On Mon, Jun 23, 2008 at 9:23 PM, Arvid Ephraim Picciani <aep@xxxxxxxxxxxxxxx> wrote:
>> I think you're confused
>> because "sane defaults" usually coincides with "defaults from
>> upstream". Not all upstream maintainers are sane.
>
> Right, that's the philosophical problem I have. I believe the Apache project
> knows a lot more about Apache than some random bash hackers who call
> themselves "distro developers".

Sorry for replying on this point, I really shouldn't, but I couldn't resist.
If you think Aaron is a 'random bash hacker', just take a look at
code.phraktured.net and find out what

> I found it always painful how much distros
> believe to do things better. Just look at Debian, who even cripple packages
> until they are ABI incompatible. Arch was different, they (whoever I refer
> to, sounds almost like a dream I had, not reality) always agreed that the
> upstream is the authority for their software.
> Now you call them insane but at the same time defend a technically wrong
> downstream version -- the Arch http config just works because the upstream
> knows that a lot of distros screw up and so they keep the legacy support.
> Despite they wrote to your tracker since ages btw. These are dark days where
> the upstream has to report bugs to the downstream. sigh.
>
>> There are many
>> packages that have shipped custom Arch config changes since I've been
>> here. it's an issue with "change".
>
> Good point, I was very happy with the old Arch so I might overreact on every
> little change. It began with a sudden change in IRC, when suddenly people got
> kicked out for being "leet" and unfriendly to the newbies. When I joined
> Arch people got kicked out for demanding hand holding. Made me pretty happy
> since I oppose any kind of hand holding. Now join the channel and look for the
> questions.... the level of rtfm dropped to zero.
>
>
> On Monday 23 June 2008 20:37:27 Pierre Chapuis wrote:
>> On Mon, 23 Jun 2008 19:14:58 +0200,
>>
>> In fact I really meant the page you get when you click on the word "User",
>> which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user.
>
> oh. sorry.
>
>>
>> "It is recommended that you set up a new user and group specifically for
>> running the server. Some admins use user nobody, but this is not always
>> desirable, since the nobody user can have other uses on the system."
>>
>> and also:
>>
>> "Don't set User (or Group) to root unless you know exactly what you are
>> doing, and what the dangers are."
>
> yeah, I know that. I'm not saying that you are wrong on the security aspect.
> In fact my setup has been exactly like that document says for ages.
> I'm just saying that Arch used to assume that users actually read this
> document _themselves_.
> the user nobody is a sane enough default for end user machines with local
> Apache for playing/testing/whatever. It's obviously not a correct setup for a
> production server, which is why when running a production server, you are
> supposed to RTFM!
>
> Please note that even after you added that patch, the default Arch setup is
> still not a correct production setup.
>
> 1) there are gazillions of bugs in the config
> 2) a production setup is supposed to be evaluated by an experienced admin
> specifically for the environment. "Just installing a webserver" is the reason
> why we have so many infected machines around.
>
> --
> mit freundlichen Grüßen / best regards
> Arvid Ephraim Picciani