httpd-dev mailing list archives

Subject Re: --enable-dav
Date Tue, 04 Jul 2000 16:30:04 GMT
On Mon, 3 Jul 2000, Greg Stein wrote:

> On Mon, Jul 03, 2000 at 01:16:27PM +0100, David Reid wrote:
> > Are you saying that in future you won't need to have both mod_dav and
> > mod_dav_fs?  I just think that we should make it easy to enable as we're
> > going to have it disabled by default.
> Actually, I think it should be enabled by default. I just haven't done that
> yet because the config/build stuff is in flux.

I am VERY much against enabling dav by default.  The modules that we
enable by default have always been the modules most people need/use.  We
don't turn on mod_rewrite by default or mod_speling.  At least for 2.0, I
REALLY want dav off by default.  We have no way of really knowing how many
security holes are in the dav stuff, and IMHO dav has a bigger chance of
exposing security issues than most modules.  This has nothing to do with
the code, this has to do with what DAV is used for, and the fact that the
code hasn't really gone through a security review that I know of.

I will be much more in favor of turning on any part of DAV by default in
2.1 or 2.2.


Ryan Bloom               
406 29th St.
San Francisco, CA 94131
