Re: that webmin port
On Sun, May 05, 2002 at 05:00:11PM +0200, Marc Espie wrote:
> It's not a question whether it's useful for borderline cases where people
> will use it on private nets where everyone is a loving bunny.
>
> It's a question whether we have an app in our ports tree that is a
> complete security disaster, and that *will* fuck beginners thoroughly.
>
> So, don't try convincing me webmin is useful. I don't care. I only care
> about its security. Make it work, persuade me it can be installed
> securely, can be coerced to use ssl and not work in non-ssl mode,
> to be made to work with apache without needing to install everything setuid,
> and has no actual holes, and I will keep it in the tree.
>
> If you can't, tough luck. Down the drain it goes.
That is the right thing to do -- especially for the
majority. Borderline arguments are not interesting and should not be
considered when evaluating ports.
I _could_ do an audit, but I seem to remember that Webmin is a bunch
of Perl scripts, and I have very little experience with Perl, and less
with security audits of it, so I don't think I'd come up with a useful
conclusion.
Besides, Webmin isn't really the BSD way to do things. =)
Michael.
--
Rumour is information distilled so finely that it can filter through
anything.
-- (Terry Pratchett, Feet of Clay)