Re: that webmin port
- To: ports_(_at_)_openbsd_(_dot_)_org
- Subject: Re: that webmin port
- From: Jolan Luff <jolan_(_at_)_encryptedemail_(_dot_)_net>
- Date: Sat, 4 May 2002 21:05:16 -0500 (CDT)
swat is a small and optional part of samba which generates a samba
configuration file. if samba required swat to be running at all times,
then your comparison would have a bit more weight.

i use pf to limit access to my ftp server (proftpd), but it was still
rejected by espie as a port. i bitched and moaned and then shut up
because i realized how stupid i was being. if your favorite software
isn't in the ports, then install it manually.

ports is not for the experienced and responsible openbsd user, it's for
all users.

for every person such as yourself who is comfortable using software with
a spotty security history and restricting access, there are five users
who have no idea what the potential risks are or don't take them
seriously.

ports is not a democracy, it's a dictatorship. the ports maintainers
strive to keep bad software out, and good software up-to-date and
maintained. yes, there's bias. if you take a step back, you'll realize
that the maintainers are looking out for you, and have your best
interests (security and quality software) at heart.

-jolan

On Sat, 4 May 2002, Randall Augustus Alexander wrote:
> I use Webmin on all my OpenBSD servers. To limit the exposure to only my
> internal network, I simply use the security options in Webmin and PF to
> control what IPs can access Webmin. OpenBSD may have a lot going for it in
> the realm of security, but it is a simple matter to misconfigure OpenBSD and
> make it "insecure".
>
>
> There are legitimate and safe ways to use Webmin. Let the user decide what
> is right for them. By your logic, we should also dump a lot of the other
> ports including Samba which includes SWAT.
>
>
> Randall
>
> ----- Original Message -----
> From: "Dave Watson" <dave_(_at_)_elephantride_(_dot_)_org>
> To: "Ben Goren" <ben_(_at_)_trumpetpower_(_dot_)_com>
> Cc: <ports_(_at_)_openbsd_(_dot_)_org>
> Sent: Saturday, May 04, 2002 10:14 AM
> Subject: Re: that webmin port
>
>
> > --Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com> [020504 16:17]:
> > > On Sat, May 04, 2002 at 05:12:46PM +0200, Marc Espie wrote:
> > >
> > > > Being curious, I looked at this last port that is left
> > > > interactive in our tree.
> > > >
> > > > I'd like some other security conscious people to look at this.
> > > >
> > > > From what I've seen on the webmin homepage, I'm highly
> > > > pessimistic. It looks like the guys who wrote this have
> > > > absolutely no clue about security.
> > > >
> > > > e.g., this seems to me to be worse than proftpd. and not
> > > > belonging in our ports tree at all.
> > >
> > > These people might not do things the right way, but I'd still
> > > rather have them use OpenBSD in a less-than-secure manner and
> > > benefit from its stability, performance, and (compromised but
> > > still above-average) security than see them go with something
> > > that's inferior in almost all other ways (including security, even
> > > with the potential problems Webmin creates).
> >
> > Less-than-secure is insecure.
> >
> > I think it should be removed. If someone wants a less-than-secure
> > machine they should probably use something other than OpenBSD, or
> > download and install webmin themselves. I have doubts that anyone will
> > decide to use OpenBSD simply because webmin is in the ports tree.
> >
> > --
> > Dave Watson
> >
>
>