procmail (in)security
Todd Underwood
todd-bogofilter at osogrande.com
Mon Mar 10 04:00:14 CET 2003
folx,
i promise this will be brief and i'll stop after this...
On Mon, 10 Mar 2003, Matthias Andree wrote:
> Todd, what is the problem with Dan's adding a line "you must use
> softlimit or similar tools to enforce memory limits"?
there's no problem. it doesn't make it a security bug not to mention it,
either.
> > this one is actually an interesting condition. race with super
> > high-volume mail delivery and super high-volume mail checking (it requires
> > a PID recycle or two), but it is theoretically possible.
>
> At higher rates with operating systems that randomize PIDs from a narrow
> PID space, say OpenBSD.
yes.
> Yay, that infamous defamation file. The flaw has been fixed 1998-12-24,
> the design was fixed one day later -- Dan's rant is outdated since then,
> and when asked why he doesn't fix the document for fairness and mention
> the bug is fixed, he says that's because Venema hasn't
> apologized. Calumny/Defamation and Coercion/"Blackmail".
we can debate the history of this kind of thing ad nauseam and we will
probably disagree (having both "lived through it" so we already have
well-formed perspectives), but here's an important point:
venema has had serious *design* bugs in his software. bernstein has not.
both have had situations of sub-optimal functioning under particular
operating systems or particular circumstances. both have had sub-optimal
documentation. based on the history, i trust qmail significantly more.
you can refer to me as an "old DJB disciple" if you want (somehow i think
that you think that this is derogatory; hmmmm), but that is my
perspective.
> > in any case, all of this is still off-topic. (i thought procmail security
> > was on-topic since people were talking about how they use it and i was
> > asking about how to get around needing it, but which MTA is better is
> > definitely straying, don't you think?).
>
> It's no more off-topic than MDA issues are. The old DJB disciple game
> (Charles Cazabon has mastered this): call others trolls when you're
> running out of arguments.
i disagree. i think it's off-topic for the bogofilter list. i'll stop
talking about it now (although i'm happy to continue a private discussion
with you, matthias).
> If you want to discuss my document, please reply in private mail.
t.
--
todd underwood, sr. vp & cto
oso grande technologies, inc.
todd at osogrande.com
"The people never give up their liberties but under some delusion."
--Edmund Burke, Speech at County Meeting of Bucks, 1784.