
Re: that webmin port



swat is a small and optional part of samba which generates a samba
configuration file. if samba required swat to be running at all times,
then your comparison would have a bit more weight.

i use pf to limit access to my ftp server (proftpd), but it was still
rejected by espie as a port. i bitched and moaned and then shut up
because i realized how stupid i was being. if your favorite software
isn't in the ports, then install it manually.

ports is not for the experienced and responsible openbsd user, it's for
all users.

for every person such as yourself who is comfortable using software with
a spotty security history and restricting access, there are five users
who have no idea what the potential risks are or don't take them
seriously.

ports is not a democracy, it's a dictatorship. the ports maintainers
strive to keep bad software out, and good software up-to-date and
maintained. yes, there's bias. if you take a step back, you'll realize
that the maintainers are looking out for you, and have your best
interests (security and quality software) at heart.

-jolan


On Sat, 4 May 2002, Randall Augustus Alexander wrote:

> I use Webmin on all my OpenBSD servers.  To limit the exposure to only my
> internal network, I simply use the security options in Webmin and PF to
> control what IPs can access Webmin.  OpenBSD may have a lot going for it in
> the realm of security, but it is a simple matter to misconfigure OpenBSD and
> make it "insecure".
>
>
> There are legitimate and safe ways to use Webmin.  Let the user decide what
> is right for them.  By your logic, we should also dump a lot of the other
> ports including Samba which includes SWAT.
>
>
> Randall
>
> ----- Original Message -----
> From: "Dave Watson" <dave_(_at_)_elephantride_(_dot_)_org>
> To: "Ben Goren" <ben_(_at_)_trumpetpower_(_dot_)_com>
> Cc: <ports_(_at_)_openbsd_(_dot_)_org>
> Sent: Saturday, May 04, 2002 10:14 AM
> Subject: Re: that webmin port
>
>
> > --Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com> [020504 16:17]:
> > > On Sat, May 04, 2002 at 05:12:46PM +0200, Marc Espie wrote:
> > >
> > > > Being curious, I looked at this last port that is left
> > > > interactive in our tree.
> > > >
> > > > I'd like some other security conscious people to look at this.
> > > >
> > > > From what I've seen on the webmin homepage, I'm highly
> > > > pessimistic. It looks like the guys who wrote this have
> > > > absolutely no clue about security.
> > > >
> > > > e.g., this seems to me to be worse than proftpd. and not
> > > > belonging in our ports tree at all.
> > >
> > > These people might not do things the right way, but I'd still
> > > rather have them use OpenBSD in a less-than-secure manner and
> > > benefit from its stability, performance, and (compromised but
> > > still above-average) security than see them go with something
> > > that's inferior in almost all other ways (including security, even
> > > with the potential problems Webmin creates).
> >
> > Less-than-secure is insecure.
> >
> > I think it should be removed.  If someone wants a less-than-secure
> > machine they should probably use something other than OpenBSD, or
> > download and install webmin themselves.  I have doubts that anyone will
> > decide to use OpenBSD simply because webmin is in the ports tree.
> >
> > --
> > Dave Watson
> >
>
>


