[linux-elitists] DJB ruckus du jour

Rick Moen rick@linuxmafia.com
Wed Nov 13 17:03:06 PST 2002

Quoting Wayne Earl (wayne@qconcepts.net):

> Having been on both sides of the DJB software issue, the debate has
> always struck me as being mostly a conflict of prevailing values:

Well, it's _also_ over intellectual honesty, something you did not
mention.  I got tired of seeing this sort of scheiss bandied about in
front of the gullible:

o  Implying through strategic omission that BIND9 is tainted by BIND8
   security problems, when the speaker knows perfectly well that the
   former was a from-scratch rewrite to jettison a hopeless codebase.
o  Attempting to mislead everyone into thinking that clearly proprietary
   projects are open source, instead of saying "Here are the terms.
   Use the code or don't."
o  Almost never being willing to compare Qmail against Postfix, only
   against Sendmail because the latter is a more-facile target, and
   because the speaker is attempting to rope-in admins too wet behind
   the ears to have heard of anything _but_ Sendmail, before they've
   tried and adopted those other options (Postfix, Courier, or even Exim).
o  Attempting to dismiss licence analyses without addressing them, by 
   claiming merely that proprietary DJBware "doesn't have a licence", 
   when the speakers are fully aware that it has the _default_ licence 
   that is implicit in copyright law unless explicitly overriden, which 
   licence happens to be proprietary in nature.

If the DJBware camp were to cease trying to shade the truth, actively
mislead the unwary, and play disreputable rhetoric games, they wouldn't
encounter such hostility -- when in truth they have some valuable
lessons to offer (see below).

> DJB has the almost singular distinction of writing major software
> packages, widely deployed, with ZERO security holes.

In _part_ through modular design, attention to trust relationships,
eschewing featuritis, careful coding to prevent buffer overflows, and
other worthwhile practices.  However, in part, it has also been through
omitting needed functionality, requiring you to retrofit it through
either third-party patches or ancillary software.

I mean, wow!  djbdns has never had any security flaws in its outbound
AXFR or IXFR/TSIG code.  That's great!  Except, wait:  djbdns doesn't
_do_ any of those things, and instead Bernstein suggests that, if you 
absolutely insist on having offsite backup nameservice (which he claims
is pointless) that you do so using file-replication tools such as rsync
over ssh, or using scp.  

Cool!  Well, I'm glad we've been saved from any security problems.  I
mean, it's lucky that there's never been the _least_ security flaw in
OpenSSH or OpenSSL, right?

Or:  You deploy qmail.  Oops, you encounter a security problem.  You
complain about it on the qmail mailing list.  Oh, I'm sorry, you failed
to understand the rules of the game:  Since you expected qmail to
actually _do_ something useful, you applied some of the huge number of
third-party patches that exist to supply missing functionality.  You
unfortunately thereby deprived yourself of the DJB Seal of Absolute
Perfection<tm>.  Silly boy.  You Have Lost.

A large part of the reason why its author created the Courier MTA was
that he was a Qmail admirer, generally, but got sick to death of having
to deluge it with third-party, unsupported (and never regression-tested) 
hacks in order to make it actually _do_ things.  See:

> People choose to use software for a variety of reasons. If you don't
> like the license, don't use the code. Real freedom means the freedom
> to choose, based on the premises and reasons that make sence to you. 

Absolutely.  And all I ask is honesty about that licensing from the
DJBware camp.  Which is conspicuously lacking.

> As an aside, I find it ironic that for all the trashing people do to
> DJB for his software being "non-free", his legal case with the EFF has
> the potential to do MORE for real freedom than any OSI license ever has.

Speaking just for myself, I never trash his software for being non-free;
I just say it's one of several reasons I elect not to use it.  And I
very prominently praise Prof. Bernstein for the Bernstein v. US DoJ
lawsuit, frequently.

Cheers,                     Errors have been made.  Others will be blamed.
Rick Moen

More information about the linux-elitists mailing list