https://bugzilla.redhat.com/show_bug.cgi?id=844013

--- Comment #4 from Michael Scherer <misc@xxxxxxxx> ---

There is no mention of the origin of the favicon:

Source1: favicon

I am also surprised by some permissions, do we want apache to be able to modify all those files:

%defattr(-,apache,apache,-)
%{brokerdir}
%{htmldir}/broker
%config(noreplace) %{brokerdir}/config/environments/production.rb
%config(noreplace) %{brokerdir}/config/environments/development.rb
%config(noreplace) %{_sysconfdir}/httpd/conf.d/000000_stickshift_proxy.conf
%attr(0664,-,-) %ghost %{brokerdir}/log/production.log
%attr(0664,-,-) %ghost %{brokerdir}/log/development.log
%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/error_log
%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/access_log

I see why for logs, but the rest seems to me rather strange, if we run process under the apache uid, they shouldn't mess with anything like rails config and such, in case of compromise of the apache process.
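
One way to check a built package for the ownership concern raised in the comment above, as an added example that is not part of the original comment or the package under review. It assumes the `ls -l` style output of `rpm -qlvp`, that the service user and its group share the name `apache`, and a constructed sample listing whose paths and file names are illustrative only.

```shell
#!/bin/sh
# Constructed sample of `rpm -qlvp <package>.rpm` output. The
# /var/www/stickshift/broker prefix and the file names are assumptions
# made for this example, not values taken from the package.
sample_listing() {
cat <<'EOF'
drwxr-xr-x    2 apache  apache        0 Jul 27  2012 /var/www/stickshift/broker
-rw-r--r--    1 apache  apache     1523 Jul 27  2012 /var/www/stickshift/broker/config/environments/production.rb
-rw-r--r--    1 root    apache      412 Jul 27  2012 /var/www/stickshift/broker/config/routes.rb
-rw-rw-r--    1 root    apache      300 Jul 27  2012 /var/www/stickshift/broker/config/database.yml
-rw-rw-r--    1 apache  apache        0 Jul 27  2012 /var/www/stickshift/broker/log/production.log
-rw-rw-r--    1 apache  apache        0 Jul 27  2012 /var/www/stickshift/broker/httpd/logs/error_log
-rw-r--r--    1 root    root         88 Jul 27  2012 /etc/httpd/conf.d/000000_stickshift_proxy.conf
EOF
}

# writable_by USER: read an `rpm -qlv` listing on stdin and print each path
# that USER could modify once installed:
#   - USER owns it (an owner can always chmod the file back to writable),
#   - the group named USER has g+w, or
#   - it is world-writable.
# Paths under a log/ or logs/ directory are skipped, since the service is
# expected to write there. Symlinks are skipped (their mode is always rwx).
# Paths containing spaces are not handled.
writable_by() {
    awk -v who="$1" '
        {
            mode = $1; owner = $3; group = $4; path = $9
            if (mode ~ /^l/) next
            if (path ~ /\/logs?\//) next
            if (owner == who ||
                (group == who && substr(mode, 6, 1) == "w") ||
                substr(mode, 9, 1) == "w")
                print path
        }'
}

# Real use: rpm -qlvp package.rpm | writable_by apache
sample_listing | writable_by apache
```

Any path this prints outside the log directories is a file or directory that a compromised process running under that uid could rewrite.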