Andy Bradford wrote:
Imagine... qmail-1.03 was released over 10 years ago and none has yet to find an exploitable security hole. His code is extremely clean.
I used qmail for a while. Yes, qmail 1.03 was released 10 years ago, and has no known holes. It also is completely unusable in a modern email environment. The only way to make it usable is to apply megapatches to it that add all of the functionality you need. Once you apply the megapatches, how do you know you're secure? That was my experience as of five years ago. I stopped using qmail because it was too much of a pain to get SMTP auth working, along with the other features I needed.
What bugs me about DJB is that he releases some software, perfects it (in his mind), and then completely ignores it. qmail is great, in theory. I would love to use it, but it's too much of a pain, and I can't really trust it.
There's one other thing that bugs me. He's not serious about helping people be secure. If he were serious, he would make it easy for his software to be distributed to as many people as possible. Instead, he puts silly limitations on distribution that are primarily aimed at protecting his overly large ego. I would love to use his software, because I do like the approach he takes to security, but it's just not practical.
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
