Debian Weekly News - email
X-Mailer: Mutt 0.95.3i
Date: Mon, 5 Apr 1999 19:53:35 +0300
From: "Andrei D. Caraman" <adc@KILI.MEDIASAT.RO>
Subject: An issue with Apache on Debian
To: BUGTRAQ@NETSPACE.ORG

[ Aleph1, I don't remember this being posted on Bugtraq, but feel free to kill it, if it's yesterday's news. ]

This pertains to the Apache configuration as shipped with Debian 2.1 (codename slink).

The default setup of Apache (apache_1.3.3-7.deb) makes the /usr/doc directory available to anyone as http://some.host/doc/. The relevant line is in the srm.conf file:

    Alias /doc/ /usr/doc/

That would allow any user from the net (malicious or not) to know the exact version of the software packages installed on a Debian box. It looks more of a privacy issue than a security one. However, if a security vulnerability affecting any of those packages is found, attackers may already know which targets to hit (and maybe the ones to be avoided).

At first I thought that alias should be disabled, but upon further reading the lines below (`The above line is for Debian webstandard 3.0, which specifies that /doc refers to /usr/doc. Some packages may not work otherwise.') I'd say that access to that location should be only allowed from localhost (note that a web proxy on the same machine might render that limitation useless). The site administrator could easily change that if he/she so needs.

Johnie Ingram (the Apache maintainer for Debian) has been notified, and replied that this was already formally reported on the Bug Tracking System by another Debian user (details available here: https://www.debian.org/Bugs/db/34/34099.html including this suggested fix:

    <Directory /usr/doc>
    AllowOverride None
    order deny,allow
    deny from all
    allow from localhost
    </Directory>

)

Johnie said he intended to change the old default in the following release. On March 26 he also stated that a new apache deb package was to be uploaded on the following day, so I suppose it has already made its way to the Debian mirrors.

<propaganda>
This is not a serious bug, since Debian is the safest Linux distribution. That's why I'm using it.
</propaganda>

I haven't bothered to check other distributions...

Regards,
---------------------------------------------------------------
Andrei D. Caraman        phone: +40 (1) 2050 637
Network Engineer         fax:   +40 (1) 2050 655
Mediasat SA              office hours: 10:00 - 18:00 GMT
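
The check below is an added example, not part of the original post or of Debian's Apache package. It scans Apache 1.3-style configuration text for an Alias that maps onto /usr/doc and reports it unless the most specific covering <Directory> section carries the localhost-only rules quoted in the message. The sample configs and all function names are constructed for illustration; .htaccess overrides, <Location> sections and the same-host proxy case the message mentions are not modelled.

```python
# Constructed sample configs for illustration (not copied from a real host).
DEFAULT_CONF = "Alias /icons/ /usr/share/apache/icons/\nAlias /doc/ /usr/doc/\n"
FIXED_CONF = DEFAULT_CONF + """<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
"""
LOCAL = {"localhost", "127.0.0.1"}

def _norm(path):
    return path.rstrip("/") or "/"

def parse(conf):
    """Collect Alias mappings and per-<Directory> order/allow/deny rules."""
    aliases, rules, current = [], {}, None
    for raw in conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "<directory" and len(words) > 1:
            current = _norm(words[1].strip('">'))
            rules[current] = {"order": None, "allow": [], "deny": []}
        elif key == "</directory>":
            current = None
        elif key == "alias" and len(words) == 3:
            aliases.append((words[1], _norm(words[2])))
        elif current and key == "order" and len(words) > 1:
            rules[current]["order"] = "".join(words[1:]).lower()
        elif current and key in ("allow", "deny") and len(words) > 2:
            rules[current][key] += [w.lower() for w in words[2:]]
    return aliases, rules

def is_local_only(rule):
    return bool(rule) and rule["order"] == "deny,allow" \
        and "all" in rule["deny"] and set(rule["allow"]) <= LOCAL

def exposed_aliases(conf, sensitive="/usr/doc"):
    """Return URL prefixes serving `sensitive` without the deny-all/allow-local rule."""
    aliases, rules = parse(conf)
    findings = []
    for url, target in aliases:
        covering = [d for d in rules if (target + "/").startswith(d.rstrip("/") + "/")]
        rule = rules[max(covering, key=len)] if covering else None
        if (target + "/").startswith(sensitive + "/") and not is_local_only(rule):
            findings.append(url)
    return findings
```

On the constructed default config this returns ['/doc/']; with the <Directory /usr/doc> block from the bug report appended it returns an empty list.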

To: Chris McKillop <firstname.lastname@example.org>
Cc: email@example.com
Subject: Re: Becoming a new Developer
From: James Troup <firstname.lastname@example.org>
Date: 12 Apr 1999 20:02:51 +0100

Chris McKillop <email@example.com> writes:

> How long does it usually take for the developer application to be
> processed? I have heard depressing comments on irc of over 10
> months. Can anyone confirm/deny this for me?

Some random comments in no particular order, because I can't be bothered to take the time to write a proper reply to all the mails in this thread.

Processing can take under 10 minutes or it can take > 1.5 years+. The former is rare, but has happened 2 or 3 times, the latter is surprisingly common, but is always because we're waiting for the applicant to get back to _us_ and not vice-versa.

Don't believe everything you hear on IRC, or even much from certain people on IRC.

New maintainer is incredibly annoying for too many reasons to list, but one particularly relevant annoyance is that applicants' expectations for processing time vary wildly. I've phoned people after inexcusable delays, and they've calmly said `That's all right, I haven't even started on my package yet, and probably won't for a while'. Or you get people who have pestered you endlessly for a speedy processing and then don't do anything as a developer for weeks if not months after their application is processed.

You can speed up your application by providing all the relevant information as is laid out in the developers reference. It's depressing how many people still don't do this despite the excellent work of both Christian and Adam.

No, I'm not prepared to put an auto-responder on the firstname.lastname@example.org address. Just trust it got there, and if you're unsure mail us a short note. We don't mind people pestering us with short notes after suitable delays. I do object pretty violently to people resending large scans, I pay for my calls by the minute and I'm on a slow 28.8 (and besides, it's a principle thing). In a similar vein, please scale down scans, a 500k scan is usually just as useful as a 5Mb scan.

I'm sorry for all the people that have been waiting a long time. I'll try and get round to you as soon as I possibly can, but read on.

The phone calls do often cause delays. I do think they're necessary, and I'm not prepared to stop doing them. No, I can't email before I call, simply because I never know when I'll have the time/energy to call till the last minute and by then there's not much point.

The phone calls are about to become much less of a problem, as I'm going to start giving out my contact information so people can _optionally_ phone me, when it's convenient for *them* (with some basic exceptions [Hi, Ed :p]). This will be entirely optional, and won't cost the applicant much (I'll call them right back, if I can), and will I hope avoid the problems of missing people or people giving us telephone numbers for what are virtually dedicated modem lines. I trialled this last week and with one exception (Hi, Ed :p) it worked well, and applicants seemed to respond favourably to the idea.

Anyway, I think I've rambled enough.

--
James
"The trick is to keep breathing."

The majority of calls are either done (my time) late at night, very early in the morning (Hi, Ed :p) or early in the morning. I have a ridiculously demanding job, which keeps me away from Debian more than I would like and which requires a certain amount of sleep from me per night.

Date: Sun, 11 Apr 1999 11:07:10 -0700
From: "Darren O. Benham" <firstname.lastname@example.org>
To: Martin Schulze <email@example.com>
Cc: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>, firstname.lastname@example.org
Subject: Re: the logo: logo selections now available!

On Sun, Apr 11, 1999 at 11:44:21AM +0200, Martin Schulze wrote:
> Marcus Brinkmann wrote:
> > On Sat, Apr 10, 1999 at 12:33:51PM +0200, Martin Schulze wrote:
> > >
> > > I'm sorry, but the first logo contest was neither made public nor
> > > maintainer-public so doogie has had no chance to intervene before
>
> Apparently this wasn't phrased good and I was in a hurry.
>
> The official logo contest (the second) was held in public.
>
> But the logos we can vote on weren't chosen in public but behind
> closed doors so neither doogie nor myself were able to intervene.
>
> After that the vote is public.
>
> You already know that I made an attempt to direct the whole contest
> into a proper direction. Since I can't decide what the logo team
> does that was all I could do - or make a revolution which is not
> what I want.

There is one other... w/o a revolution. If there is a logo you like, propose it as an amendment... if either wichert, the technical committee or five other developers agree that the logo should be voted on (sponsor) it'll be added to the ballot and it doesn't restart the discussion period.

--
Please cc all mailing list replies to me, also.
http://benham.net/index.html <email@example.com>
Debian Developer, Debian Project Secretary, Debian Webmaster

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Weekly News was edited by Joey Hess.