The List has returned!

Garrett Goebel garrett at scriptpro.com
Thu Jul 31 20:43:24 CDT 2003


Frank Wiles wrote:
> Garrett Goebel <garrett at scriptpro.com> wrote:
> > Gerald Combs wrote:
> > > On Thu, 31 Jul 2003, Frank Wiles wrote:
> > > >
> > > > honestly how many Sendmail specific security
> > > > holes have there been in the last year?
> > >
> > > According to cve.mitre.org, there have been several:
> > >   http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
> >
> > And how many in qmail? Zero.
> >
> > While his own license is fairly open (more open than
> > Netscape's was when RedHat was distributing its binaries)...
> > its pretty obvious DJB has something against GNU and open
> > source licenses. I wonder what it is? Loss of control over
> > _his_ code? Does anyone know of anything he's written
> > directly on this point?
> >
> > Compile from source distributions like Gentoo are practically
> > unrestricted by DJB's licensing terms. He does explicitly
> > allow you to download and compile his source. And makes
> > explicit your rights to do whatever you want with it
> > thereafter (http://cr.yp.to/softwarelaw.html). As far as
> > I've read, he just won't allow modified binaries.
> >
> > It just seems kind of sad that you wind up with multiple
> > series of patches against qmail... like some throw-back to
> > minix. That will take you only so far.
>
> I tire of this argument quickly, so this will probably be my
> last contribution to this thread.

Let me buy you a cup of coffee then... It's hardly sporting to "tire" at the
initial responses to the security issues you raised.


> Yes you are right qmail has had zero.  Personally, I do not see
> that as a reason to switch.

Your prerogative. Sendmail has a track record of security flaws. Qmail does
not. An "old argument" as you put it. It's widely accepted that it is a
Herculean task to graft security into code that wasn't architected or
implemented with it in mind. I don't foresee Sendmail security issues as
ever becoming a permanent thing of the past.

I for one like that qmail is simple, small, and fairly straight forward to
configure. The learning curve for me was much steeper on Sendmail. But of
course, qmail's learning curve is no reason to "switch" if you already know
sendmail. Then again, who knows Sendmail? Fairly unscientific, but using the
page lengths of the definitive books: 3rd edition O'Reilly Sendmail is what?
1200+ pages whereas "Life with Qmail" is <500.

Here's an alternative fairly balanced opinion on the major MTA's:
http://shearer.org/en/writing/mtacomparison.html


> Yes the ability to distribute modified binaries is a small one,
> but like I said I don't like his license because it is not Open
> Source.

Your prerogative. And to some extent I agree. I'd like it better if it were
open source. Not like the eventual guarantee of bit-rot that DJB offers. But
I like the product, and his license allows me to use it. So I do.

I'd still like to know what DJB's rationalization against open source
licenses is...

--
Garrett Goebel
IS Development Specialist

ScriptPro                   Direct: 913.403.5261
5828 Reeds Road               Main: 913.384.1008
Mission, KS 66202              Fax: 913.384.2180
www.scriptpro.com          garrett at scriptpro.com