For us developers the version number is often important to help debug things. Many inexperienced users often do not know which version they are using, and it has been a tremendous help for our forum support up to now.
If one does not want version strings, he can set the $serendipity['expose_s9y'] variable to false.
Also, security through obscurity does not really hinder the impact - hackers would still simply attack a site with known exploits, not even taking the time to check a version.
I agree that removing a version number can tighten security, but IMHO the benefits for usual users are higher to not have that be the default s9y option.
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
garvinhicking wrote: If one does not want version strings, he can set the $serendipity['expose_s9y'] variable to false.
It looks like the Powered-By meta tag is hardcoded in most templates and it doesn't depend on the expose_s9y variable. I think that is what Marcus was referring to.
Regards,
Stefan
If Java had true garbage collection, most programs would delete themselves upon execution. (Robert Sewell)
It looks like the Powered-By meta tag is hardcoded in most templates and it doesn't depend on the expose_s9y variable. I think that is what Marcus was referring to.
The s9y core takes care of setting $serendipity['version'] to a string that no longer contains the version number. So once this expose_s9y variable is set, the version is also no longer exposed in any template.
Regards
Garvin
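The question raised in this thread (does a template still emit a version in its Powered-By meta tag once expose_s9y is false?) can be checked from the rendered page itself. The following is an added example, not part of any post or of the s9y code base; the sample markup and its version string are constructed, and also checking a `generator` meta tag is an assumption.

```python
import re
from html.parser import HTMLParser

# Meta names treated as software banners. "powered-by" is the tag named in
# the thread; "generator" is an added assumption (another common banner tag).
BANNER_NAMES = {"powered-by", "generator"}

# Version-like token: 1.2, 1.2.3, ...
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


class BannerScanner(HTMLParser):
    """Collects (name, content) pairs for banner-style <meta> tags."""

    def __init__(self):
        super().__init__()
        self.banners = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <meta ... /> via handle_startendtag.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        name = (a.get("name") or a.get("http-equiv") or "").lower()
        if name in BANNER_NAMES:
            self.banners.append((name, a.get("content", "")))


def find_version_leaks(html):
    """Return banner meta tags whose content still contains a version number."""
    scanner = BannerScanner()
    scanner.feed(html)
    return [(n, c) for n, c in scanner.banners if VERSION_RE.search(c)]


# Constructed sample pages (placeholder version, not real s9y output).
EXPOSED = ('<html><head><meta name="Powered-By" '
           'content="Serendipity v.0.0.0" /></head><body></body></html>')
HIDDEN = ('<html><head><meta name="Powered-By" '
          'content="Serendipity" /></head><body></body></html>')

if __name__ == "__main__":
    for label, page in (("exposed", EXPOSED), ("hidden", HIDDEN)):
        print(label, find_version_leaks(page))
```

Run it against the saved HTML of a page rendered by each installed template after changing the setting; an empty result means that template no longer exposes a version in those tags.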