Bug 235682 - gnome-user-share pulls httpd into a default desktop install!
gnome-user-share pulls httpd into a default desktop install!
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-09 11:56 EDT by Matthew Miller
Modified: 2014-01-21 17:57 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-10 10:52:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthew Miller 2007-04-09 11:56:18 EDT
0) Why is the Apache web server installed on this desktop?
 1) Hmmm -- gnome-user-share depends on httpd.
 2) gnome-user-share is in the Gnome Desktop Environment group by default.
 3) Having httpd pulled in by default for a desktop install is bad.
 4) Fortunately, httpd doesn't start by default.
 5) But in that case, really, what's the point anyway?
 6) Or, wait: the gnome-user-share readme file says "when file sharing is
    enabled a webdav server is started.
 7) Oh god, this thing spawns an Apache httpd subprocess.
 8) Seriously.
 9) Hey, I know! Here's a gun. Let's shoot our users in the feet some more.
10) Dance, end users, dance!


Seriously, easy file sharing is nifty and all, but this is just asking for it.
Please, we need to stop installing this by default. Think of the children.
Comment 1 Peter Gordon 2007-04-09 13:28:53 EDT
Forgive my ignorance, but *why*, exactly, is this bad? If the user chooses to
enable/disable the sharing feature, then the httpd server process is spawned or
not with a limited gnome-user-share WebDAV configuration, accordingly.

For one, we *could* simply re-implement WebDAV in a separate utility for just
the purpose of gnome-user-share, but that would be far worse: re-implementing
the wheel unnecessarily.
Comment 2 Peter Gordon 2007-04-09 13:38:38 EDT
(In reply to comment #1)
> Forgive my ignorance, but *why*, exactly, is this bad? If the user chooses to
> enable/disable the sharing feature, then the httpd server process is spawned or
> not with a limited gnome-user-share WebDAV configuration, accordingly.
> 
> For one, we *could* simply re-implement WebDAV in a separate utility for just
> the purpose of gnome-user-share, but that would be far worse: re-implementing
> the wheel unnecessarily.

I've started reading through the rest of the thread and feel I now better
understand your opinion on the matter; so nevermind me, and sorry for this bug
spam. :)
Comment 3 Matthias Clasen 2007-04-09 17:50:55 EDT
> Seriously, easy file sharing is nifty and all, but this is just asking for it.

Not to repeat the mailing list thread, but what exactly is it asking for, in
your opinion ? Imo, this is a clear WONTFIX. To implement file sharing via
webdav, you need a server. And it is _far_ better to use the industry standard,
rather than a 
homegrown solution.

If anything, you could argue that this bug is about finer-grained apache packaging
that allows gnome-user-share to pull in less, e.g. just the httpd binary. If
that is what you are asking for, please move this bug to apache. 
Comment 4 Matthew Miller 2007-04-09 18:04:04 EDT
I think the immediate solution is to remove this thing from the GNOME Desktop
Environment so it isn't pulled in by default. Or at least make it "optional"
instead of "default".

Splitting the Apache httpd package seems like a good longer-term approach, but
considering how long it took for my suggestion that krb5 have its daemons split
out so they weren't installed on desktop systems to be implemented (and hey,
lookit, critical security fix!
https://rhn.redhat.com/errata/RHSA-2007-0095.html), I think it's pretty clear
that a workaround should be put in place first.

When httpd is split up, then this could be revisited.
Comment 5 Matthias Clasen 2007-04-09 19:54:24 EDT
Having a daemon installed thats not activated by default is not posing an
immediate threat that justifies removing this feature, IMO. Moving to apache.
Comment 6 Matthew Miller 2007-04-09 20:59:39 EDT
Shrug. Your call, I guess.

This is a bad path to be going down, though. We'll be back to Red Hat Linux 6's
stellar security record in no time.

Note that I'm not suggesting completely removing it, but rather moving it from
the default install.
Comment 7 Joe Orton 2007-04-10 02:53:54 EDT
Can you narrow this down to a specific bug (e.g. a dependency which can be
removed) from a vague complaint?
Comment 8 Matthew Miller 2007-04-10 08:30:38 EDT
Sure. The gnome-user-share program needs the httpd binary (and presumably the
webdav modules; not sure precisely what else) but not the rest of the server
infrastructure. The issue I'm concerned about would be significantly reduced if
the httpd package were split into subpackages so the minimal set could be
installed. As someone noted on the mailing list, for the sake of continuity it's
probably best for the base "httpd" package to pull in everything the current
package does, but the binary itself (and whatever division of modules makes
sense) could be in a subpackage.

This would be a win on desktops because reducing the amount of server
infrastructure needlessly installed is not only a security bonus but also means
we can fit more on the livecd.

I'm willing to work on making a spec file reflecting this once CentOS 5 related
work gets out of crunch time.
Comment 9 Joe Orton 2007-04-10 10:52:52 EDT
It seems like this needs to be worked through on the list, this is still a vague
"we need more subpackages" (or something) without identifying exactly what or
why.  Can you re-open this once you've have time to come up with something more
specific?

I don't see why gnome-user-share (and deps thereof) need to be on the live CD at
all, it's hardly a critical desktop component.
Comment 10 Matthew Miller 2007-04-10 11:06:10 EDT
I've been told by multiple people that "don't include gnome-user-share" is not
an acceptable answer.

Punting the bug back and forth between two groups who don't want to change
*their* thing is also not an acceptable answer.

Since gnome-user-share can't work without some portion of httpd but clearly
doesn't need everything, splitting out those portions seems like the most
sensible compromise approach.

I don't mean to sound grumpy, and as noted, I'll track this down because Fedora
is important to me, once I've cleared some other stuff on my plate. But it seems
like if Fedora / Red Hat is important to *you*, you wouldn't *want* to wait
until some outsider comes along and fixes things for you.

Note You need to log in before you can comment on or make changes to this bug.