Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> Indeed, it would be interesting what kind of testing he is running on
> qmail, say (he says there are over 100 tests), and how he is trying to
> make sure his software is secure. Perhaps his closed to the public
> cryptography course notes would give a hint.
Mate, what kind of problem do you have?
What does qmail have to do with cryptography?
Do you need a break? Maybe you should go on vacation for a few weeks.
Please have a look at the qmail architecture and show me, even if there
were buffer overflow in qmail-smtpd, how you would do harm to the
system. Please have a look with what privileges the different
components run.
> In any case, Dan's auditing his own software does not mean much in
> this context.
Nobody's audit means much.
If the Gartner Group came and declared that they had spent $250 billion
on auditing qmail for two years and found it to be secure, would that
mean anything? No, of course not.
Software security auditing does not work that way.
Software is secure iff the architecture and trust model is sound, which
you can verify yourself in a few hours. Other concerns like technical
errors in the implementation are much less important. And there has not
even been one of those in the last years.
> Can we say with confidence that now Postfix is secure just because the
> last security problem it had was 2 years ago?
Who cares if Postfix is secure?
Postfix has several times the size of qmail and there have been several
catastrophic errors in the past that could cause mail loss. Nothing the
Postfix authors do can restore trust in this software.
Again, I beg of you: Don't talk. Do.
Felix
