Sorry Dan, you are incorrect. It is very possible to check not only the
binaries but also ALL of the security-critical system-dependent files. That,
sir, is the beauty of the rpm system. If I maintain all of my
security-critical system-dependent files via the rpm system (and I do, with
the exception of qmail due to your lack of cooperation with Red Hat) I can
determine within minutes if someone has touched any of my files with a
single command. Russell Nelson is well aware of the capabilities of the rpm
tool; you might want to take the time to understand exactly what rpm can do.

I like qmail's security; I dislike your refusal to give people the same
freedoms that you demand. Should a new mailer come along that is equal in
security and allows me freedom, I will move to it. Should an open source
project arrive on the screen, I will happily donate my time to making it a
more viable system than qmail currently is.

The sad part is qmail has great potential; your refusal to work with people
is holding qmail back from much better market penetration. Certainly it is
your right, you wrote it, but given your desire to replace unsecure with
secure, you are making the process difficult at best.

David Mandala 

Quoting D. J. Bernstein ([EMAIL PROTECTED]):
> Russell Nelson writes:
> > binaries vary from machine to machine, and
> > cannot be compared against a known-good copy.
> 
> The same is true of all sorts of configuration files, so of course the
> system can deal with it.
> 
> > Restore the system to a usable state through removal of tainted binaries.
> 
> If your machine has been compromised, you must reinstall. If you merely
> verify the constant files, you are missing hundreds of security-critical
> system-dependent files. Your suggestion, manual inspection, is absurd.
> 
> > That means that qmail must carry its own binary editor around with it.
> 
> Simple matter of programming, already done in qmail 1.03. No problem.
> 
> > If modification is not possible,
> 
> Red herring. Modification is possible.
> 
> Do you have any other claimed benefits of run-time uid configuration?
> 
> ---Dan
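
Added example, not part of either message: a shell sketch of triaging `rpm -Va` verification output, separating package-marked config files (which legitimately differ per machine) from changed or missing non-config files. The sample lines and the function names `classify_verify`, `sample_output` and `suspicious` are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output. Sample lines below are constructed.
# Flag columns follow rpm's verify format: S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime, P capabilities.

classify_verify() {
    # Reads `rpm -V` / `rpm -Va` lines on stdin, prints "CLASS path".
    awk '
    {
        flags = $1
        attr  = ($2 ~ /^[cdglr]$/) ? $2 : ""   # "c" marks a config file
        path  = substr($0, index($0, "/"))     # keeps paths with spaces
        digest = substr(flags, 3, 1)           # third column: 5, ? or .
        if (flags == "missing")  class = "MISSING"
        else if (digest == ".")  class = "META-CHANGED"    # mode/owner/mtime only
        else if (attr == "c")    class = "CONFIG-CHANGED"  # expected to vary
        else                     class = "CONTENT-CHANGED" # packaged file altered
        print class, path
    }'
}

sample_output() {
    # Constructed lines in the shape rpm prints; not from a real host.
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/passwd
.M.......    /usr/sbin/sendmail
missing      /usr/bin/w
.......T.  c /etc/aliases
EOF
}

suspicious() {
    # Paths to look at first: changed or missing non-config files.
    classify_verify |
        awk '$1 == "CONTENT-CHANGED" || $1 == "MISSING" { sub(/^[^ ]+ /, ""); print }'
}

if [ "${1:-}" = "--live" ]; then
    rpm -Va | classify_verify      # requires rpm on the host
else
    sample_output | classify_verify
fi
```

The result is only as trustworthy as the `rpm` binary and package database doing the check, so on a host suspected of compromise both should come from read-only or off-host media.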
