Date: Mon, 17 Sep 2001 07:26:15 -0400 (EDT)
From: Rich Bowen
To: Allan Liska
Subject: Re: Proposal for Improving the Security Docs

On Sun, 16 Sep 2001, Allan Liska wrote:

> Hello,
>
> As I mentioned earlier this week, I would like to try to improve the
> layout of the security docs. I'd really like feedback from people
> on this list as to how in-depth the documents should go. As an
> example, should we explain how to set permissions for optimal
> security in an Apache root directory?

Yes. The documentation should be the one location where folks need to
look for information on how to run the Apache server. There are cases
where off-site links may be appropriate, but I tend to think that the
docs should be comprehensive.

> There is also the problem of duplication. If we are going to
> discuss Server Side Includes we obviously have to mention
> mod_include, but should we also discuss access control using
> mod_access, or is that too much overlap?

Because we have the docs in HTML, duplication should not be necessary.
Fill in the additional detail in whichever doc it is appropriate, and
provide links.

> Finally, I would really like to see, at least links if not brief
> descriptions of Apache security exploits. I know that information
> is available on the site, but I would assume people would go to the
> security section to get that information as well.

I'd be a little wary of this one. What is the reasoning behind this?
It's almost as though you're providing a resource for folks that want
to take advantage of the security exploits. You check on Netcraft ...
Ah, they are running 1.3.9 ... tap tap tap ... Oh, look, there's a
security exploit in 1.3.9 ... tap tap tap ... great, now I have root.
Or whatever.

Is this something that is generally recommended by security experts?

-- 
Nothing is perfekt. Certainly not me.
Success to failure. Just a matter of degrees.