On Tue, Dec 29, 1998 at 08:44:00AM -0500, Matthew Soffen wrote:
>
> Name 1 security hole found in qmail that they would have had to fix.

Do you use ulimit before running your qmail-smtpd? One place to fix
this security hole is in qmail-smtpd. Though Dan doesn't think it
should be fixed in qmail itself, it reasonably could be.

Anyway, keep in mind that just because it hasn't broken yet doesn't
mean it can't break. Thinking that way is unwise. Just because qmail
hasn't been broken *yet* doesn't mean that anyone is willing to stick
their neck out and claim that it can't be broken. A group (I among
them) have ponied up cash because there doesn't seem to be a way to do
it. Money isn't a conclusive proof that it can't happen. It's just
paper, it can't do a proof.

Also note that Dan's standing offer of $1k doesn't cover stupid holes
in the OS qmail's running on. If such an OS bug turned up, I hope
that someone would write a work-around for qmail. But since there's
always a chance that something unforeseen will break, why strut around
pretending otherwise?

-Peter