Vincent Danen <[EMAIL PROTECTED]> wrote: > On Fri Sep 26, 2003 at 01:15:07AM +0200, Han Boetes wrote: > > > Heck, I'm all for it and agree with all your reasons. But the > > > example is a touch out... wu-ftpd hasn't been in main since 8.2 > > > (last version it shipped in main). > > > > > > Hey, while we're at it, can we throw sendmail in contribs? =) > > > > > > (Serious about killing wu-ftpd altogether, semi-serious about > > > sendmail) > > > > To give a serious answer (like I got any authority in this :) No we > > can't ditch sendmail. Too many people rely and like sendmail. And > > it's not that evil. I mean there are some periods in which no > > exploits are found in sendmail. > > The same could be said of wu-ftpd, tho. There was the one issue in > July, and previous to that was Nov 2001. So from 11/01->07/03 it was > pretty quiet. I guarantee you in that timeframe sendmail has had more > security issues.
hmmm, I don't know how many people still insist on using wu. > > But what we can do is keeping a close eye or even import the > > sendmail in OpenBSD-cvs which is audited. Same thing goes for BIND. > > I don't know how practical this is but it sounds like something to > > contemplate. > > Is openbsd using bind9 yet? Or are they still on bind4? If they are > using bind9, I have my doubts that it's been audited... that's a lot > of code to audit so quickly, especially considering how long they left > bind4 in there. BIND 9.2.2 I aught to ask around. > On the sendmail side, I'm not sure. Is it up to date? We won't win any > friends by regressing to an older-but-openbsd-audited version. Sendmail: version.m4,v 8.92.2.15 2003/03/19 21:19:52 ca Exp Not that that is really important. But they also had to fix the recent thing in sendmail. Though the default sendmail only listens on localhosts so that's not a remote. # Han -- http://www.xs4all.nl/~hanb/software http://www.xs4all.nl/~hanb/documents/quotingguide.html
pgp00000.pgp
Description: PGP signature
