Debian Weekly News - email

X-Mailer: Mutt 0.95.3i
Date:   Mon, 5 Apr 1999 19:53:35 +0300
From:   "Andrei D. Caraman" <adc@KILI.MEDIASAT.RO>
Subject:      An issue with Apache on Debian

[ Aleph1,

I don't remember this being posted on Bugtraq, but feel free to
kill it, if it's yesterday's news. ]

This pertains to the Apache configuration as shipped with Debian 2.1
(codename slink).

The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc
directory available to anyone as  The relevant
line is in the srm.conf file:

	Alias /doc/ /usr/doc/

That would allow any user from the net (malicious or not) to know the
exact version of the software packages installed on a Debian box.  It
looks  more of a privacy issue then a security one.  However, if a
security vulnerability affecting any of those packes is found, attackers
may already know which targets to hit (and maybe the ones to be avoided).

At first I thought that alias should be disabled, but upon further
reading the lines below (`The above line is for Debian webstandard 3.0,
which specifies that /doc refers to /usr/doc. Some packages may not
work otherwise.') I'd say that access to that location should be only
allowed from localhost (note that a web proxy on the same machine might
render that limitation useless).  The site administrator could easily
change that if he/she so needs.

Johnie Ingram (the Apache maintainer for Debian) has been notified, and
replied that this was already formally reported on the Bug Tracking System
by another Debian user (details available here:

including this suggested fix:

	<Directory /usr/doc>
	AllowOverride None
	order deny,allow
	deny from all
	allow from localhost

Johnie said he intended to change the old default it in the following

On March 26 he also stated that a new apache deb package was to be
uploaded on the following day, so I suppose it has already made it's
way to the Debian mirrors.


This is not a serious bug, since the Debian is the safest Linux
distribution.  That's why I'm using it.


I haven't bothered to check other distributions...

Andrei D. Caraman			phone: +40 (1) 2050 637
Network Engineer			  fax: +40 (1) 2050 655
Mediasat SA			 office hours: 10:00 - 18:00 GMT

To: Chris McKillop <>
Subject: Re: Becoming a new Developer
From: James Troup <>
Date: 12 Apr 1999 20:02:51 +0100

Chris McKillop <> writes:

> How long does it usually take for the developer application to be
> processed?  I have heard depressing comments on irc of over 10
> months.  Can anyone confirm/deny this for me?

Some random comments in no particular order, because I can't be
bothered to take the time to write a proper reply to all the mails in
this thread.

Processing can take under 10 minutes or it can take > 1.5 years+.  The
former is rare, but has happened 2 or 3 times, the latter is
surprisingly common, but is always because we're waiting for the
applicant to get back to _us_ and not vice-versa.

Don't believe everything you hear on IRC, or even much from certain
people on IRC.

New maintainer is incredibly annoying for too many reasons to list,
but one particularly relevant annoyance is that applicants
expectations for processing time vary wildly.  I've phoned people
after inexcusable delays, and they've calmly said `That's all right, I
haven't even started on my package yet, and probably won't for a
while'.  Or you get people who have pestered you endlessly for a
speedy processing and then don't do anything as a developer for weeks
if not months after their application is processed.

You can speed up your application by providing all the relevant
information as is laid out in the developers reference.  It's
depressing how many people still don't do this despite the excellent
work of both Christian and Adam.

No, I'm not prepared to put an auto-responder on the address.  Just trust it got there, and if
you're unsure mail us a short note.  We don't mind people pestering us
with short notes after suitable delays.  I do object pretty violently
to people resending large scans, I pay for my calls by the minute and
I'm on a slow 28.8 (and besides, it's a principal thing).  In a
similar vein, please scale down scans, a 500k scan is usually just as
useful as a 5Mb scan.

I'm sorry for all the people that having been waiting a long time.
I'll try and get round to you as soon as possibly can, but read on.

The phone calls do often cause delays.  I do think they're necessary,
and I'm not prepared to stop doing them.  No, I can't email before I
call, simply because I never know when I'll have the time/energy[1] to
call till the last minute and by then there's not much point.

The phone calls are about to become much less of a problem, as I'm
going to start giving out my contact information so people can
_optionally_ phone me, when it's convenient for *them* (with some basic
exceptions [Hi, Ed :p]).  This will be entirely optional, and won't
cost the applicant much (I'll call them right back, if I can), and
will I hope avoid the problems of missing people or people giving us
telephone numbers for what are virtually dedicated modem lines.  I
trialled this last week and with one exception (Hi, Ed :p) it worked
well, and applicants seemed to respond favourably to the idea.

Anyway, I think I've rambled enough.


"The trick is to keep breathing."

[1] The majority of calls are either done (my time) late at night,
very early in the morning (Hi, Ed :p) or early in the morning.  I have
a ridiculously demanding job, which keeps me away from Debian more
than I would like and which requires a certain amount of sleep from me
per night.

To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact
From Sun Apr 11 18:07:26 1999
Date: Sun, 11 Apr 1999 11:07:10 -0700
From: "Darren O. Benham" <>
To: Martin Schulze <>
Cc: Marcus Brinkmann <>,
Subject: Re: the logo: logo selections now available!

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

On Sun, Apr 11, 1999 at 11:44:21AM +0200, Martin Schulze wrote:
> Marcus Brinkmann wrote:
> > On Sat, Apr 10, 1999 at 12:33:51PM +0200, Martin Schulze wrote:
> > >=20
> > > I'm sorry, but the first logo contest was neither made public nor
> > > maintainer-publich so doogie has had no chance to intervene before
> Apparently this wasn't phrased good and I was in a hurry.
> The official logo contest (the second) was held in public.
> But the logos we can vote on weren't chosen in public but behind
> closed doors so neither doogie nor myself were able to intervene.
> After that the vote is public.
> You already know that I made an attempt to direct the whole contest
> into a proper direction.  Since I can't decide what the logo team
> does that was all I could do - or make a revolution which is not
> what I want.

There is one other... w/o a revolution.  If there is a logo you like,
propose it as an amendment... if either wichert, the technical commitee or
five other developers agree that the logo should be voted on (sponsor)
it'll be added to the ballot and it doesn't restart the discussion period.

Please cc all mailing list replies to me, also.
*        <>           <><  *
* -------------------- * -----------------------------------------------*
* Debian Developer, Debian Project Secretary, Debian Webmaster          *
* <> <> <>  *
* <> <> <>   *

Content-Type: application/pgp-signature

Version: GNUPG v0.4.3 (GNU/Linux)
Comment: For info finger



To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.