On Tue, Jan 05, 1999 at 01:38:01PM +0800, [EMAIL PROTECTED] wrote:
> (Personally I'm not terribly interested in whether or not changes
> are made to qmail, because these are easy to hack in, but I am
> interested in Dan's thinking.)
I'm interested as well. There is already one possible fix to a
potential resource starvation attack on qmail. The discussion has
been going on for about 2 days now.
If BlueBall Unix's Friday Night SysV release had qmail bundled as a
binary package and were at this point prevented from making this
change to qmail-queue, let's consider this a benchmark for how long it
takes djb to address a real or perceived (perceived by its userbase)
threat to qmail's security. Unlike Wietse's prior remote DoS attacks,
this one is targeted directly at a piece of qmail, and only qmail.
So how long would BlueBall Unix have to wait around before they could
release a binary? Because until then local users at sites using their
unix can clog their mail spools anonymously, and mail will not flow.
How long until the real-world as-yet-unnamed OEM that is using qmail
gets to upgrade their users?
-Peter