
Mailing List Archive: Qmail: users

"Some thoughts on security after ten years of qmail 1.0"

 

 



eperea at walkereng

Nov 2, 2007, 6:12 AM

Post #1 of 14 (1559 views)
"Some thoughts on security after ten years of qmail 1.0"

I just noticed Dan has a new paper on qmail and security:

http://cr.yp.to/qmail/qmailsec-20071101.pdf


xenophage0 at gmail

Nov 2, 2007, 8:18 AM

Post #2 of 14 (1530 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

On 11/2/07, Emilio Perea <eperea[at]walkereng.com> wrote:
> I just noticed Dan has a new paper on qmail and security:
>
> http://cr.yp.to/qmail/qmailsec-20071101.pdf

This is a pretty good paper on security. It's not going to change the
qmail world, but if you are interested in security as it relates to
programming, it's definitely a good read.

His thoughts and ideas regarding trusted code bases are certainly not
new, but he does explain them quite well. I'm interested to see if he
does, in fact, release a qmail 2.0 with more of these techniques
employed.

Also of note, he has raised the bounty for security holes in qmail to $1,000.

--
Jason 'XenoPhage' Frisvold
XenoPhage0[at]gmail.com
http://blog.godshell.com


seth at cql

Nov 2, 2007, 9:17 AM

Post #3 of 14 (1519 views)
RE: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

> Also of note, he has raised the bounty for security holes in qmail to
> $1,000.

That's still well below the rate of inflation. :)



Seth Kurtzberg
Software Engineer
Specializing in Security, Reliability, and the Hardware/Software Interface






dashley at gmail

Nov 2, 2007, 9:21 AM

Post #4 of 14 (1527 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

On 11/2/07, Jason Frisvold <xenophage0[at]gmail.com> wrote:
>
> On 11/2/07, Emilio Perea <eperea[at]walkereng.com> wrote:
> > I just noticed Dan has a new paper on qmail and security:
> >
> > http://cr.yp.to/qmail/qmailsec-20071101.pdf
>
> This is a pretty good paper on security.


Actually, I find the paper ... of no value except to help DJB compose his
thoughts.

First ...

let's not get confused about why qmail has no known security holes--because
it was written by a _single_ individual with a mathematical background and
an IQ in the stratosphere. DJB is _very_ intelligent (meaning he can keep
the design of the entire product in his head), and has a mathematical
background (meaning that he understands OS mechanisms, filesystems,
efficiency issues, etc.). There is the old saying that "no product of
lasting value has been designed by a team of more than 3 people" (hope I
didn't butcher that quote too badly).

Why are most products less secure? Simple ... they were written by too many
people, each with too low an IQ. It is just that simple. An abundance of
people leads to interface cohesiveness issues. Each of the people being not
smart enough leads to unforeseen execution scenarios.

Second ...

DJB needs to pursue research in software engineering and not write papers
directly or indirectly about software quality until he has done this. Most
of the paper seems to be DJB rediscovering ideas (and stating them badly)
that were known by the software engineering community no later than 1990.
This is a crude rehash of known ideas.

Dave.


joyce.hopewell at gmail

Nov 2, 2007, 1:29 PM

Post #5 of 14 (1522 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

Emilio Perea wrote:
> I just noticed Dan has a new paper on qmail and security:
>
> http://cr.yp.to/qmail/qmailsec-20071101.pdf

It's astounding how useless that 'paper' is. It's nothing more than a
self-aggrandizing plea to the Internet at large to not forget that DJB still
actually exists.

Here's how I see it. qmail has its place, sure. However, it has not kept
pace with the rest of the Internet. It's an anachronism. To get your qmail
platform to use any sort of modern e-mail capabilities (greylisting, spf,
dkim, etc) you have to apply a mountain of patches, piped scripts, helper
programs ... it turns into a giant uncontrollable mess very quickly.

Yes, qmail is fast. Yes, it's arguably more secure than sendmail (although, if I
recall correctly, DJB has welched on his $500 bet in the past. The 32/64 bit
controversy, wasn't that?). However, by forcing users to jump through a
thousand hoops to add functionality, it stops being secure or fast, or
reliable. So, either you have a marginalized stock qmail install, or an
unwieldy shoehorned qmail install. Either option is very unappealing.

I really think this paper is nothing more than an attention grabber. A
desperate attempt to say, "I still exist!". But honestly, qmail has way too
many shortcomings to be a serious contender in any modern datacenter anymore.

I've worked with qmail for a long time. I know it very well. I know you can
add any sort of support for it with patches or pipelines or proxies. But I
only use it because I have to support legacy installs. I refuse to use it for
any new installations, or any personal platforms.

Face it, qmail is abandonware. Will there ever be a qmail2? I really don't
care. There are other packages available that give me the functionality I
want now, not years from now.

And for heaven's sake, I'm sick to death of the whole errno fiasco. The world
moved on. Face up to the facts, just rewrite the header files already, and
release qmail-1.03.1. At least then we could pretend qmail was still relevant.
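
The "errno fiasco" in the post above refers (this is my reading of it, not something the post spells out) to qmail 1.03 shipping an error.h that declares `extern int errno;` itself instead of including <errno.h>. Once glibc made errno a thread-local value reached through a macro, that bare declaration stopped resolving at link time, and the usual fix is the one-line "errno patch" that swaps in the include. The C program below is an added example, not qmail code and not from the original post: it shows the portable form and two properties the shared-global declaration cannot give you, namely that errno is per thread and that it must be read before any other library call can overwrite it. The paths and the ENOENT/EISDIR probes are constructed for the demonstration; it needs POSIX threads (on glibc 2.34 and later no extra -lpthread is required).

```c
/* Added example (not qmail's code). Portable errno handling, as opposed to
 * the `extern int errno;` declaration assumed to be behind the "errno fiasco"
 * discussed above. Probe paths are constructed for the demo. */
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Attempt open(2) and return the errno it left behind (0 on success).
 * errno is captured immediately: any later libc call may clobber it. */
int errno_after_failed_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* Demonstrates why the capture must come first: close(-1) fails with EBADF
 * and would overwrite ENOENT if errno were read only after the cleanup. */
int errno_saved_before_cleanup(void)
{
    int fd = open("/nonexistent-dir-for-errno-demo/file", O_RDONLY);
    int saved = (fd < 0) ? errno : 0;   /* save first ...                  */
    close(-1);                          /* ... then clean up (sets EBADF)  */
    if (fd >= 0)
        close(fd);
    return saved;                       /* ENOENT, not EBADF               */
}

struct probe {
    const char *path;
    int flags;
    int seen;       /* errno observed in that thread */
};

static void *probe_thread(void *arg)
{
    struct probe *p = arg;
    /* Repeat so the two threads' failures genuinely overlap in time. */
    for (int i = 0; i < 1000; i++)
        p->seen = errno_after_failed_open(p->path, p->flags);
    return NULL;
}

/* Two threads fail concurrently for different reasons. Because <errno.h>
 * gives each thread its own errno, each sees only its own error; a single
 * shared `int errno` could not guarantee that. Returns 1 on success. */
int errno_is_per_thread(void)
{
    struct probe a = { "/nonexistent-dir-for-errno-demo/file", O_RDONLY, 0 }; /* ENOENT */
    struct probe b = { "/", O_WRONLY, 0 };                                   /* EISDIR */
    pthread_t ta, tb;

    if (pthread_create(&ta, NULL, probe_thread, &a) != 0) return 0;
    if (pthread_create(&tb, NULL, probe_thread, &b) != 0) return 0;
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);

    return a.seen == ENOENT && b.seen == EISDIR;
}

int main(void)
{
    printf("saved errno: %s\n", strerror(errno_saved_before_cleanup()));
    printf("per-thread errno: %s\n", errno_is_per_thread() ? "yes" : "NO");
    return 0;
}
```

Compile with `cc -std=c11 errno_demo.c` on a current glibc system. The point for a mail daemon is the second function: qmail-style code that reads errno to decide between a temporary and a permanent delivery failure gets the wrong answer if anything (a log write, a close) runs between the failing call and the read.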


nelson at crynwr

Nov 3, 2007, 1:23 PM

Post #6 of 14 (1508 views)
RE: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

Seth Kurtzberg writes:
> Also of note, he has raised the bounty for security holes in qmail to
> $1,000.
>
> That's still well below the rate of inflation. :)

Errr, no. $500 in 1997 has the same buying power as $649.50 in 2007.
So he didn't "double" the bounty, he half-again'ed it.

http://data.bls.gov/cgi-bin/cpicalc.pl

--
--my blog is at http://blog.russnelson.com | People have strong opinions
Crynwr sells support for free software | PGPok | about economics even though
521 Pleasant Valley Rd. | +1 315-323-1241 | they've never studied it.
Potsdam, NY 13676-3213 | Sheepdog | Curious how that is!


matthew at dempsky

Nov 3, 2007, 9:10 PM

Post #7 of 14 (1510 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

On 11/2/07, Joyce Hopewell <joyce.hopewell[at]gmail.com> wrote:
> It's astounding how useless that 'paper' is. It's nothing more that a
> self-aggrandizing plea to the Internet at large to not forget that DJB still
> actually exists.

It is no such thing. It was an invited paper to a conference on
computer security architecture. The core of the paper examines how
qmail achieves the same core functionality as sendmail without
resulting in any security holes. It also reviews how effective the
different techniques employed while designing and implementing qmail were.

Why are you on this mailing list anyway?


netbeans at gatworks

Nov 3, 2007, 11:47 PM

Post #8 of 14 (1512 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

> Errr, no. $500 in 1997 has the same buying power as $649.50 in 2007.
> So he didn't "double" the county, he half-again'ed it.

say that to a tank of gas. :-{


werner at yellowcouch

Nov 4, 2007, 1:14 AM

Post #9 of 14 (1510 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

On Sunday 04 November 2007 05:10:07 Matthew Dempsky wrote:
> On 11/2/07, Joyce Hopewell <joyce.hopewell[at]gmail.com> wrote:
> > It's astounding how useless that 'paper' is. It's nothing more that a
> > self-aggrandizing plea to the Internet at large to not forget that DJB
> > still actually exists.

To me it sounded more like a reminder to investigate programming and software
engineering techniques. That most scientific papers are somewhat
self-promoting is nothing new; however, this one seems fairly balanced. I guess
your field of expertise must be security?

Wkr,

Werner,-


felix at crowfix

Nov 4, 2007, 3:25 PM

Post #10 of 14 (1503 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

On Sat, Nov 03, 2007 at 09:10:07PM -0700, Matthew Dempsky wrote:
> On 11/2/07, Joyce Hopewell <joyce.hopewell[at]gmail.com> wrote:
> > It's astounding how useless that 'paper' is. It's nothing more that a
> > self-aggrandizing plea to the Internet at large to not forget that DJB still
> > actually exists.
>
> Why are you on this mailing list anyways?

He answered that in the very email you quoted:

> But I only use it because I have to support legacy installs.

Maybe you need to get down off your high horse and pay attention to
what you read. The well-known qmail fanatics' tendency to lash out at
any perceived insult is well illustrated by your response.

The Model T was an amazing car for its day in its simplicity and cost,
but time moves on, unlike either the Model T or qmail. The Model T
was in production for 20 years, and no doubt qmail will continue to be
installed at least as long. But the alternatives didn't wait for the
Model T to forge ahead, and the qmail alternatives won't wait either.

--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / felix[at]crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o


nelson at crynwr

Nov 4, 2007, 4:43 PM

Post #11 of 14 (1502 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

U. George writes:
> > Errr, no. $500 in 1997 has the same buying power as $649.50 in 2007.
> > So he didn't "double" the county, he half-again'ed it.
>
> say that to a tank of gas. :-{

Inflation is a function of the supply of money, not prices. See?
||||
-- vvvv
--my blog is at http://blog.russnelson.com | People have strong opinions
Crynwr sells support for free software | PGPok | about economics even though
521 Pleasant Valley Rd. | +1 315-323-1241 | they've never studied it.
Potsdam, NY 13676-3213 | Sheepdog | Curious how that is!


netbeans at gatworks

Nov 4, 2007, 7:56 PM

Post #12 of 14 (1506 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

$500 of gas in 1997 will now cost more than $1000 in 2007 *OR* $100 of
gas will now get me to the Washington Beltway, whereas it once got me
all the way to Albemarle, NC just a few years before. :{ A 50% loss in
travel power :-{

So, apparently it is a function of whatever you want it to mean (or be).
For me it's the price differential of before, and now. Like the
Consumer Price Index, or the cost of a predefined set of groceries.

Sorta like the definition of what a BUG is, of which I find :))))))

Russ Nelson wrote:
> U. George writes:
> > > Errr, no. $500 in 1997 has the same buying power as $649.50 in 2007.
> > > So he didn't "double" the county, he half-again'ed it.
> >
> > say that to a tank of gas. :-{
>
> Inflation is a function of the supply of money, not prices. See?


teklimbu at wlink

Nov 5, 2007, 7:31 AM

Post #13 of 14 (1487 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

Emilio Perea wrote:
> I just noticed Dan has a new paper on qmail and security:
>
> http://cr.yp.to/qmail/qmailsec-20071101.pdf

I hardly understand 20% of the material discussed in the paper since I
am not really an expert on Security.

Is there a remote possibility of Qmail being released as an open-source
software by D. J. Bernstein?


--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
http://teklimbu.wordpress.com


nelson at crynwr

Nov 5, 2007, 8:36 PM

Post #14 of 14 (1485 views)
Re: "Some thoughts on security after ten years of qmail 1.0" [In reply to]

Tek Bahadur Limbu writes:
> Is there a remote possibility of Qmail being released as an open-source
> software by D. J. Bernstein?

100% probability. But I wouldn't act on that information until I saw
that http://cr.yp.to/qmail/dist.html had been changed.

--
--my blog is at http://blog.russnelson.com | People have strong opinions
Crynwr sells support for free software | PGPok | about economics even though
521 Pleasant Valley Rd. | +1 315-323-1241 | they've never studied it.
Potsdam, NY 13676-3213 | Sheepdog | Curious how that is!
