From owner-freebsd-security Mon Feb 12 19:17:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (mail.gmx.net [194.221.183.20])
    by hub.freebsd.org (Postfix) with SMTP id 63E1237B491
    for ; Mon, 12 Feb 2001 19:17:03 -0800 (PST)
Received: (qmail 26768 invoked by uid 0); 13 Feb 2001 03:17:02 -0000
Received: from pd9508852.dip.t-dialin.net (HELO speedy.gsinet) (217.80.136.82)
    by mail.gmx.net (mail10) with SMTP; 13 Feb 2001 03:17:02 -0000
Received: (from sittig@localhost)
    by speedy.gsinet (8.8.8/8.8.8) id WAA10834
    for freebsd-security@FreeBSD.ORG; Mon, 12 Feb 2001 22:43:21 +0100
Date: Mon, 12 Feb 2001 22:43:21 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <20010212224320.G26500@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20010211074201.B1396@jive.44bsd.net> <004a01c09465$86506f80$1e9e6389@137.99.156.23>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from des@ofug.org on Mon, Feb 12, 2001 at 08:40:04PM +0100
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ disclaimer: IANAL, but an interested user of djb-software ]

On Mon, Feb 12, 2001 at 20:40 +0100, Dag-Erling Smorgrav wrote:
>
> 1) Mr Bernstein has also threatened to sue anyone who dared claim that
>    his code was insecure. Not the best of incentives.

This statement was mentioned several times in recent threads. Is
there any reference?

Up to now I failed to see the evil in DJB's actions (code
readability aside -- I've been there myself and know how long it
takes to identify the spot to put your extension into while doing
it is mostly a snap; and yes it's not everybody's thing that djb
wants to warrant for his software only when it's implemented the
way he designed it to).

Reading the documentation coming with djb-software I only see
points FreeBSD claims in similar ways like "we simply _cannot_
operate reliably on broken hardware" (djb: the underlying OS and
the libs linked against), "don't refer to it as a FreeBSD problem
when a port has a bug" (djb: third party patches are not _my_
software, their bugs aren't mine) and "saturating your uplink
doesn't prove design failures in our network stack" (djb: DoSing
doesn't qualify as a security breach).

What am I doing wrong when I feel the missing "and proving it" in
the above "claim of insecure code" is what makes him sue
somebody? I still read the "all claims and discussions get
published here" as an invitation to _prove_ his software wrong,
while it just didn't happen yet. Has anyone heard or read
otherwise?

BTW: What does the FreeBSD team do against unsubstantiated claims
like those of the (misguided and probably not even understanding
the system used by himself) OpenBSD freak posted here and in
other public lists lately? Looking at the webpage (antioffline?
anitonline? admittedly deleted the URL quickly after looking at
it, but it's in the archive) it's a really badly copied and
mangled FreeBSD index.html with a whole lot of sick accusations
and made to look *exactly* like the original page (including all
the links into the original FreeBSD site -- just like it would be
an integral part of it!).

Would you like to have this pass by unanswered? And do you expect
to be called arrogant, obscuring or threatening when you take
action against things like these? I would be quite astonished ...

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.