Date: 12 Feb 2001 20:40:04 +0100
From: Dag-Erling Smorgrav <des@ofug.org>
To: "Peter C. Lai" <sirmoo@cowbert.2y.net>
Cc: "Chris Faulhaber" <jedgar@fxp.org>, "Dominic Marks" <dominic_marks@hotmail.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <xzpu25zpu5n.fsf@flood.ping.uio.no>
In-Reply-To: "Peter C. Lai"'s message of "Sun, 11 Feb 2001 15:02:12 -0500"
References: <F55PFTg4bPYkAOt67zL00011da9@hotmail.com> <20010211074201.B1396@jive.44bsd.net> <004a01c09465$86506f80$1e9e6389@137.99.156.23>

"Peter C. Lai" <sirmoo@cowbert.2y.net> writes:
> the bottom line is, comb through the code, find a flaw, make an exploit, go
> to Mr. Bernstein with the documentation, and claim your <insert current
> assigned monetary value> prize. isn't that what "auditing" is all about?

No.

1) Mr Bernstein has also threatened to sue anyone who dared claim
   that his code was insecure. Not the best of incentives.

2) Take it from one who has actually needed to make non-trivial
   modifications to qmail: the code is very hard to read (if not
   unreadable), and in one case I found it easier to just rewrite the
   entire program than try to figure out how Bernstein's version was
   put together. Unreadable code is not easily unauditable.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message