Security changes - restricting uhttpd addresses

Nathan Lutchansky lutchann at litech.org
Tue Oct 25 14:56:07 PDT 2022


On 10/25/22 5:34 PM, Peter Naulls wrote:
> On 10/25/22 17:25, Reuben Dowle wrote:
>
>> The issue of HTTP listening on all interfaces also came up in my 
>> audit, but the auditors were happy with the explanation that the 
>> firewall prevented any access through the WAN interface. If the 
>> people auditing your system are only interested in security 
>> 'theatre', then that is really a poor quality/incompetent audit process.
>
> Well, I agree. For clarity, years ago I had been through reviews with both
> Microsoft and Intel, with some combination of Ubuntu/OpenWrt, so had some
> expectation here. Those reviews turned up their share of nonsense, but things
> have changed I guess.
>
> My hands are tied, we gotta do the dance.


I mean this as gently as possible, but I think what a lot of us are 
missing is the benefit to the OpenWrt project to carry an increased 
maintenance burden in response to your internal requirements, which you 
openly state add no value. Maybe your time is better spent fixing your 
organization's processes, rather than trying to make volunteers 
responsive to what we all agree are pointless requirements?  -Nathan



