On Wed, Dec 23, 1998 at 12:01:21AM -0000, Scott Ballantyne wrote:
> You're wrong. Leave those 40 bytes out of the checksum, and you have a
> verification tool. This allows you to distribute qmail binaries under
> the current license, using idedit. Or just always have your
> verification tool reinstall the qmail binaries. Big deal. Both of these
> ways are perfectly valid under the present qmail license, as I
> understand it.

No, you don't. You have a vulnerability tool. You have something that
doesn't protect the system. How does the tool know that what's in
those 40 bytes is good if it's ignoring them? If it doesn't, and it's
for that purpose, then how can the admin know if using that tool?

Just like compiled-in uids, this doesn't provide any more security,
but this one adds a feeling of false safety. It also adds an
additional step to any installation, and no real benefit.

What were those other 999,999 ideas again :)

-Peter
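
The point argued in this exchange, as an added example that is not part of the original messages: a checksum that leaves a 40-byte window out accepts any contents in that window, unless the window is also compared with values the admin expects locally. The offset, the ten-id layout and all sample bytes are constructed assumptions; the thread gives only the 40-byte size.

```python
import hashlib
import struct

WINDOW_LEN = 40  # size named in the thread; offset and layout are assumptions
OFFSET = 64      # constructed offset of the window inside the sample file

def pack_ids(ids):
    """Hypothetical window layout: ten little-endian 32-bit ids (40 bytes)."""
    return struct.pack("<10I", *ids)

def masked_digest(blob, offset):
    """SHA-256 of the file with the 40-byte window left out."""
    h = hashlib.sha256()
    h.update(blob[:offset])
    h.update(blob[offset + WINDOW_LEN:])
    return h.hexdigest()

def verify(blob, offset, known_digest, expected_window=None):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    if len(blob) < offset + WINDOW_LEN:
        return ["file too short to contain the window"]
    if masked_digest(blob, offset) != known_digest:
        findings.append("bytes outside the window changed")
    # Without expected_window the 40 bytes are never looked at.
    if expected_window is not None:
        if blob[offset:offset + WINDOW_LEN] != expected_window:
            findings.append("window differs from locally expected values")
    return findings

def build(ids, head=b"\x90" * OFFSET):
    """Constructed stand-in for a binary: head + id window + tail."""
    return head + pack_ids(ids) + b"\xc3" * 32

# Constructed sample data, not a real qmail binary.
LOCAL_IDS = [7790 + i for i in range(10)]
KNOWN = masked_digest(build([0] * 10), OFFSET)      # distributor's digest
INSTALLED = build(LOCAL_IDS)                        # window filled in locally
ALTERED_WINDOW = build([7000] + LOCAL_IDS[1:])      # one id differs
ALTERED_CODE = build(LOCAL_IDS, head=b"\x91" + b"\x90" * (OFFSET - 1))

if __name__ == "__main__":
    want = pack_ids(LOCAL_IDS)
    print("installed, masked only:     ", verify(INSTALLED, OFFSET, KNOWN))
    print("altered window, masked only:", verify(ALTERED_WINDOW, OFFSET, KNOWN))
    print("altered window, with check: ", verify(ALTERED_WINDOW, OFFSET, KNOWN, want))
    print("altered code, with check:   ", verify(ALTERED_CODE, OFFSET, KNOWN, want))
```

The masked-only run on `ALTERED_WINDOW` returns no findings, which is the gap described in the reply; the run that also supplies the locally expected window reports it.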