Sorry Scott, the endless argument is not about Redhat feeling that Sendmail
+ RPM is more secure than qmail without RPM, it's about being able to check
your entire system for security problems with rpm IF the entire system was
installed only with rpm to start with. Part of that is that the binaries are
the same as the original binary, not edited in some fashion.

Qmail is the only package that suffers from this problem and it is Dan's
fault entirely. He is poorly responsive to users' needs and has been for as
long as I have been using qmail. Were it not for a lot of people making
patches for qmail I would not be running it, I'd be stuck with sendmail with
all of its holes and problems. Personally I'd like to see qmail go open
source. That in itself would solve all of these issues.

Dan refuses all of us the same freedoms he insists on. Somehow there is
something wrong with that. But there is nothing I can do about it, except on
occasion vent here on the mailing list and hope that at some point one of
three things will happen: 1) Dan sees the light and makes qmail open source
(fat chance) 2) Dan changes qmail to read uid/gid's from a file (perhaps a
slightly better chance of happening) or 3) Someone starts an open source
project with the ideals and design of qmail without the stubbornness of Dan
(this I think has the best chance of happening).

Option 3 would be sad since I think qmail is a very good product and I
happen to think that Dan is an impressive coder with some good ideas. It's
just frustrating that he is his own worst enemy where it comes to getting
qmail more widely accepted.

David Mandala

Quoting Scott Ballantyne ([EMAIL PROTECTED]):
> > The conditions necessary to eliminate sendmail from hundreds of
> > thousands of computers have been laid out. Redhat *wants* to ship
> > qmail, but they need those conditions satisfied. Are you suggesting
> > that there is no compromise worth ridding the world of hundreds of
> > thousands of security disasters?
> >
>
> A nice compromise would be for Redhat to figure out how to do what it
> wants, since it *wants* to ship qmail.
>
> > It is entirely Dan's failure to act that has caused hundreds of
> > thousands of *new* copies of sendmail to be installed. I don't think
> > hysteria is a sufficiently extreme reaction.
> >
>
> Let's see. This endless argument seems to be hammering home that
> Redhat feels that Sendmail + RPM is more secure than qmail without
> RPM. Is there some evidence for this? All the evidence I can see
> points in the opposite direction namely, that known 'vendor certified'
> copies of sendmail, distributed with RPM are less secure than qmail as
> distributed under Dan's conditions. If you can provide evidence that
> use of RPM magically reverses the security inequality between sendmail
> and qmail, then I'm sure Dan would be willing to do something about
> the situation. Until then, please, give it a rest.
>
> sdb
>
>