Re: that webmin port
I have made it work in SSL and non SSL modes a couple of versions back.
And if you're only worried about the noobs in the crowd, mark the port as
expert only due to possible security concerns and again let the noob make
the decision. After all that very same noob as you pointed out earlier can
always go out and install it himself.
However, it seems clear that you have already made the decision to remove it
from the ports tree. So instead of pushing people's buttons, just remove it
and be done with it.
Randy
----- Original Message -----
From: "Marc Espie" <espie@nerim.net>
To: <ports@openbsd.org>
Sent: Sunday, May 05, 2002 8:00 AM
Subject: Re: that webmin port
> Cut the crap.
>
> I asked for a *technical* opinion whether people with security skills
> can look at this code, and check whether there is something salvageable
> in it.
>
> I don't care at all whether you think it might be useful.
>
> This is not the point at hand at all.
>
> I haven't had time to read through the code yet, only the webpage.
>
> If no-one steps forward and actually looks at the code, I will
> - mark it broken,
> - audit it myself.
>
> And if I find it lacking, and no-one steps forward to fix it, it's
> gone.
>
> It's not a question whether it's useful for borderline cases where people
> will use it on private nets where everyone is a loving bunny.
>
> It's a question whether we have an app in our ports tree that is a
> complete security disaster, and that *will* fuck beginners thoroughly.
>
> So, don't try convincing me webmin is useful. I don't care. I only care
> about its security. Make it work, persuade me it can be installed
> securely, can be coerced to use ssl and not work in non-ssl mode,
> to be made to work with apache without needing to install everything
> setuid,
> and has no actual holes, and I will keep it in the tree.
>
> If you can't, tough luck. Down the drain it goes.
>