
Re: that webmin port



Cut the crap.

I asked for a *technical* opinion whether people with security skills
can look at this code, and check whether there is something salvageable
in it.

I don't care at all whether you think it might be useful.

This is not the point at hand at all.

I haven't had time to read through the code yet, only the webpage.

If no-one steps forward and actually looks at the code, I will
- mark it broken,
- audit it myself.

And if I find it lacking, and no-one steps forward to fix it, it's
gone.

It's not a question whether it's useful for borderline cases where people
will use it on private nets where everyone is a loving bunny.

It's a question whether we have an app in our ports tree that is a
complete security disaster, and that *will* fuck beginners thoroughly.

So, don't try convincing me webmin is useful. I don't care. I only care
about its security.  Make it work, persuade me it can be installed
securely, can be coerced to use ssl and not work in non-ssl mode, 
to be made to work with apache without needing to install everything setuid, 
and has no actual holes, and I will keep it in the tree.

If you can't, tough luck. Down the drain it goes.