Bug 235682 - gnome-user-share pulls httpd into a default desktop install!
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
Reported: 2007-04-09 15:56 UTC by Matthew Miller
Modified: 2014-01-21 22:57 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-04-10 14:52:52 UTC

Description Matthew Miller 2007-04-09 15:56:18 UTC
0) Why is the Apache web server installed on this desktop?
 1) Hmmm -- gnome-user-share depends on httpd.
 2) gnome-user-share is in the Gnome Desktop Environment group by default.
 3) Having httpd pulled in by default for a desktop install is bad.
 4) Fortunately, httpd doesn't start by default.
 5) But in that case, really, what's the point anyway?
 6) Or, wait: the gnome-user-share readme file says "when file sharing is
    enabled a webdav server is started."
 7) Oh god, this thing spawns an Apache httpd subprocess.
 8) Seriously.
 9) Hey, I know! Here's a gun. Let's shoot our users in the feet some more.
10) Dance, end users, dance!


Seriously, easy file sharing is nifty and all, but this is just asking for it.
Please, we need to stop installing this by default. Think of the children.

Comment 1 Peter Gordon 2007-04-09 17:28:53 UTC
Forgive my ignorance, but *why*, exactly, is this bad? If the user chooses to
enable/disable the sharing feature, then the httpd server process is spawned or
not with a limited gnome-user-share WebDAV configuration, accordingly.

For one, we *could* simply re-implement WebDAV in a separate utility for just
the purpose of gnome-user-share, but that would be far worse: re-implementing
the wheel unnecessarily.

Comment 2 Peter Gordon 2007-04-09 17:38:38 UTC
(In reply to comment #1)
> Forgive my ignorance, but *why*, exactly, is this bad? If the user chooses to
> enable/disable the sharing feature, then the httpd server process is spawned or
> not with a limited gnome-user-share WebDAV configuration, accordingly.
> 
> For one, we *could* simply re-implement WebDAV in a separate utility for just
> the purpose of gnome-user-share, but that would be far worse: re-implementing
> the wheel unnecessarily.

I've started reading through the rest of the thread and feel I now better
understand your opinion on the matter; so never mind me, and sorry for this bug
spam. :)


Comment 3 Matthias Clasen 2007-04-09 21:50:55 UTC
> Seriously, easy file sharing is nifty and all, but this is just asking for it.

Not to repeat the mailing list thread, but what exactly is it asking for, in
your opinion? Imo, this is a clear WONTFIX. To implement file sharing via
webdav, you need a server. And it is _far_ better to use the industry standard,
rather than a homegrown solution.

If anything, you could argue that this bug is about finer-grained apache packaging
that allows gnome-user-share to pull in less, e.g. just the httpd binary. If
that is what you are asking for, please move this bug to apache. 

Comment 4 Matthew Miller 2007-04-09 22:04:04 UTC
I think the immediate solution is to remove this thing from the GNOME Desktop
Environment so it isn't pulled in by default. Or at least make it "optional"
instead of "default".

Splitting the Apache httpd package seems like a good longer-term approach, but
considering how long it took for my suggestion that krb5 have its daemons split
out so they weren't installed on desktop systems to be implemented (and hey,
lookit, critical security fix!
https://rhn.redhat.com/errata/RHSA-2007-0095.html), I think it's pretty clear
that a workaround should be put in place first.

When httpd is split up, then this could be revisited.

Comment 5 Matthias Clasen 2007-04-09 23:54:24 UTC
Having a daemon installed that's not activated by default is not posing an
immediate threat that justifies removing this feature, IMO. Moving to apache.

Comment 6 Matthew Miller 2007-04-10 00:59:39 UTC
Shrug. Your call, I guess.

This is a bad path to be going down, though. We'll be back to Red Hat Linux 6's
stellar security record in no time.

Note that I'm not suggesting completely removing it, but rather moving it from
the default install.

Comment 7 Joe Orton 2007-04-10 06:53:54 UTC
Can you narrow this down to a specific bug (e.g. a dependency which can be
removed) from a vague complaint?

Comment 8 Matthew Miller 2007-04-10 12:30:38 UTC
Sure. The gnome-user-share program needs the httpd binary (and presumably the
webdav modules; not sure precisely what else) but not the rest of the server
infrastructure. The issue I'm concerned about would be significantly reduced if
the httpd package were split into subpackages so the minimal set could be
installed. As someone noted on the mailing list, for the sake of continuity it's
probably best for the base "httpd" package to pull in everything the current
package does, but the binary itself (and whatever division of modules makes
sense) could be in a subpackage.

This would be a win on desktops because reducing the amount of server
infrastructure needlessly installed is not only a security bonus but also means
we can fit more on the livecd.

I'm willing to work on making a spec file reflecting this once CentOS 5 related
work gets out of crunch time.

Comment 9 Joe Orton 2007-04-10 14:52:52 UTC
It seems like this needs to be worked through on the list, this is still a vague
"we need more subpackages" (or something) without identifying exactly what or
why.  Can you re-open this once you've had time to come up with something more
specific?

I don't see why gnome-user-share (and deps thereof) need to be on the live CD at
all, it's hardly a critical desktop component.

Comment 10 Matthew Miller 2007-04-10 15:06:10 UTC
I've been told by multiple people that "don't include gnome-user-share" is not
an acceptable answer.

Punting the bug back and forth between two groups who don't want to change
*their* thing is also not an acceptable answer.

Since gnome-user-share can't work without some portion of httpd but clearly
doesn't need everything, splitting out those portions seems like the most
sensible compromise approach.

I don't mean to sound grumpy, and as noted, I'll track this down because Fedora
is important to me, once I've cleared some other stuff on my plate. But it seems
like if Fedora / Red Hat is important to *you*, you wouldn't *want* to wait
until some outsider comes along and fixes things for you.

