httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: 1.3b8
Date Fri, 29 May 1998 01:14:41 GMT
I'm sure that one possible response would be "they have access to
the code; they can change it. Thus, we allow it to be a 'configurable'
option." :/

However, not everyone wants to recompile and we do provide pre-builts
for many OSs. Why not simply expand ServerTokens to allow for None?

Marc Slemko wrote:
> 
> On Thu, 28 May 1998, Dean Gaudet wrote:
> 
> > Look up the definition of SHOULD please.  We are fully compliant.
> 
> No, we are "conditionally compliant" as opposed to "unconditionally
> compliant".  I'm not sure what definition "fully" has.
> 
> In any case, I think there are other SHOULDs we don't do.
> 
> > 
> > Dean
> > 
> > On Thu, 28 May 1998, Rodent of Unusual Size wrote:
> > 
> > > Dean Gaudet wrote:
> > > > 
> > > > I'd rather not have that.  I rather like the very minimal
> > > > advertising we get from having a Server: header on all our
> > > > servers... except for those of folks clueful enough to edit
> > > > source anyhow.
> > > 
> > > We probably shouldn't call ourselves "fully HTTP/1.1 compliant,"
> > > then, since being able to turn off the Server header field emission
> > > is a SHOULD.  From RFC 2068:
> > > 
> > > >14.39 Server
> > > >     Note: Revealing the specific software version of the server may
> > > >     allow the server machine to become more vulnerable to attacks
> > > >     against software that is known to contain security holes. Server
> > > >     implementers are encouraged to make this field a configurable
> > > >     option.
> > > 
> > > >15.4 Transfer of Sensitive Information
> > > >    Revealing the specific software version of the server may allow
> > > >    the server machine to become more vulnerable to attacks against
> > > >    software that is known to contain security holes. Implementers
> > > >    SHOULD make the Server header field a configurable option.
> > > 
> > > Personally, I'd rather be fully compliant and give our users
> > > the ability to turn it off altogether (how many are going to?) than
> > > have my ego stroked by the count of servers out there.  Although
> > > it's a close call.. :->
> > > 
> > > #ken	P-)}
> > > 
> > > Ken Coar                    <http://Web.Golux.Com/coar/>
> > > Apache Group member         <http://www.apache.org/>
> > > "Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
> > > 
> > 
> 
> 


-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"
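
An added example, not part of the original message or of the Apache code: a check an operator could run over captured response headers to see how much the Server field discloses, using the product/comment grammar of the RFC 2068 section quoted in the thread. The header values are constructed samples, and the function and category names are this example's own.

```python
import re

# RFC 2068: Server = "Server" ":" 1*( product | comment )
#           product = token ["/" product-version]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT = re.compile(r"\(([^()]*)\)")  # nested comments are not handled here

def parse_server(value):
    """Split a Server field value into ([(product, version)], [comment])."""
    products, comments, pos = [], [], 0
    value = value.strip()
    while pos < len(value):
        if value[pos] in " \t":
            pos += 1
            continue
        m = COMMENT.match(value, pos)
        if m:
            comments.append(m.group(1))
        else:
            m = PRODUCT.match(value, pos)
            if not m:
                raise ValueError(f"unparseable Server value at offset {pos}")
            products.append((m.group(1), m.group(2)))
        pos = m.end()
    return products, comments

def disclosure(headers):
    """Classify a response: 'none', 'product', 'version' or 'version+platform'."""
    value = next((v for k, v in headers if k.lower() == "server"), None)
    if value is None or not value.strip():
        return "none"  # field absent: nothing about the software is revealed
    products, comments = parse_server(value)
    versioned = any(ver for _, ver in products)
    if versioned and (comments or len(products) > 1):
        return "version+platform"
    return "version" if versioned else "product"

# Constructed sample responses (header name, value) for illustration only.
SAMPLES = {
    "full": [("Server", "Apache/1.3b8 (Unix)"), ("Content-Type", "text/html")],
    "min": [("server", "Apache/1.3b8")],
    "product-only": [("Server", "Apache")],
    "suppressed": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:13} -> {disclosure(headers)}")
```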
