[108] in WWW Security List Archive

Re: Administrivia about this list

daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Fri Aug 26 18:58:24 1994

From: hallam@dxal18.cern.ch
To: www-security@ns1.rutgers.edu
Date: Fri, 26 Aug 94 20:40:27 +0200


RE what are we talking about?

My reason for being on this list is that it was announced as a development
list. Security of current WWW servers under UNIX is something that one
of the www newsgroups or at a pinch www-talk can handle. All that really
boils down to is administration. Now administration is something that is
best talked about on USEnet where everyone can chip in. The only advantage
of a mailing list is that it stops everyone from chipping in.


One thing about the "comments" that may not exactly be appreciated is
the listing of the people who made them. First off I initially read the
mail as coming from John DiMarco. Secondly I'm not sure as to the generality
of the views made. If you ask the question "What is a simple server for
me to set up" then you are likely to get one response. If you ask "What is a
full featured server providing proxy support" you may get another. Posting
a response from someone in the absence of the question is, to say the least,
unfair. If you then attach their name to it they may have legitimate cause
for complaint.

To first order there is precious little www security at the moment. 
Certainly I don't recommend anyone try to run a nuclear power station using it
yet. That is why the mailing list was set up. We do know that there are base
level O/S concerns. But the main priority is a secure protocol. Until we have
sorted out our own house we needn't go sorting out Thompson's.

Focusing on particular code releases is not relevant to a development list. We
know that there are bugs in the CERN and NCSA daemons. I don't think it's
exactly fair to either Rob or Ari to simply guess at the likely number of
security flaws by the number of lines of code. It simply does not work that
way. Much of the complexity in both servers is in trying to make the demented
UNIX file system "safe"-ish. If someone adds in a few thousand lines to check
symbolic link handling does that reduce the security of the server or increase
it? Number of code lines and complexity are not directly related. Neither are
security, number of bugs or even functionality.


Phill H-B