[pkg-lighttpd] Bug#600050: Bug#600050: /etc/lighttpd/conf-available/15-fastcgi-php.conf: fastcgi-php file missing a required directive

[Olaf van der Spek]

On Thu, Apr 7, 2011 at 3:26 PM, Arno Töll <debian at toell.net> wrote:
>> I think a majority of users use the module.
>
> I don't think you should draw conclusions for the majority of users
> based on your personal taste. Indeed the majority of users chooses
> Debian because of its minimalistic approach (read: You don't need to
> throw away stuff and packages on a freshly installed system/package).
>
> That said you shouldn't assume FastCGI is used by virtually everyone,
> since Lighttpd makes an excellent httpd daemon for serving static
> content for example (which is how I use it very much).
>
> I admit it wouldn't be such an issue to disable FastCGI if you don't
> need it, but on the other hand, why activate it unless really necessary?
> Especially since FastCGI, as "door" to server side code execution /can/
> be a security threat.
>
> Don't get me wrong, I'm not offensed if you oppose about my patch, but I
> think it solves the problem in a much cleaner way than assuming
> something for some people for some use cases. Moreover it solves the
> problem for people being too lazy reading manual pages, since all they
> need to do is to activate the FastCGI handler they want and dependencies
> resolve to other modules required to run that handler.

Hi Arno,

I said your idea/patch is fine. That doesn't mean I oppose it. ;)

How does my approach require someone to read the manual?
How is a loaded but unconfigured module a security threat?

I'm not assuming it's used by everyone, but I am assuming it's used by
a majority.

Greetings,

Olaf