Peter Serwe wrote:
I don't see any patches to fix security problems, but I am not prepared to believe there are no security problems. There are patches to fix standards non-compliance (e.g. RFC 1870 and RFC 2821) and nobody can distribute source with them preapplied. Instead, they must distribute patch alone or source-plus-patch.
Well, ya know it's kinda funny. The author has had a cash prize for anybody to find a security hole in qmail for the better part of a decade, and as much as a lot of people have gotten really intimate with the qmail source code (as evidenced by the sheer number of patches), nobody has EVER been able to find one and claim the prize. I think that's as close to being able to believe there aren't any issues as any software I've ever seen.
I saw that. Who's the judge of what constitutes a security bug? You and I are very likely to disagree in some cases, even where we agree on a definition.
I do value standards compliance, and I think that something like: yum install postfix spamassassin dovecot beats downloading the source, patching, installing binaries (in /var? really!) and taking it on myself to verify it all fits together.
_I_ don't want development tools on my mail gateway, and if I really wanted to build from source I'd probably be using Gentoo, or building RHEL myself.
Actually, I do, sort of, on one box :-) Both.
Certainly Bill Gates would be substantially poorer had he ever made that claim, and backed it with cash over the same time period.
</rant> :D
I also saw his comments re the author of postfix. OTOH, at www.postfix.org I could find nothing bad about qmail or its author. If Dan didn't propagate the alleged slanders, hardly anyone would know about them.
I also saw his comments re the future of qmail: http://cr.yp.to/qmail/future.html