itself and the streaming protocol it
supports are unencrypted, and MPD is therefore sensible to use only
within a trusted network.

I see no need to disable the ability for our users to enable an
additional unencrypted side-channel for MPD-related traffic.

Instead of disabling the feature, it might make sense to mention the
embedded http daemon in the long description and README.Debian with a
suggestion to install a personal firewall, and have the package suggest
firewalld.

You might also file a bug upstream to suggest isolating that mechanism
as a plugin, so that it could be packaged as a separate binary package,
allowing our users to explicitly avoid the feature completely, while
still enjoying the rest of the program.

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private