On Mon, Jun 23, 2008 at 9:23 PM, Arvid Ephraim Picciani <aep@ibcsolutions.de> wrote:
I think you're confused because "sane defaults" usually coincides with "defaults from upstream". Not all upstream maintainers are sane.
Right, that's the philosophical problem I have. I believe the Apache project knows a lot more about Apache than some random bash hackers who call themselves "distro developers".
Sorry for replying on this point, I really shouldn't, but I couldn't resist. If you think Aaron is a 'random bash hacker', just take a look at code.phraktured.net and find out what
I always found it painful how much distros believe they do things better. Just look at Debian, who even cripple packages until they are ABI incompatible. Arch was different, they (whoever I refer to, sounds almost like a dream I had, not reality) always agreed that the upstream is the authority for their software. Now you call them insane but at the same time defend a technically wrong downstream version -- the Arch http config just works because the upstream knows that a lot of distros screw up and so they keep the legacy support. Despite the fact that they have been writing to your tracker for ages, btw. These are dark days where the upstream has to report bugs to the downstream. Sigh.
There are many packages that have shipped custom Arch config changes since I've been here. It's an issue with "change".
Good point, I was very happy with the old Arch so I might overreact to every little change. It began with a sudden change in IRC, when suddenly people got kicked out for being "leet" and unfriendly to the newbies. When I joined Arch, people got kicked out for demanding hand holding. Made me pretty happy since I oppose any kind of hand holding. Now join the channel and look at the questions... the level of RTFM dropped to zero.
On Monday 23 June 2008 20:37:27 Pierre Chapuis wrote:
On Mon, 23 Jun 2008 19:14:58 +0200,
In fact I really meant the page you get when you click on the word "User", which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user.
oh. sorry.
"It is recommended that you set up a new user and group specifically for running the server. Some admins use user nobody, but this is not always desirable, since the nobody user can have other uses on the system."
and also:
"Don't set User (or Group) to root unless you know exactly what you are doing, and what the dangers are."
Yeah, I know that. I'm not saying that you are wrong on the security aspect. In fact my setup has been exactly like that document says for ages. I'm just saying that Arch used to assume that users actually read this document _themselves_. The user nobody is a sane enough default for end user machines with local Apache for playing/testing/whatever. It's obviously not a correct setup for a production server, which is why when running a production server, you are supposed to RTFM!
Please note that even after you added that patch, the default Arch setup is still not a correct production setup.
1) There are gazillions of bugs in the config.
2) A production setup is supposed to be evaluated by an experienced admin specifically for the environment. "Just installing a webserver" is the reason why we have so many infected machines around.
-- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani