Re: Why were all DJB's ports removed? No more qmail?



On 28 Aug 2001, D. J. Bernstein wrote:

> http://cr.yp.to/maildisasters/postfix.html simply reports the facts.
> Some of the facts are continuing events: the Postfix author never
>
>    * posted an alert about this security problem, or
>    * apologized for exposing his users to selective mail destruction, or
>    * apologized for his false and misleading statements, or
>    * took responsibility for his mistakes, or
>    * offered cash rewards for security holes.
>
> All of these remain true. If they ever change, I'm sure the Postfix
> author will let me know, and I'll update the page accordingly.
>
> Postfix proponents who claim that my page is ``out of date'' are really
> trying to say that users should ignore the historical facts. This is a
> common argument from people who don't really care about security. If
> you've been fooled into using Sendmail, for example, and you're now
> asking crucial questions such as
>
>    How exactly did OpenBSD ``audit'' Sendmail? How did this latest
>    security hole slip past the ``audit''? What structures and procedures
>    could have been put into place to prevent this disaster? For example,
>    shouldn't large setuid programs be banned?
>
> you'll get non-answers like ``I can't believe you're attacking OpenBSD''
> or ``Don't worry about it! The bug is fixed now. OpenBSD is secure!''

``Why are you changing the subject?''

one holy war at a time, man!

-vedge