From 127f50a7a05a3c6bb63617f4a5b69132dc8474a6 Mon Sep 17 00:00:00 2001 From: Oliver Gorwits Date: Mon, 26 Aug 2013 17:54:05 +0100 Subject: [PATCH] improve security notice on community rw string --- .../lib/App/Netdisco/Manual/Configuration.pod | 4 ---- .../lib/App/Netdisco/Manual/ReleaseNotes.pod | 17 ++++++++++++++++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/Netdisco/lib/App/Netdisco/Manual/Configuration.pod b/Netdisco/lib/App/Netdisco/Manual/Configuration.pod index 6122babd..58a52b56 100644 --- a/Netdisco/lib/App/Netdisco/Manual/Configuration.pod +++ b/Netdisco/lib/App/Netdisco/Manual/Configuration.pod @@ -646,10 +646,6 @@ C =item * -C - -=item * - C =item * diff --git a/Netdisco/lib/App/Netdisco/Manual/ReleaseNotes.pod b/Netdisco/lib/App/Netdisco/Manual/ReleaseNotes.pod index 6a557738..94192346 100644 --- a/Netdisco/lib/App/Netdisco/Manual/ReleaseNotes.pod +++ b/Netdisco/lib/App/Netdisco/Manual/ReleaseNotes.pod @@ -19,7 +19,22 @@ You can now configure LDAP authentication for users. =head2 Security Notices The read-write SNMP community is now stored in the database, when used for the -first time on a device. +first time on a device. If you don't want the web frontend to be able to +access this, you need to: + +=over 4 + +=item * + +Have separate C files for web frontend and daemon, such that +only the daemon config contains any community strings. + +=item * + +Use separate Postgres users for web frontend and daemon, such that the web +frontend user cannot SELECT from the C DB table. + +=back =head1 2.011000
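Review bot: The Configuration.pod hunk at line 646 removes one `=item *` entry from the list, but the commit subject only mentions the security notice, so the removal is unexplained. State in the commit message which entry is dropped and why, or move it to its own commit so the two documentation changes can be reviewed and reverted separately.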
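Review bot: In the ReleaseNotes.pod hunk, the new list after "you need to:" does not say that both items are required together. The preceding sentence states that the read-write community is stored in the database, so separate config files alone still leave it readable by a web frontend database user that can SELECT from the table; suggest wording such as "you need to do both of the following:". The guidance is also added only to the release notes, while Configuration.pod only loses lines in this commit, so consider repeating or cross-referencing it there for operators who do not read old release notes.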