httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: cvs commit: httpd-2.0/docs/error/include bottom.html
Date Thu, 20 Jun 2002 16:24:46 GMT
On Wed, Jun 19, 2002 at 02:20:04PM -0700, Ryan Bloom wrote:
> > I'm sorry to have to revisit this, but I'm going to have to -1 this
> > whole thing. I don't want to have to go and enable all of my error
> > docs just because some admins believe it exposes them to risk,
> > which of course is total bunk.
> 
> This argument is complete bunk.  The problem is simple.  We provide a
> directive that disables showing server information in the error log.
> With the default for our custom logs being to show that information, it
> is completely non-intuitive that if I disable the feature in the config
> file the error docs will ignore that config.

Then tie it to the directive, and don't disable it by default. Having
to deal with this in two places makes no sense. That's what I'm vetoing.

Although I'm opposed to it, I haven't vetoed the directive itself.
Having the option to turn it off is at least a compromise. I tend
to think that by even having the option we are giving some hope to
an administrator that by turning off the versions he is somehow
protecting himself.

> Simply by principle of least astonishment, the default should be the
> most restrictive, so that people who decide to be the most restrictive
> won't have to go changing things.

I don't know what you mean by restrictive. Apache should be safe to run
with the default configurations. Having a server string does not in any
known way increase risk.

> I would also remind you that there are people on this list who run major
> servers who _don't_ give out version information.  That may be because
> their company demands it, or it may be because they believe it is more
> secure.  It really doesn't matter.

Irrelevant. These people have the ability to remove the server string
from their server by mere fact that they have the source. We are doing
them a favor by simply making it a runtime option.

> Having the information in the error pages by default is bogus.  Either
> add another variable, or leave it out.  Adding it back in completely is
> completely wrong.

And I'm saying tie it to the directive or don't change it from how it's
been for a long long time.

-aaron
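For reference, the two settings the thread is arguing about, written out as an added example (not part of this message or of the committed error docs). The directive names and the env variable are Apache's real ones; the mapping of the ServerSignature footer into the SSI-driven error pages is what the thread wants tied together, and the exact way the committed bottom.html does (or did not) honor it is not shown on this page, so the SSI line in the comment is an assumption about how an admin would check it, not a quote of the commit:

```apacheconf
# Default-style configuration: the Server header carries the full
# product/version string and a signature footer is appended to
# server-generated pages (error documents, directory listings).
#   ServerTokens Full
#   ServerSignature On

# Restrictive configuration that the "don't give out versions" admins
# in the thread run: Server header shrinks to "Apache" and no footer
# line is generated, so SERVER_SIGNATURE is empty for CGI/SSI as well.
ServerTokens Prod
ServerSignature Off

# Route errors to the SSI-based error documents shipped in docs/error.
# (Path is an assumption for this example.)
Alias /error/ "/usr/local/apache2/error/"
<Directory "/usr/local/apache2/error">
    Options IncludesNoExec
    AddOutputFilter Includes html
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var

# An error document that honors the directive instead of hard-coding the
# server string would test the variable mod_include exposes, e.g. in an
# include fragment (assumed, not the committed bottom.html):
#   <!--#if expr="$SERVER_SIGNATURE" -->
#     <!--#echo encoding="none" var="SERVER_SIGNATURE" -->
#   <!--#endif -->
```

With ServerSignature Off the `$SERVER_SIGNATURE` test is false and the footer is omitted, which is the single-place-of-control behaviour both sides of the thread say they want; the disagreement is only over what the default should be.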
