On Thu Sep 25, 2003 at 10:33:35PM -0700, James Sparenberg wrote:
> > > > Heck, I'm all for it and agree with all your reasons. But the example
> > > > is a touch out... wu-ftpd hasn't been in main since 8.2 (last version
> > > > it shipped in main).
> > > >
> > > > Hey, while we're at it, can we throw sendmail in contribs? =)
> > > >
> > > > (Serious about killing wu-ftpd altogether, semi-serious about
> > > > sendmail)
> > >
> > > To give a serious answer (like I got any authority in this :)
> > > No we can't ditch sendmail. Too many people rely on and like sendmail. And
> > > it's not that evil. I mean there are some periods in which no exploits
> > > are found in sendmail.
> >
> > The same could be said of wu-ftpd, tho. There was the one issue in July,
> > and previous to that was Nov 2001. So from 11/01->07/03 it was pretty
> > quiet. I guarantee you in that timeframe sendmail has had more security
> > issues.
> >
> > > But what we can do is keep a close eye on it, or even import the sendmail in
> > > OpenBSD-cvs which is audited. Same thing goes for BIND. I don't know how
> > > practical this is but it sounds like something to contemplate.
> >
> > Is openbsd using bind9 yet? Or are they still on bind4? If they are using
> > bind9, I have my doubts that it's been audited... that's a lot of code to
> > audit so quickly, especially considering how long they left bind4 in there.
>
> One of the reasons the update took so long is that they are auditing the
> code *grin*. I checked 3.2 OpenBSD and it does run 9.21. I'm told that
> they do do a legit "cheat" when auditing. They first "recheck" the code
> that didn't change and then repair. Then audit what is left. However I
> don't know enough about the process there to comment beyond this.
Hmmm.. that sounds interesting. I wonder if the bind folks know about this... I'm sure it would be nice to have whatever fixes are committed to openbsd-cvs put back into bind itself.

> > On the sendmail side, I'm not sure. Is it up to date? We won't win any
> > friends by regressing to an older-but-openbsd-audited version.
>
> They don't have sendmail in the files list. It's postfix there.

Well at least they're doing that right... =)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
