[pkg-lighttpd] Bug#600050: Bug#600050: /etc/lighttpd/conf-available/15-fastcgi-php.conf: fastcgi-php file missing a required directive

Arno Töll debian at toell.net
Thu Apr 7 15:24:11 UTC 2011



On 07.04.2011 16:41, Olaf van der Spek wrote:
> I'm not sure the manual says anything about this one.

Sure it does, if we consider upstream's Wiki as manual at least:

>> Note
>> This means you need to include the line
>> server.modules += ( "mod_fastcgi" )
>> ...
>> in your lighttpd.conf file. Without this, you'll get the error
>> 
>> WARNING: unknown config-key: fastcgi.server (ignored)
>> 
>> when trying to use lighttpd with fastcgi and, for example, php.

See http://redmine.lighttpd.net/wiki/lighttpd/Docs%3AModFastCGI.
Straight on top :)

> No.
> It does increase the amount of code that's executed, but (IMO) not in
> a significant way. FastCGI is not some obscure module.
> If loading the module does affect safety in a significant way one
> should probably avoid the entire webserver.

Safety is the minimization of unwanted risks. This is how an engineer
defines safety. For security this reads: avoid unneeded threats whenever
you can. The code you don't execute can't lead to a vulnerability,
especially if you would be executing it unnecessarily.

It's as simple as that.

> Ideally the module would unload itself when not configured.

I'm unsure if a module should apply this kind of heuristics since I tend
to state "software should not start to think on behalf of the
administrator being too lazy to configure things".

> I agree about those goals, so the question is: what is core functionality?

Bear in mind we are discussing a web server, that is, essential core
functionality is well defined by HTTP 1.1
[http://tools.ietf.org/html/rfc2616]. That means: everything needed to
run a fully compliant HTTP 1.1 web server is enough for the
functionality /everyone/ expects when installing lighttpd.

For lighttpd this requires only the core components, which can't be
loaded (or unloaded).

Now let's take a look in the trunk's lighttpd.conf:

>>server.modules = (
>>        "mod_access",
>>        "mod_alias",
>>        "mod_compress",
>>        "mod_redirect",
>>#       "mod_rewrite",
>>)

As we are packaging for Debian we need to conform to Debian's Policy
Manual § 11.5
[http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl].
Following that we require an alias for /cgi-bin, /doc and /images, hence
mod_alias is required (what happened to the DPM-compatible configuration,
by the way? The current configuration looks as if it would violate
the DPM.)

mod_access provides url.access-deny which is a good idea too, although
this probably should include .htaccess as well, since a lot of people
leave those files in their doc roots as well, even if they are useless
for Lighttpd.

mod_compress might be technically a good idea, but it is not required
for core functionality. I would suggest not to remove it completely, but
to comment it out and leave it as hint to the user.

mod_redirect is not used at all in its default configuration currently.

Note I also dislike splitting up configuration into dozens of files, so I
would suggest not removing some basic configuration quirks, but
leaving the administrator the choice whether he wants to activate a
certain option (set) or ship alternative configuration files.

(Note I also asked to join the pkg-lighttpd team earlier today through
Alioth, since we are getting off topic here)

-- 
with kind regards,
Arno Töll
GnuPG Key-ID: 0x8408D4C4
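A small check for the two situations discussed in the thread: a directive such as fastcgi.server used in a configuration fragment without its module in server.modules (the "unknown config-key" warning), and modules loaded that no directive uses (the code you don't need to execute). This is an added example, not code from the thread or from the Debian package; the key-to-module mapping and the sample configuration are constructed for the example and cover only the modules named in the mail.

```python
import re

# Assumed mapping from directive prefix to the module that provides it,
# limited to the modules discussed in the thread.
KEY_TO_MODULE = {
    "fastcgi.": "mod_fastcgi",
    "alias.": "mod_alias",
    "url.access-deny": "mod_access",
    "compress.": "mod_compress",
    "url.redirect": "mod_redirect",
    "url.rewrite": "mod_rewrite",
}

MODULES_RE = re.compile(r'server\.modules\s*\+?=\s*\((.*?)\)', re.S)
KEY_RE = re.compile(r'^\s*([a-z][\w.\-]*)\s*\+?=', re.M)

def strip_comments(text):
    # lighttpd uses '#' to end-of-line comments; drop them before scanning.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def loaded_modules(text):
    """Modules named in any server.modules = ( ... ) or += ( ... ) list."""
    mods = set()
    for block in MODULES_RE.findall(strip_comments(text)):
        mods.update(re.findall(r'"(mod_[a-z_]+)"', block))
    return mods

def used_keys(text):
    """Directive names appearing on the left of '=' or '+='."""
    return {m.group(1) for m in KEY_RE.finditer(strip_comments(text))}

def audit(text):
    """Report modules required but not loaded, and loaded but unused."""
    mods = loaded_modules(text)
    needed = {mod for key in used_keys(text)
              for prefix, mod in KEY_TO_MODULE.items() if key.startswith(prefix)}
    return {"missing": sorted(needed - mods), "unused": sorted(mods - needed)}

# Constructed sample: the trunk module list plus a fastcgi fragment that
# forgot the server.modules += ( "mod_fastcgi" ) line.
SAMPLE = '''\
server.modules = (
        "mod_access",
        "mod_alias",
        "mod_compress",
        "mod_redirect",
#       "mod_rewrite",
)
server.document-root = "/var/www"
url.access-deny = ( "~", ".inc" )
alias.url = ( "/doc/" => "/usr/share/doc/" )
fastcgi.server = ( ".php" => (( "socket" => "/var/run/php.sock" )) )
'''
```

Running audit(SAMPLE) flags mod_fastcgi as missing and mod_compress and mod_redirect as loaded but unused, matching the two observations in the mail.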