Re: that webmin port
On Sat, May 04, 2002 at 05:12:46PM +0200, Marc Espie wrote:
> Being curious, I looked at this last port that is left
> interactive in our tree.
>
> I'd like some other security conscious people to look at this.
>
> From what I've seen on the webmin homepage, I'm highly
> pessimistic. It looks like the guys who wrote this have
> absolutely no clue about security.
>
> e.g., this seems to me to be worse than proftpd. and not
> belonging in our ports tree at all.
Personally, I'd never touch Webmin with a ten-foot pole...but,
barring major problems not already apparent, I'd vote for leaving
it in the tree. Most Microsoft types wouldn't even think of using
OpenBSD at all; showing them that Webmin exists and is as easy to
use as the tools they already use at least opens the door. It's
probably fair to say that I've missed out on at least one decent
job because I tried to steer an MCSE away from Webmin and towards
the right way to do things.
The fact is, the kinds of people who would use Webmin either don't
care about security (as proven by Code Red, Nimda, Melissa,
_et_al_) or don't understand what's going on. (After multiple
hands-on sessions with OpenBSD and at least a few emails with URLs
and copy-and-paste directions, I still got friend-of-a-friend
feedback from the head network guy of a mid-sized company
complaining that OpenBSD doesn't have any documentation and that
it's just too hard to use.)
These people might not do things the right way, but I'd still
rather have them use OpenBSD in a less-than-secure manner and
benefit from its stability, performance, and (compromised but
still above-average) security than see them go with something
that's inferior in almost all other ways (including security, even
with the potential problems Webmin creates).
I'd consider recommending leaving it in but marking it
broken...except that even that would make it too hard for these
kinds of people to install (and scare them off at the same
time). Perhaps some sort of big, bold warning that proclaims that
the software does things in non-standard and untested ways and
that it should only be used in transitioning from a Windows
background?
With proftpd, at least, OpenBSD has a superior replacement in the
default install. For those terrified of a shell prompt, those who
are only capable of using the mouse, I'm not aware of a
replacement for Webmin.
b&
--
Ben Goren
mailto:ben@trumpetpower.com
http://www.trumpetpower.com/
icbm:33o25'37"N_111o57'32"W