httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: vote on concept of ServerTokens Off
Date Wed, 02 Sep 2009 18:15:09 GMT
Guenter Knauf wrote:
> Hi,
> William A. Rowe, Jr. schrieb:
>> Jim Jagielski wrote:
>>> Lars Eilebrecht wrote:
>>>> According to Jeff:
>>>>
>>>>> A lot of opinions were offered back in August.  Some were negative but
>>>>> I don't see anything that looks like a veto.
>>>> I voted -1 at that time which is a veto.
>>>>
>>>> My opinion hasn't changed and I still think that it is a very
>>>> stupid idea to add a "feature" that allows our users to do
>>>> something which is stupid and absurd.
>>>>
>>>> *shrug* but as everyone seems to think that this is a good idea,
>>>> feel free to ignore my veto.
>>> A Veto is a Veto. If you feel strongly enough about it, then
>>> it cannot be, and should not be, ignored.
>> Lars,
>>
>> yours is the last veto standing for ServerTokens Off.  What say you?
>>
>> (Your veto would appear to imply a veto of any ServerTokens Set syntax).
> 
> If we would vote now, I would vote against. It makes no sense at all,
> and folks who believe that hiding ServerTokens would make their server
> more secure or relax the requirement to update for security bugfixes are
> complete idiots who have never looked into their server logs.

That was not the only point raised in the Server: toggle off debate.  The
major reason was to trash all the bug reports and user queries about this
issue, which show up daily at #httpd and several times a month on users@.
It's a distraction that helpful peers should not need to keep answering.

And the other minor point was applications where the user wanted to save
the bandwidth handful of bytes per response.  Not compelling justification,
but not a nonsensical request (unlike "how do I protect my server by...")

> Also, I think we have some new folks here who also might want to vote,
> and we should probably vote again?

And if they want to, they will.  There is a thread, though it's two years
old.  No need to start a new vote/thread.  There were an overwhelming
number of votes in favor, so other than outstanding vetoes, there is no
reason not to finish ServerTokens Off if someone like Jim or Jeff just
comes along and commits it [if and once Lars lifted his veto].


Mime
View raw message