Peter Serwe wrote: >> I don't see any patches to fix security problems, but I am not >> prepared to believe there are no security problems. There are patches >> to fix standards non-compliance (eg RFC 1870 and RFC 2821) and nobody >> can distribute source with them preapplied. Instead, they must >> distribute patch alone or source-plus-patch. > Well, ya know it's kinda funny. The author has had a cash prize for > anybody to find a security > hole in qmail for the better part of a decade, and as much as a lot of > people have gotten really > intimate with the qmail source code (as evidenced by the sheer number of > patches), nobody > has EVER been able to find one and claim the prize. I think that's as > close to being able to > believe there aren't any issues as any software I've ever seen. I saw that. Who's the judge of what constitutes a security bug? You and I are very likely to disagree in some cases, even where we agree on a definition. I do value standards compliance, and I think that something like: yum install postfix spamassassin dovecote beats downloading the source, patching, installing binaries (in /var? really!) and taking it on myself to verify it all fits together. _I_ don't want development tools on my mail gateway, and if I really wanted to build from source I'd probably be using gentoo. or building RHEL myself. Actually, I do, sort of, on one box:-) Both. > Certainly Bill Gates would > be substantially poorer had he ever made that claim, and backed it with > cash over the same > time period. > > </rant> :D I also saw his comments re the author of postfix. OTOH, at www.postfix.org I could find nothing bad about qmail or its author. If Dan didn't propagate the alleged slanders, hardly anyone would know about them. I also saw his comments re the future of qmail: http://cr.yp.to/qmail/future.html -- Cheers John -- spambait 1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu Please do not reply off-list