Red Hat Bugzilla – Bug 235682
gnome-user-share pulls httpd into a default desktop install!
Last modified: 2014-01-21 17:57:47 EST
0) Why is the Apache web server installed on this desktop?
1) Hmmm -- gnome-user-share depends on httpd.
2) gnome-user-share is in the Gnome Desktop Environment group by default.
3) Having httpd pulled in by default for a desktop install is bad.
4) Fortunately, httpd doesn't start by default.
5) But in that case, really, what's the point anyway?
6) Or, wait: the gnome-user-share readme file says "when file sharing is
enabled a webdav server is started.
7) Oh god, this thing spawns an Apache httpd subprocess.
9) Hey, I know! Here's a gun. Let's shoot our users in the feet some more.
10) Dance, end users, dance!
Seriously, easy file sharing is nifty and all, but this is just asking for it.
Please, we need to stop installing this by default. Think of the children.
Forgive my ignorance, but *why*, exactly, is this bad? If the user chooses to
enable/disable the sharing feature, then the httpd server process is spawned or
not with a limited gnome-user-share WebDAV configuration, accordingly.
For one, we *could* simply re-implement WebDAV in a separate utility for just
the purpose of gnome-user-share, but that would be far worse: re-implementing
the wheel unnecessarily.
(In reply to comment #1)
> Forgive my ignorance, but *why*, exactly, is this bad? If the user chooses to
> enable/disable the sharing feature, then the httpd server process is spawned or
> not with a limited gnome-user-share WebDAV configuration, accordingly.
> For one, we *could* simply re-implement WebDAV in a separate utility for just
> the purpose of gnome-user-share, but that would be far worse: re-implementing
> the wheel unnecessarily.
I've started reading through the rest of the thread and feel I now better
understand your opinion on the matter; so nevermind me, and sorry for this bug
> Seriously, easy file sharing is nifty and all, but this is just asking for it.
Not to repeat the mailing list thread, but what exactly is it asking for, in
your opinion ? Imo, this is a clear WONTFIX. To implement file sharing via
webdav, you need a server. And it is _far_ better to use the industry standard,
rather than a
If anything, you could argue that this bug is about finer-grained apache packaging
that allows gnome-user-share to pull in less, e.g. just the httpd binary. If
that is what you are asking for, please move this bug to apache.
I think the immediate solution is to remove this thing from the GNOME Desktop
Environment so it isn't pulled in by default. Or at least make it "optional"
instead of "default".
Splitting the Apache httpd package seems like a good longer-term approach, but
considering how long it took for my suggestion that krb5 have its daemons split
out so they weren't installed on desktop systems to be implemented (and hey,
lookit, critical security fix!
https://rhn.redhat.com/errata/RHSA-2007-0095.html), I think it's pretty clear
that a workaround should be put in place first.
When httpd is split up, then this could be revisited.
Having a daemon installed thats not activated by default is not posing an
immediate threat that justifies removing this feature, IMO. Moving to apache.
Shrug. Your call, I guess.
This is a bad path to be going down, though. We'll be back to Red Hat Linux 6's
stellar security record in no time.
Note that I'm not suggesting completely removing it, but rather moving it from
the default install.
Can you narrow this down to a specific bug (e.g. a dependency which can be
removed) from a vague complaint?
Sure. The gnome-user-share program needs the httpd binary (and presumably the
webdav modules; not sure precisely what else) but not the rest of the server
infrastructure. The issue I'm concerned about would be significantly reduced if
the httpd package were split into subpackages so the minimal set could be
installed. As someone noted on the mailing list, for the sake of continuity it's
probably best for the base "httpd" package to pull in everything the current
package does, but the binary itself (and whatever division of modules makes
sense) could be in a subpackage.
This would be a win on desktops because reducing the amount of server
infrastructure needlessly installed is not only a security bonus but also means
we can fit more on the livecd.
I'm willing to work on making a spec file reflecting this once CentOS 5 related
work gets out of crunch time.
It seems like this needs to be worked through on the list, this is still a vague
"we need more subpackages" (or something) without identifying exactly what or
why. Can you re-open this once you've have time to come up with something more
I don't see why gnome-user-share (and deps thereof) need to be on the live CD at
all, it's hardly a critical desktop component.
I've been told by multiple people that "don't include gnome-user-share" is not
an acceptable answer.
Punting the bug back and forth between two groups who don't want to change
*their* thing is also not an acceptable answer.
Since gnome-user-share can't work without some portion of httpd but clearly
doesn't need everything, splitting out those portions seems like the most
sensible compromise approach.
I don't mean to sound grumpy, and as noted, I'll track this down because Fedora
is important to me, once I've cleared some other stuff on my plate. But it seems
like if Fedora / Red Hat is important to *you*, you wouldn't *want* to wait
until some outsider comes along and fixes things for you.