From owner-freebsd-security Sun Feb 11 12:01:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id 904AB37B401 for ; Sun, 11 Feb 2001 12:01:25 -0800 (PST)
Received: (qmail 8212 invoked by alias); 11 Feb 2001 20:01:08 -0000
Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 11 Feb 2001 20:01:08 -0000
Message-ID: <004a01c09465$86506f80$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: "Chris Faulhaber", "Dominic Marks"
Cc:
References: <20010211074201.B1396@jive.44bsd.net>
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Sun, 11 Feb 2001 15:02:12 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The code is unauditable? Last time I checked, you compiled qmail from source. In fact, Mr. Bernstein has tighter restrictions on binary distribution:

"You are permitted to distribute a precompiled var-qmail package if (1) installing the package produces exactly the same /var/qmail hierarchy as a user would obtain by downloading, compiling, and installing qmail-1.03.tar.gz, fastforward-0.51.tar.gz, and dot-forward-0.71.tar.gz; (2) the package behaves correctly, i.e., the same way as normal qmail+fastforward+dot-forward installations on all other systems; and (3) the package's creator warrants that he has made a good-faith attempt to ensure that the package behaves correctly. It is not acceptable to have qmail working differently on different machines; any variation is a bug. If there's something about a system (compiler, libraries, kernel, hardware, whatever) that changes qmail's behavior, then that platform is not supported, and you are not permitted to distribute binaries."

The licence is the standard artistic rights licence, which says any changes prior to redistribution must be approved, but that's about it. I don't see how that scheme "stinks". IIRC, Eric Raymond requested all changes to fetchmail to go through him before going public (several years ago).

The bottom line is: comb through the code, find a flaw, make an exploit, go to Mr. Bernstein with the documentation, and claim your prize. Isn't that what "auditing" is all about?

----- Original Message -----
From: "Chris Faulhaber"
To: "Dominic Marks"
Cc:
Sent: Sunday, February 11, 2001 7:42 AM
Subject: Re: Secure Servers (SMTP, POP3, FTP)

> Mail Options:
> 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable

But the code is unauditable and the license stinks.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message