
Bug#100631: [PROPOSAL] Restrict http access to /usr/share/doc



Package: debian-policy
Version: 3.5.5.0
Severity: wishlist

In going over some ancient policy proposals, I came across #23661,
which proposed eliminating default http access to /usr/share/doc. The
conversation wandered off into the usual "we shouldn't have services
remotely accessible by default" discussion, but I'd like to make the
following specific proposal (in section 12.5, bullet item 2):

--- policy.sgml.orig    Tue Jun 12 11:27:48 2001
+++ policy.sgml Tue Jun 12 11:34:47 2001
@@ -6494,6 +6494,13 @@
 http://localhost/doc/<var>package</var>/<var>filename</var>
                </example>
              </p>
+             <p>
+                The web server should restrict access to the document
+                tree so that only clients on the same host can read
+                the documents. If the web server does not support such
+                access controls, then it should not provide access at
+                all, or ask about providing access during installation.
+             </p>
            </item>
 
            <item><p>Web Document Root</p>
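Review bot: the "or" in the second sentence of the added <p> binds ambiguously under "should not": "it should not provide access at all, or ask about providing access during installation" can be read as "should not ... ask". Suggest "then it should either not provide access at all or ask about providing access during installation", which also makes the amendment mentioned below (dropping the first alternative) a clean deletion. Separately, "clients on the same host" does not say how a server is to recognise them; since the example URL just above is http://localhost/doc/..., stating that the restriction is on the client's source address (the loopback interface) rather than on the Host header a client sends would make the requirement checkable, because any remote client can send "Host: localhost".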

I would not object to an amendment that removed "not provide access
at all, or " from the second sentence. I would object to changing the
shoulds to musts, as the present condition has long history, and I don't
see this as a critical change.

Note that in the discussion of 23661 (http://bugs.debian.org/23661)
it was concluded that though to some extent this is "security through
obscurity", handing a cracker your complete list of installed software
was probably not a good idea.

I'm asking for seconds.

Steve Greenland

-- 
steveg@moregruel.net
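The restriction the proposal asks for, as an added example that is not part of the bug report, of Debian policy, or of any Debian web server package: a minimal stand-alone server that maps http://localhost/doc/<package>/<filename> onto /usr/share/doc and answers only to clients whose TCP connection comes from the loopback interface. The decision is made on the peer address, never on the Host header, and it treats the IPv4-mapped form ::ffff:127.0.0.1 that dual-stack sockets report as local. The function names, the handler class and port 8080 are my own choices, not anything the page or Debian defines.

```python
# Added example (not from the bug report or Debian policy): serve /usr/share/doc
# over HTTP only to clients on the same host, judged by the peer's IP address.
import ipaddress
import posixpath
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

DOC_ROOT = "/usr/share/doc"   # filesystem tree named in the policy text
DOC_URL_PREFIX = "/doc/"      # URL tree: http://localhost/doc/<package>/<filename>


def is_local_client(peer_ip: str) -> bool:
    """True only for loopback peers (127/8, ::1, and ::ffff:127.x.x.x).

    Only the address the connection actually came from is trustworthy; a
    remote client can send 'Host: localhost' in the request, so the Host
    header must not be used for this decision.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # A dual-stack socket reports an IPv4 loopback peer as ::ffff:127.0.0.1,
    # which is not itself in ::1/128; unwrap it before the loopback test.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def authorize_doc_request(path: str, peer_ip: str) -> int:
    """HTTP status to answer a GET for `path` from `peer_ip` with."""
    # Collapse '.' and '..' first so /doc/../etc/passwd cannot escape the tree.
    normalized = posixpath.normpath(path)
    if not normalized.startswith(DOC_URL_PREFIX):
        return HTTPStatus.NOT_FOUND       # only the /doc/ tree is served here
    if not is_local_client(peer_ip):
        return HTTPStatus.FORBIDDEN       # the restriction the proposal asks for
    return HTTPStatus.OK


def doc_filesystem_path(path: str) -> str:
    """Map a (normalized) /doc/<package>/<filename> URL onto DOC_ROOT."""
    normalized = posixpath.normpath(path)
    return DOC_ROOT + normalized[len(DOC_URL_PREFIX) - 1:]


class DocHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # client_address[0] is the peer IP for both AF_INET and AF_INET6.
        status = authorize_doc_request(self.path, self.client_address[0])
        if status != HTTPStatus.OK:
            self.send_error(status)
            return
        try:
            with open(doc_filesystem_path(self.path), "rb") as f:
                body = f.read()
        except OSError:                    # missing file or a directory
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Binding to all interfaces (assumed port 8080) is deliberate here so the
    # per-peer check is what does the work; binding to 127.0.0.1 only is the
    # simpler belt-and-braces choice for a real deployment.
    HTTPServer(("", 8080), DocHandler).serve_forever()
```

The same policy in Apache terms is `Require local` inside a `<Directory /usr/share/doc>` block on Apache 2.4, or `Order deny,allow`, `Deny from all`, `Allow from 127.0.0.1` on the 1.3/2.2 series that was current when this proposal was written; either way the match is on the connecting address, which is the property the policy text should name.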
