RFC: Enabling http transport of files to mpd within an mpd client?
IOhannes m zmölnig (Debian/GNU)
umlaeute at debian.org
Fri Oct 13 19:04:51 UTC 2017
On 10/12/2017 01:57 PM, Jonas Smedegaard wrote:
> Quoting Stuart Prescott (2017-10-12 11:14:28)
>> your opinions on the security implications of enabling an http server
>> within cantata (an mpd client) to send local files to mpd are desired.
>> The changes that Jonas describes are now in a new upstream release
>> that I'd like to upload soon.
>
> I believe both the MPD protocol itself and the streaming protocol it
> supports are unencrypted, and MPD is therefore sensible to use only
> within a trusted network.
>
> I see no need to disable the ability for our users to enable an
> additional unencrypted side-channel for MPD-related traffic.
+1
>
> Instead of disabling the feature, it might make sense to mention the
> embedded http daemon in long description and README.Debian with a
> suggestion to install a personal firewall, and have the package suggest
> firewalld.
>
> You might also file a bug upstream to suggest isolating that mechanism
> as a plugin, so that it could be packaged as a separate binary package,
> allowing our users to explicitly avoid the feature completely, while
> still enjoying the rest of the program.
>
or add a configuration option to enable the spawning of the http-server
(or prevent it).
gfmsadr
IOhannes
More information about the pkg-multimedia-maintainers mailing list