[php-maint] Bug#582204: Bug#582204: expose_php does more than include X-Powered-By header.
thijs at debian.org
Thu Feb 14 08:05:29 UTC 2013
On Thu, February 14, 2013 00:28, Simon Waters wrote:
> The toggle has two values.
> On - default
> Inserts X-Powered-By header with PHP version.
> Causes phpcredits page, PHP and ZEND LOGOs to be displayed in
> unexpected fashion where people's webpages would be expected.
Can you clarify this? Exactly when do you get those logos instead of
> Anyone wishing to obtain compliance to credit card industry standards
> must disable it.
Yes, this is true. I don't agree with them, but indeed Debian needs to
consider what's easiest for their users: as you said, no one will be hurt
when it's turned off or would turn it on, while a significant number of
people want to turn it off. It seems that turning it off will be the
default that minimizes effort across the board with no real cost. I think
it's desirable that a Debian system is PCI compliant 'out of the box' - as
long as there are no significant drawbacks in those choices.
Unfortunately current PCI testing leaves a lot to be desired.
> Leaving it on creates work for users, who often have to or wish to
> disable it, produces unexpected behaviour, and consumes more bandwidth.
> PHP5.5 will remove the display of phpcredits, and logos, but retains the
> X-Powered-By header, and so will still require disabling of this feature
> on most serious deployments, but upstream presumably thought the display
> of credits and logos an issue enough to remove it from the code base
> entirely. My brief inspection of the 5.5a4 code suggests this parameter
> will just toggle the X-Powered-By header in 5.5 and later.
In any case, due to the freeze, we're only able to change this for the
release after wheezy, jessie, which will have PHP 5.5. So the images part
is probably moot anyway.
All in all, I agree we should turn the option off in jessie.
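The thread turns on two checkable facts: whether a server's responses carry the PHP version in X-Powered-By, and whether a php.ini fragment actually sets expose_php to Off (PHP's built-in default being On, as the thread says). The following script is an added example, not code from this thread or from the Debian PHP packaging; the HTTP responses and php.ini fragments in it are constructed samples, not captures from any real server. It parses a raw HTTP response for a PHP version string in X-Powered-By (and in Server, which can also carry one depending on the web server's configuration) and reads the effective expose_php value from a php.ini fragment, treating an absent directive as On.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real server).
# With expose_php = On (the default), PHP adds X-Powered-By with its version.
RESPONSE_EXPOSE_ON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: PHP/5.4.4-14\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# With expose_php = Off, the header is simply absent.
RESPONSE_EXPOSE_OFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Constructed php.ini fragments: the weak default beside the hardened setting.
INI_WEAK = """
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
"""

INI_HARDENED = """
; Disabled: no X-Powered-By header
expose_php = Off
"""

# Matches "PHP/<version>" as PHP emits it, e.g. "PHP/5.4.4-14".
PHP_VERSION_RE = re.compile(r"PHP/(\d+\.\d+(?:\.\d+)?[^\s,;()]*)")


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a lowercase-name -> values map.

    Only the head (before the blank line) is examined; the status line is
    skipped. Header names are case-insensitive, so they are lowercased.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def php_version_leak(raw: bytes) -> Optional[str]:
    """Return the PHP version disclosed by the response, or None.

    X-Powered-By is what expose_php controls; Server is checked too because
    some web server configurations append the PHP module version there.
    """
    headers = parse_headers(raw)
    for value in headers.get("x-powered-by", []) + headers.get("server", []):
        match = PHP_VERSION_RE.search(value)
        if match:
            return match.group(1)
    return None


def expose_php_enabled(ini_text: str) -> bool:
    """Return the effective expose_php value for a php.ini fragment.

    PHP's built-in default is On, so an absent directive counts as enabled.
    ';' starts a comment; the last assignment wins, as in php.ini itself.
    Accepted true-ish spellings follow PHP's ini boolean parsing.
    """
    enabled = True
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "expose_php":
            continue
        value = value.strip().strip('"').lower()
        enabled = value in ("on", "1", "true", "yes")
    return enabled


if __name__ == "__main__":
    for label, raw in (("expose_php=On", RESPONSE_EXPOSE_ON),
                       ("expose_php=Off", RESPONSE_EXPOSE_OFF)):
        print(label, "->", php_version_leak(raw) or "no PHP version disclosed")
    print("INI_WEAK enabled:", expose_php_enabled(INI_WEAK))
    print("INI_HARDENED enabled:", expose_php_enabled(INI_HARDENED))
    print("empty ini enabled (default):", expose_php_enabled(""))
```

To run the header check against a live host, feed `php_version_leak()` the raw bytes of a real response (for example from a socket or `curl -i` output); the ini check is useful for verifying that a deployment's php.ini, not just the shipped template, carries `expose_php = Off`.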