[linux-elitists] DJB ruckus du jour

Wayne Earl wayne@qconcepts.net
Wed Nov 13 17:24:55 PST 2002

On Wed, Nov 13, 2002 at 05:03:06PM -0800 or thereabouts, Rick Moen wrote:
> Well, it's _also_ over intellectual honesty, something you did not
> mention.  I got tired of seeing this sort of scheiss bandied about in
> front of the gullible:

I definitely see this point. In fact, of all the rumblings against
djb's work, yours seems to be one of the few based on logic. My point
wasn't to support or refute either "side" - it was to point out that,
imo, most of the arguments come from different points of view.

> > DJB has the almost singular distinction of writing major software
> > packages, widely deployed, with ZERO security holes.
> In _part_ through modular design, attention to trust relationships,
> eschewing featuritis, careful coding to prevent buffer overflows, and
> other worthwhile practices.  However, in part, it has also been through
> omitting needed functionality, requiring you to retrofit it through
> either third-party patches or ancillary software.

The third option is simply to use other software. I dropped publicfile
in favor of vsftpd a while ago for this reason - I needed a feature
that publicfile didn't support, and I didn't want to patch the source
to get it to do what I wanted. At the same time, I wanted a secure
ftpd. vsftpd fit this nicely.

> Cool!  Well, I'm glad we've been saved from any security problems.  I
> mean, it's lucky that there's never been the _least_ security flaw in
> OpenSSH or OpenSSL, right?

Heh. At least DJB's code arrogance is (currently) justified. Theo
needs to stop believing his own hype (and stop hosting OpenBSD's
codebase on a Solaris ftp server, but that's a whole other issue).

> Or:  You deploy qmail.  Oops, you encounter a security problem.  You
> complain about it on the qmail mailing list.  Oh, I'm sorry, you failed
> to understand the rules of the game:  Since you expected qmail to
> actually _do_ something useful, you applied some of the huge number of
> third-party patches that exist to supply missing functionality.  You
> unfortunately thereby deprived yourself of the DJB Seal of Absolute
> Perfection<tm>.  Silly boy.  You Have Lost.

Or use Postfix. Qmail, though secure, is a very big pain to
administer. *shudder*

