On Fri Sep 26, 2003 at 01:15:07AM +0200, Han Boetes wrote:

> > Heck, I'm all for it and agree with all your reasons. But the example
> > is a touch out... wu-ftpd hasn't been in main since 8.2 (last version
> > it shipped in main).
> >
> > Hey, while we're at it, can we throw sendmail in contribs? =)
> >
> > (Serious about killing wu-ftpd altogether, semi-serious about
> > sendmail)
> 
> To give a serious answer (like I've got any authority in this :)
> No, we can't ditch sendmail. Too many people rely on and like sendmail. And
> it's not that evil. I mean, there are some periods in which no exploits
> are found in sendmail.

The same could be said of wu-ftpd, though.  There was the one issue in July,
and before that, Nov 2001.  So from 11/01->07/03 it was pretty
quiet.  I guarantee you in that timeframe sendmail has had more security
issues.

> But what we can do is keep a close eye on it, or even import the sendmail in
> OpenBSD CVS, which is audited. Same thing goes for BIND. I don't know how
> practical this is, but it sounds like something to contemplate.

Is OpenBSD using BIND 9 yet?  Or are they still on BIND 4?  If they are using
BIND 9, I have my doubts that it's been audited... that's a lot of code to
audit so quickly, especially considering how long they left BIND 4 in there.

On the sendmail side, I'm not sure.  Is it up to date?  We won't win any
friends by regressing to an older-but-OpenBSD-audited version.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
