Russell Nelson writes:
> > Several turnkey system vendors have converted to qmail.
>
> This is besides the point. Redhat ships sendmail because you are
> uncooperative. This is a security disaster which is entirely YOUR fault.
Sorry, everything else aside, I just don't see that Dan Bernstein is in any
way responsible for RedHat's actions. Dan owns the code and has chosen to
exercise his rights. What RedHat ships is up to RedHat.
qmail can be distributed without cost. I don't see that this obliges Dan
Bernstein to do anything further for the users of qmail. To suggest
otherwise is almost offensive.
That aside:
If you are going to verify that the binaries haven't changed, why not just
reinstall them? Here I have images (on tape) of important systems. It is
different to what is on the Redhat CD. It includes locally developed
software, infrequently changed configuration files, etc. Essentially
everything needed to bring the systems up to a configured, operating state
in case of some disaster which makes the current storage of a system
unreliable. This could be a breakin, multiple disk failures or whatever.
For users who do not take system recovery as seriously, the procedure, as I
see it, is: (1) reinstall the qmail binaries from CD, (2) apply the patch
shell script to get the UIDs right. Keep this script on a floppy if you
don't have a tape drive. RedHat could even write one of these, and have it
get the UIDs from /etc/passwd, and put it on their CD.
Cryptographic signatures could introduce excessive complacency in users.
You really need to have trusted storage for the certificates you use to
verify signatures. If that is stored, unprotected, on the same machine,
there is a hole in the system. Most users don't bother.
Regards,
Jan Mikkelsen
[EMAIL PROTECTED]
