A lot of applications have dubious default installations, where one can log in with a default username/password, or otherwise gain control of the application without requiring credentials. I think it would be wise to address this in the policy draft.

Specifically, I think web apps should be required to not have a default login (default to Debian or the application), and if it is not possible to prevent this, the application should not be accessible by default, or at the very least the admin should be warned of this and given the option to abort the install. How this would pan out in a real-world situation would not be very generalizable, but again, hooks/infrastructure could probably be put in place to support this.

Thoughts?

sean