[Python-modules-team] Bug#715804: Debian policy for web apps still references /doc as accessible
Charles Plessy
plessy at debian.org
Sat Jul 13 23:47:24 UTC 2013
Hello,
I am contacting you because you are listed as maintainer of a package
that provides the httpd virtual package. (grep-aptavail -F Provides httpd)
The Debian Policy currently specifies that /usr/share/doc/“package” is served
on localhost by web servers. This has been discontinued with apache2 because
it lead to possible risks of executing example scripts that were not intented
for that purpose. (http://www.debian.org/security/2012/dsa-2452)
We are considering removing the specification about serving /usr/share/doc/“package”
(see below), but before doing so, I would like to know if this is a feature
that is also provided by the web server you maintain.
>
> diff --git a/policy.sgml b/policy.sgml
> index 1508231..2651a1a 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var>
> before <var>cgi-bin-name</var>).
> </item>
>
> - <item>
> - <p>Access to HTML documents</p>
> -
> - <p>
> - HTML documents for a package are stored in
> - <file>/usr/share/doc/<var>package</var></file>
> - and can be referred to as
> - <example compact="compact">
> -http://localhost/doc/<var>package</var>/<var>filename</var>
> - </example>
> - </p>
> -
> - <p>
> - The web server should restrict access to the document
> - tree so that only clients on the same host can read
> - the documents. If the web server does not support such
> - access controls, then it should not provide access at
> - all, or ask about providing access during installation.
> - </p>
> - </item>
> -
> <item>
> <p>Access to images</p>
> <p>
Have a nice day,
--
Charles Plessy
Tsurumi, Kanagawa, Japan
More information about the Python-modules-team
mailing list