
Re: that webmin port



> It's a question whether we have an app in our ports tree that is a
> complete security disaster, and that *will* fuck beginners thoroughly.

Aside from security, I don't think the current version of the port belongs
in the ports tree because a) you can't build a package, b) it's easier to
install from the distribution than it is from the port, and c) when
installed the port runs from inside the ports tree.  One of the primary
reasons I use ports/packages is a), because of dependencies and so I can
uninstall it cleanly.  Shoot, when I install test software I create a quick
package so I can keep track of what I'm doing.

> So, don't try convincing me webmin is useful. I don't care. I only care
> about its security.  Make it work, persuade me it can be installed
> securely, can be coerced to use ssl and not work in non-ssl mode,
> to be made to work with apache without needing to install everything
> setuid, and has no actual holes, and I will keep it in the tree.

I was hacking at a port of Webmin that I forced to use ssl and even
generated a self-signed certificate as part of the install instead of using
the one that comes with Webmin.  I gave up on it because the install was
disk-intensive and my test machine at the time had slow disks, but I'd pick
it up again if there was interest.  I'm not familiar with identifying Perl
security holes, so I'd need some help with that.