Nginx security problem

Steve steeeeeveee at gmx.net
Sat Dec 5 14:20:40 MSK 2009


-------- Original Message --------
> Date: Sat, 5 Dec 2009 02:19:36 -0800
> From: Michael Shadle <mike503 at gmail.com>
> To: nginx at nginx.org
> Subject: Re: Nginx security problem

> On Sat, Dec 5, 2009 at 1:54 AM, Jean-Baptiste Quenot <jbq at caraldi.com>
> wrote:
> 
> > That sounds weird to me, rewriting Mailman in PHP.  Mailman is an
> > excellent piece of software.  If you need FastCGI support for Mailman,
> > why not hire a developer to implement that?  With the excellent python
> > flup library, this will not be a daunting task.
> 
> mailman is a pain in the ass to install,
>
Mailman is not hard to install. Normally you just execute one command from your distro and the package is installed. Configuration is another issue.


> it leaves files all over the
> system,
>
And why is that an issue? You normally don't mess with the installed files. You just edit mm_cfg.py and that's it.


> it is remnant of early 1990's software - i.e. when it began.
> 
This does not make the software automatically bad.


> i am looking for a more modern approach, ala WordPress or Drupal;
>
All fine and dandy for a web application. But mailman can run without a web server.


> upload the files, run an installer, MySQL as a backend for the user
> list, configuration details, etc.
> 
I like the approach from mailman. I can just install it and configure with a simple text file all my initial options, then just glue it together with my MTA of choice and that's it. Okay. Doing the whole user management and list management and configuration management from the command line is not the best choice but it's possible. I do use both. And to be honest: Once you have configured mailman then you don't touch the configuration in years. You just manage everything from the web interface. So be honest: How many times have you needed to go on the server and change options in the command line for mailman after you have installed and configured it?
Probably never or rarely when you switch to a newer version and/or when the new version is depending on a newer Python and you need to alter some stuff in order to get the web interface up and running again. The bigger part of daily work with mailman is anyway from the web interface and the initial configuration is mostly never touched again.


> not proprietary weird command line crap you have to run to update
> options and alter certain configuration items. totally web-based,
> besides for adding the /etc/aliases lines, that's all anyone has to
> do.
> 
Oh boy. If command line is a problem for you then I ask myself how you manage to use nginx? Or things like Postfix, Dovecot, Cyrus, Courier, Sendmail, QMail, etc... Are you aiming to get those web based as well?


> while it has a long history of being the standard, the open source
> community usually has multiple forks and options out there for just
> about any type of software. oddly enough, mailman has no other options
> besides the few i was able to find after a lot of searching:
> 
> - sympa - also a pita to administer, cgi-based
> - ezmlm - doesn't look like it's been touched in years, perl-based
> - dadamail - cgi-based as well it seems
> - majordomo - doesn't look like it's been touched in years, perl-based
> - ?? - i forget the name now, but there was a commercial one at like
> $2k or something per year
> 
The good thing about OSS is that you are free to invest time in making a better solution. Believe it or not. Programming is hard and takes time. A lot of time. I am involved in a big OSS software that everyone wanted to fork last year and everyone wanted to recode the Web UI that the software has in something more modern than Perl. Most of the user base wanted to use PHP. Now almost one year later after we have started we are still using the old interface. No one has coded one single line for the Web UI. Everyone was crying last year but after we took over the development all those that were crying out loud are gone. It's funny.

So your comments about recoding mailman to use PHP somehow remind me of the project that I am involved in. I absolutely understand your desire for the change but I would bet my last dollar on it that you will not any time soon redo mailman in PHP. Not without investing a substantial amount of your normal day time. I want to see the person that is going to sit down months and months doing the Web UI for mailman in PHP. Take the time and look at the code of mailman and analyze it. You will soon realize that doing the Web UI in PHP is going to be a HUGE task. A task that you can't just easily do in a bunch of days or weeks after you have come home from work. It's going to use MONTHS of work. A lot of work.

Most people think that it's easily done but it's not. It is time intensive to code. And if you code for the masses then you will face problems that you have not imagined in your wildest dreams that they could exist. And fixing those issues is going to take time. I once had weeks to fix an issue on Mac OS X that users had. I had those bug reports and reading them just did not make sense to me. But Mac OS X users were reporting them. So I could not ignore them. And for fixing you need to find someone allowing you to access his Mac and you need time to understand what is going on. If you are not familiar with the platform then this as well is going to take time. And before you even have started to understand... bam! 2 weeks of time gone. Just like that. For a small (but important) bug. And it's with all things like that. You think everything is going to be easy and fast but it's not. Things take a lot of time. And I don't know many private persons wanting to commit that much time after work for doing coding on OSS projects.

Don't get me wrong. If you redo mailman in PHP and make it sexy, fast, AJAX GUI, etc... I am sure going to use it. But I myself would not invest time in doing that. Mailman just works and I don't see any significant benefit in having it in PHP and using a super duper Web UI. It would probably look nicer but it would not reduce my list management time by factors. Maybe today I have about 1 to 15 minutes that I need for managing the handful of lists that I do manage. And I don't think a modern Web UI for mailman would reduce that.

