[RFC] Discontinuing SWAT

Michael Adam obnox at samba.org
Fri Apr 26 09:27:26 MDT 2013


On 2013-04-26 at 16:38 +1000, Andrew Bartlett wrote:
> On Fri, 2013-04-26 at 08:04 +0200, Jelmer Vernooij wrote:
> > On Thu, Apr 25, 2013 at 11:48:51PM +0200, Kai Blin wrote:
> > > I think it's time to put SWAT out of its misery. In the past few years,
> > > the only commits ever touching it were either API housekeeping or fixing
> > > remote root exploit security issues.
> > > 
> > > The last time we had to do the latter, I accidentally broke password
> > > changes for users, and neither me nor any of the people reviewing the
> > > changes noticed. I take that as a sign that nobody is really interested
> > > in maintaining SWAT, and I think it is becoming a larger liability over
> > > time. Considering how large of an attack surface a web app is offering,
> > > we should not have one of them in our core release.
> > > 
> > > There might be the need for a web-based samba configuration tool, but I
> > > don't think SWAT is fulfilling that need well enough.
> > +1
> > 
> > Despite the concern that's been expressed about the status of SWAT a couple of
> > times over the last couple of years, nothing has really happened. It's 
> > better to remove it than to let it simmer in its current unusable state.
> > 
> > If we want to have a web interface, then I suspect it would be easier to build
> > something new from the ground up than to update the current SWAT anyway.
> 
> Exactly.  I did the same as Kai, and wanted to be all consultative about
> this, but thinking over this again, we need to just notify:  There is no
> active maintainer of the SWAT code, and regular security issues as
> folks put the blowtorch of modern web security to 15 or more year old
> web code.  Therefore, we have no option but to drop it.

+1

I am strongly in favour of dropping SWAT.
I don't need to add any arguments. :-)

Cheers - Michael
