[php-maint] Bug#582204: Bug#582204: php5: expose_php should be off by default to remove X-Powered-By headers

Francois Marier francois at debian.org
Wed May 19 07:08:01 UTC 2010


On 2010-05-19 at 08:25:31, Ondřej Surý wrote:
> I don't agree with you (however not much strongly). Security by
> obscurity never worked and I am opposed to applying this patch. Hiding
> version makes life harder for everybody else but attacker.

Hi Ondřej, 

I certainly agree with you that this is not a real security mechanism,
however, why make it easy on the dumb automated scanners?

What do people use these numbers for? I mean sure developers are the ones
who are (occasionally) interested in exact version numbers, but on balance,
I get the feeling that in a production environment, the numbers are more
likely to be used for nefarious purposes.

In any case, we're talking about the default value, interested developers
can probably change them. Personally, as a Debian user, I have the
expectation that Debian will choose (slightly) more secure values by
default.

Anyways, even though I disagree with this specific default value, I will
respect your decision and this bug will be a record that: the option exists
and that it has already been reported (I couldn't find one before I filed
this one).

Cheers,
Francois




