Mailing List Archive

is security worth it (was Re: qmail 1.00 available)
the real disservice is suggesting someone use sendmail because it's easier
to install. what i wish is that this discussion (and the multi-rcpt
discussion) would be noted in the FAQ as ``closed'' on this list. it's all
in the archives and unless dan changes his mind you'll have to fend for
yourself.

for what it's worth i hope the serious* vendors work out what needs to be
worked out with dan. the hobbyist users will just have to take their
chances.

in case you think this harsh or inflammatory consider that security is
worth something. if you're not willing to pay that price then don't and,
if you see fit, recommend that others also use insecure products.

*serious vendors are willing to do the work to get the software integrated
into their release.

>>>>> "lilo" == lilo <lilo@linpeople.org> writes:

lilo> I know it's been heard before, but I'd really been hoping
lilo> something more flexible could be done---I regret that I'll have
lilo> to stop recommending the package for new users, since they are
lilo> the people who will be offering advice in mailer selection, based
lilo> on their own experiences, in a year or two.

--
paul
pjg@acsu.Buffalo.EDU |public keys at:
| http://urth.acsu.Buffalo.EDU/~pjg/key.html
if the above contains opinions they are mine unless marked otherwise.
Re: is security worth it (was Re: qmail 1.00 available)
At 22:55 22/02/97 -0500, Paul Graham wrote:
>the real disservice is suggesting someone use sendmail because it's easier
>to install. what i wish is that this discussion (and the multi-rcpt
>discussion) would be noted in the FAQ as ``closed'' on this list. it's all
>in the archives and unless dan changes his mind you'll have to fend for
>yourself.
>
>for what it's worth i hope the serious* vendors work out what needs to be
>worked out with dan. the hobbyist users will just have to take their
>chances.

As I understood it, redistribution was only allowed by Dan in the form of
the original tar.gz file. But, I also thought he said that other distribution
methods would have to speak to Dan about it. I read that to say he's open
to other distribution methods assuming they meet some criteria. Has anyone
approached Dan with their alternative distribution methods and got a response?


Regards.
Re: is security worth it (was Re: qmail 1.00 available)
On 22 Feb 1997, Paul Graham wrote:

<SOAPBOX>
> the real disservice is suggesting someone use sendmail because it's easier
> to install. what i wish is that this discussion (and the multi-rcpt

In my case I need to be able to provide pre-compiled binaries,
configuration files and a set of instructions for the complete
novice to use.

I can currently do this with sendmail because I don't worry about
the version they have installed: if they have security problems then
that is their problem, though I do provide instructions on how to make
sendmail a little more secure than it is normally (i.e. by not running as
root). I also provide canned configuration files for various platforms.

I would really like to be able to provide the same for qmail.
the instructions would be:
1. untar this file
2. run the install program, the prompts are good values to use
3. read the manual pages to customise your installation

/I/ am worried about security, and where I have the time/resources
implement it. most people running unix workstations connected to the
campus network don't have a clue when it comes to security, don't care
when it comes to security and will blame the author of the software
for any security problem.

As professionals we're supposed to be helping these people make their
systems more secure.

Unfortunately I don't think it's going to make it to version 2 and wide
acceptance with current policies.

</SOAPBOX>

+----------------------------+
| richard@illuin.demon.co.uk | Aut viam inveniam aut faciam
+----------------------------+

Re: is security worth it (was Re: qmail 1.00 available)
On 22 Feb 1997, Paul Graham wrote:

> the real disservice is suggesting someone use sendmail because it's easier
> to install. what i wish is that this discussion (and the multi-rcpt
> discussion) would be noted in the FAQ as ``closed'' on this list. it's all
> in the archives and unless dan changes his mind you'll have to fend for
> yourself.

It's not a disservice to suggest to new users that they install what they
can install. We are dealing with users who are literally so new to *nix
systems that installing a package available only in source can present an
impassable roadblock. They learn fast, but their initial install is not the
time to put up roadblocks. Unfortunately, the mail package they install
first will probably be the package they keep for some time.

I'm not here to justify support strategies for new *nix users to people who
don't have experience supporting large numbers of such users. I'm simply
commenting on my dilemma as a support person in the *real* world.

> for what it's worth i hope the serious* vendors work out what needs to be
> worked out with dan. the hobbyist users will just have to take their
> chances.

If the problem were `hobbyists versus serious users' then I wouldn't bring
it up. A number of these users are installing systems intended for
production use.

> in case you think this harsh or inflammatory consider that security is
> worth something.

There's no question, your comments are definitely harsh and inflammatory, as
I'm sure you're aware. ;) Security is only of use to people who have a
system installed, those who don't mostly consider it an abstraction. That's
the Catch-22 involved.

> if you're not willing to pay that price then don't and,
> if you see fit, recommend that others also use insecure products.

Most of the industry is using sendmail. It's less secure than qmail, but
one manages as best one can in an imperfect world. It's the canonical
Internet mail transport agent. Dan could change that, if it were a
priority for him, but so far I don't see evidence it is.

> *serious vendors are willing to do the work to get the software integrated
> into their release.

Serious vendors are often interested in providing standard packages, more
than attempting to break new ground, especially when breaking new ground is
more effort. Making a special effort to use a package no one has ever heard
of does not usually give the customer what he or she wants. Vendors who
sell products have to be concerned with their customers' perceived needs, in
the real world.



lilo

Re: is security worth it (was Re: qmail 1.00 available)
have you been told that you cannot hand out binary ``packages''?

>>>>> "Richard" == Richard Letts <richard@illuin.demon.co.uk> writes:

Richard> In my case I need to be able to provide pre-compiled binaries,
Richard> configuration files and a set of instructions for the complete
Richard> novice to use.

--
paul
pjg@acsu.Buffalo.EDU |public keys at:
| http://urth.acsu.Buffalo.EDU/~pjg/key.html
if the above contains opinions they are mine unless marked otherwise.
Re: is security worth it (was Re: qmail 1.00 available)
On 23 Feb 1997, Paul Graham wrote:

> have you been told that you cannot hand out binary ``packages''?
>
> >>>>> "Richard" == Richard Letts <richard@illuin.demon.co.uk> writes:
>
> Richard> In my case I need to be able to provide pre-compiled binaries,
> Richard> configuration files and a set of instructions for the complete
> Richard> novice to use.

Yes, he has. There is no licensing information whatsoever in the qmail
source tar, so one has to go back to `Information for distributors' on Dan's
web page:

>You may distribute copies of qmail-1.00.tar.gz, with MD5 checksum
>d3033be700fd6f59ac0548c832652dd3.
>
>Vendors: I'd be interested in hearing about any CDs that include the package, but you
>don't have to check with me if you don't want to.
>
>If you want to distribute modified versions of qmail (e.g., different packaging formats,
>porting changes, precompiled binaries) you'll have to get my approval.


lilo

Re: is security worth it (was Re: qmail 1.00 available)
people running ``production'' systems they don't understand without a
support staff are what i would call hobbyists. other people might call
them naive or foolish.

it's clear the best thing for you to do is keep pushing sendmail until wv
releases his secure clone. our fundamental differences mean we cannot have
a productive discussion about this issue.

>>>>> "lilo" == lilo <lilo@linpeople.org> writes:
lilo> It's not a disservice to suggest to new users that they install
lilo> what they can install. We are dealing with users who are
lilo> literally so new to *nix systems that installing a package
lilo> available only in source can present an impassable roadblock.
...
lilo> If the problem were `hobbyists versus serious users' then I
lilo> wouldn't bring it up. A number of these users are installing
lilo> systems intended for production use.

--
paul
pjg@acsu.Buffalo.EDU |public keys at:
| http://urth.acsu.Buffalo.EDU/~pjg/key.html
if the above contains opinions they are mine unless marked otherwise.
Re: is security worth it (was Re: qmail 1.00 available)
On 23 Feb 1997, Paul Graham wrote:

> people running ``production'' systems they don't understand without a
> support staff are what i would call hobbyists. other people might call
> them naive or foolish.

I agree there is a lot of name-calling on the Internet. I call people on a
small budget, producing a useful service for money, `businesses.' If their
businesses require them to run small Internet systems which provide mail
services, I would call those `production' systems. Perhaps other terminology is
used in academic circles.

> it's clear the best thing for you to do is keep pushing sendmail until wv
> releases his secure clone. our fundamental differences mean we cannot have
> a productive discussion about this issue.

Please don't think I've singled you out as a source of authoritative
information on this subject.


lilo

Re: is security worth it (was Re: qmail 1.00 available)
At 01:41 PM 2/23/97 -0500, Paul Graham wrote:
>people running ``production'' systems they don't understand without a
>support staff are what i would call hobbyists. other people might call
>them naive or foolish.

How about "new at the job?" Where I live (in the Eastern Upper Peninsula of
Michigan) it is a very depressed economy, and it is very hard to entice
professionals to relocate to the "boonies" for half their "city" wage.

Hence, I got the job because it paid a little better, and because I had:

OS-9 Experience... from my Tandy Color Computer 3.

I was the *only* person to boast any form of Unix-like-OS experience
whatsoever, and if y'all don't have any experience with OS-9, I can assure
you that it was not enough to take over the job of sysadmin for 3 Unix
boxes. When I started a job, I didn't know the difference between an MTA,
MUA or /var!

I am learning quickly (thank goodness quickly enough to know to chuck
Sendmail at my earliest convenience! ;-) ) but just because we don't have
a multi-million $ budget, and *I* am the entire Unix Support Staff (and I
also handle all the web page generation...), doesn't mean my company's not
a production site. Sometimes folks in the big cities where "pros" are much
easier to come by forget that not everyone has this luxury!

Just my $1.50 (inflation) and thanks for the bandwidth,
"Merch"

Roger Merchberger | Everyone complained to me to change my .sig,
Programmer, NorthernWay | but no-one could recommend something better.
zmerch@northernway.net | So you'll have to put up with this *junk*
| until I find some new wisdom to share.
Re: is security worth it (was Re: qmail 1.00 available)
first let me amend my use of the word hobbyist. it should have been
dilettante.

now please think this through. you need a secure mailer. probably a
replacement for sendmail. this suggests that you are connected to the
internet. this means that you can find 1) someone (running qmail one
hopes) to host your mail for you and you can retrieve it with something
like fetchmail or 2) any number of consultants who are also on the internet
(check www.qmail.org) that can do the qmail installation for you. can't
afford it? hmmmm...

>>>>> "zmerch" == Roger Merchberger <zmerch@mail.northernway.Net> writes:
zmerch> because we don't have a multi-million $ budget, and *I* am the
zmerch> entire Unix Support Staff (and I also handle all the web page
zmerch> generation...), doesn't mean my company's not a production
zmerch> site. Sometimes folks in the big cities where "pros" are much
zmerch> easier to come by forget that not everyone has this luxury!

--
paul
pjg@acsu.Buffalo.EDU |public keys at:
| http://urth.acsu.Buffalo.EDU/~pjg/key.html
if the above contains opinions they are mine unless marked otherwise.
Re: is security worth it (was Re: qmail 1.00 available)
>> have you been told that you cannot hand out binary ``packages''?
>
>Yes, he has. There is no licensing information whatsoever in the qmail
>source tar, so one has to go back to `Information for distributors' on Dan's
>web page:
>
>>If you want to distribute modified versions of qmail (e.g.,
>>different packaging formats, porting changes, precompiled binaries)
>>you'll have to get my approval.

Learn to read.

-Dave
Re: is security worth it (was Re: qmail 1.00 available)
> the real disservice is suggesting someone use sendmail because it's easier
> to install. what i wish is that this discussion (and the multi-rcpt
> discussion) would be noted in the FAQ as ``closed'' on this list. it's all
> in the archives and unless dan changes his mind you'll have to fend for
> yourself.
>
> for what it's worth i hope the serious* vendors work out what needs to be
> worked out with dan. the hobbyist users will just have to take their
> chances.
>
> in case you think this harsh or inflammatory consider that security is
> worth something. if you're not willing to pay that price then don't and,
> if you see fit, recommend that others also use insecure products.
>
> *serious vendors are willing to do the work to get the software integrated
> into their release.

I consider Red Hat a fairly "serious" vendor.

We will ship what the bulk of our customers *expect* us to ship. Right now,
that's Sendmail. We'd like to ship alternatives, but frankly, this qmail
license doesn't help us one bit.

While I could mail Dan (which I'd have to do direct since I don't think I've
ever had a response to a post I've made here from him), then *I* have permission
to distribute qmail with Red Hat. But, Infomagic, WGS, Yggdrasil, Cheapbytes,
etc, do NOT have that permission. We don't have the time to jockey back and
forth with software authors over what can and can't be distributed.

Aside from that, the "unmodified" source stuff bothers me. Even if I get
permission from Dan to distribute binary and source RPMs with Red Hat, do
I then have to get every little patch I might need to make (many of our
packages need minor makefile patches, etc, to install in proper places,
etc) approved by Dan?

Dan, in general, this license again makes it impossible for me to distribute
qmail in any way as a part of Red Hat. It also means folks cannot upload
binary and source RPMs to my FTP site. I am deleting the old ones that
were uploaded now as well (which probably shouldn't have been there either).

Unless things change qmail is basically only useful by sysadmins who want to
upgrade from sendmail to qmail and are proficient enough to compile it
themselves and have the time to do it. This seems like a silly limitation
to me, but it isn't my work.


--Donnie

--
Donnie Barnes http://www.redhat.com/~djb djb@redhat.com "Bah."
See http://www.LinuxExpo.org for info on the biggest Linux event ever!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_Things You'd NEVER Expect A Southerner To Say_ by Vic Henley:
** My fiancee, Paula Jo, is registered at Tiffany's.
Re: is security worth it (was Re: qmail 1.00 available)
donnie barnes writes:
>
> Dan, in general, this license again makes it impossible for me to distribute
> qmail in any way as a part of Red Hat. It also means folks cannot upload

i don't quite understand this. as far as i can tell from the following
(which is as good an explanation of the copying policy as i think we'll get):

"Once the user owns a copy of qmail-1.00.tar.gz, Congress lets him
modify it without checking with me."
---Dan Bernstein, in email message to djb-qmail list, dated 24 Feb 1997

it seems to me that redhat could provide an unmodified copy of 1.00, an
arbitrary set of patches, and either a makefile or a set of binaries, i
don't think it matters which. am i incorrect in this?

paul
---------------------
paul fox, pgf@foxharp.boston.ma.us (arlington, ma)
Re: is security worth it (was Re: qmail 1.00 available)
Paul Fox <pgf@foxharp.boston.ma.us> asks:
>donnie barnes writes:
> >
> > Dan, in general, this license again makes it impossible for me to distribute
> > qmail in any way as a part of Red Hat. It also means folks cannot upload
>
>i don't quite understand this. as far as i can tell from the following
>(which is as good an explanation of the copying policy as i think we'll get):
>
> "Once the user owns a copy of qmail-1.00.tar.gz, Congress lets him
> modify it without checking with me."
> ---Dan Bernstein, in email message to djb-qmail list, dated 24 Feb 1997
>
>it seems to me that redhat could provide an unmodified copy of 1.00, an
>arbitrary set of patches, and either a makefile or a set of binaries, i
>don't think it matters which. am i incorrect in this?
>

I think the sticky part for Donnie is the last paragraph on Dan's page,
which says something like "...if you're not distributing the software,
you have nothing to worry about." Making RPM's available sounds to me
like distributing software. It may sound that way to Donnie also, hence
his concern.

-Greg
--
Greg Andrews West Coast Online
Unix System Administrator 5800 Redwood Drive
gerg@wco.com Rohnert Park CA 94928
(yes, 'greg' backwards) 1-800-WCO-INTERNET
Re: is security worth it (was Re: qmail 1.00 available)
> it seems to me that redhat could provide an unmodified copy of 1.00,
> an arbitrary set of patches, and either a makefile or a set of
> binaries, i don't think it matters which. am i incorrect in this?

(For the purposes of the discussion below, I'm going to pretend you
said "a makefile" instead of "a makefile or a set of binaries."
Binaries are clearly a derivative work of the sources and are subject
to copyright restrictions, and Dan has not given general permission to
distribute qmail binaries.)

I hate to prolong a legal discussion among laymen when I'm not a
lawyer, but I believe the answer is "not necessarily." The FSF has
claimed, perhaps wrongly, that such an act would be considered
"subversion" because the intent is to distribute a modified version of
qmail. Even though every step along the way is legal (you had a
license to distribute qmail verbatim, and your patches, assuming they
are ed scripts, are purely your own material), the overall operation
may not be.

The FSF used this argument in one case when NeXT wanted to distribute
its objective C front-end to gcc as a proprietary set of object files
and then have the user do the link. RMS apparently managed to get a
lawyer to tell him that such a thing wasn't legal, even though gcc
itself was being distributed with source and the Objective C front end
wasn't (then) covered by the GPL.

The FSF used this argument again when someone distributed patches to
make RIPEM use the gnu multiprecision math library, which was covered
by the GPL and not the LGPL. Since RIPEM also used RSAREF, which
cannot be distributed under the GPL, RMS claimed that distributing
RIPEM such that it is only useful when linked against gmp was a
subversion of the gmp license, and therefore illegal. At this point,
a number of lawyers turned out to say that RMS was probably full of
it.

I know of no court precedent one way or another.
Re: is security worth it (was Re: qmail 1.00 available)
On 25 Feb 1997, D. J. Bernstein wrote:

> Date: 25 Feb 1997 01:14:37 -0000
> From: "D. J. Bernstein" <djb@koobera.math.uic.edu>
> To: djb-qmail@koobera.math.uic.edu
> Subject: Re: is security worth it (was Re: qmail 1.00 available)
>
> > then *I* have permission
> > to distribute qmail with Red Hat. But, Infomagic, WGS, Yggdrasil, Cheapbytes,
> > etc, do NOT have that permission.
>
> My approval of distribution of a modified version does not depend on who
> is doing the distribution. It depends only on the modifications.
>
> ---Dan
> Let your users manage their own mailing lists. http://pobox.com/~djb/qmail.html
>

Oh goody! I hope RedHat is able to quickly integrate QMAIL into their
next release (using patches by me and others that are already out there).

David Wayne Summers "Linux: The choice of a GNU generation."
david@summersoft.fay.ar.us PGP Public Key available on request.
PGP Key fingerprint = C0 E0 4F 50 DD A9 B6 2B 60 A1 31 7E D2 28 6D A8
Re: is security worth it (was Re: qmail 1.00 available)
> then *I* have permission
> to distribute qmail with Red Hat. But, Infomagic, WGS, Yggdrasil, Cheapbytes,
> etc, do NOT have that permission.

My approval of distribution of a modified version does not depend on who
is doing the distribution. It depends only on the modifications.

---Dan
Let your users manage their own mailing lists. http://pobox.com/~djb/qmail.html
Re: is security worth it (was Re: qmail 1.00 available)
On 24 Feb 1997, Dave Sill wrote:

> >> have you been told that you cannot hand out binary ``packages''?
> >
> >Yes, he has. There is no licensing information whatsoever in the qmail
> >source tar, so one has to go back to `Information for distributors' on Dan's
> >web page:
> >
> >>If you want to distribute modified versions of qmail (e.g.,
> >>different packaging formats, porting changes, precompiled binaries)
> >>you'll have to get my approval.
>
> Learn to read.

I.e., he cannot hand out binary packages without prior approval.


lilo

Re: is security worth it (was Re: qmail 1.00 available)
i will amend Dave's admonishment to

Learn to read and think.

normally i'm willing to let self-evident foolishness be its own reward but
a result of this nonsense is needless FUD about distributing qmail.

>>>>> "lilo" == lilo <lilo@linpeople.org> writes:

pjg> [has he] been told that [he] cannot hand out binary ``packages''?
lilo> Yes, he has.
dsill> Learn to read.

lilo> I.e., he cannot hand out binary packages without prior approval.

--
paul
pjg@acsu.Buffalo.EDU |public keys at:
| http://urth.acsu.Buffalo.EDU/~pjg/key.html
if the above contains opinions they are mine unless marked otherwise.
Re: is security worth it (was Re: qmail 1.00 available)
On Feb 25, 0:26, lilo wrote:
>
> I.e., he cannot hand out binary packages without prior approval.


Well .. how far does this go? If my coworkers and I administrate
100 Unix boxes ... Can I create a binary package for our own use?
I mean can I create a package that will get redistributed *within*
my organization but not *outside* of it?

Vlad

--
Vladimir Gabrielescu NBCS System Programmer 1-908-445-4785
vgabriel@toolbox.rutgers.edu http://nbcs.rutgers.edu/~vgabriel/
Someone should have labeled the future 'some assembly required'
Re: Licensing concerns (was, is security worth it, qmail 1.00 available)
Anyway, as I said before, my aim was not to start a range war. My aim was
to post comments to the primary reader of this list, the only person who
sets policy in the area of licensing, i.e., Dan. The licensing changed
somewhat with 1.00, I reflected my problems with the new status quo. I
preferred to do so in an archived, fairly-public forum, for the record.
I've achieved that end.

I appreciate all of the trial ballooning about policy compromises, while
recognizing that only Dan is in an actual position to do anything about
them. I am unsurprised by the various complaints, whinges and stereotypical
Internet flames (e.g., small users are dilettantes, everyone must upgrade
their computer to run the One True Package, non-hackers should not be
allowed to connect to the Internet, etc., etc.). I will only note that none
of this noise came from Dan. ;)

Thank you for your indulgence, I'm back to background mode. Probably the
most responsible replies to a message like this are to /dev/null ;)


lilo

Re: is security worth it (was Re: qmail 1.00 available)
> > then *I* have permission
> > to distribute qmail with Red Hat. But, Infomagic, WGS, Yggdrasil, Cheapbytes,
> > etc, do NOT have that permission.
>
> My approval of distribution of a modified version does not depend on who
> is doing the distribution. It depends only on the modifications.

Maybe that is your intent, but the license doesn't say that. It won't be
good enough for the companies above who will see the package and read your
license since all you say is "you" have permission to distribute them. Who
is the "you" in this case? Here it is the person who asked *only*.

Assuming you clarify the above in the license itself, would you then grant
us permission to distribute qmail binaries that have only conf*.h changes
*and* the patch to look up userid's from /etc/passwd? Are those patches
kosher? Can I then have permission to distribute RPMs of those binaries?
Do we have to ask for permission *again* for every new version that is
released? I would assume so.

The can of worms above is still far more in the way of hoops to jump through
than anything else we deal with...


--Donnie

--
Donnie Barnes http://www.redhat.com/~djb djb@redhat.com "Bah."
See http://www.LinuxExpo.org for info on the biggest Linux event ever!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_Things You'd NEVER Expect A Southerner To Say_ by Vic Henley:
** Has anybody seen the sideburn trimmer?
Re: is security worth it (was Re: qmail 1.00 available)
Donnie mentioned that he wants to remove the qmail.rpm's from the
redhat tree. Is this really necessary? Maybe the person who uploaded
them has permission from Dan.

Mate
Re: is security worth it (was Re: qmail 1.00 available)
> Assuming you clarify the above in the license itself, would you then grant
> us permission to distribute qmail binaries that have only conf*.h changes
> *and* the patch to look up userid's from /etc/passwd? Are those patches
> kosher? Can I then have permission to distribute RPMs of those binaries?

i don't know if dan has answered you privately, and i don't know if
you're referring to my getpwnam patches, but i'll assume you are.

i would not recommend those patches for any significant qmail distribution,
for precisely the reasons that dan was reluctant to use getpwnam in the
first place. the code as modified does fairly gross error checking on the
return from getpwnam, and is subject to huge delays if getpwnam has to
invoke something like yp. a better set of patches would use similar
code to establish a set of qmail uids once, store them in qmail/control/ids,
and use _that_, reliably, at runtime.

the patches as i wrote them should only be used on systems where you believe
getpwnam() is reliable. and as a redhat supplier, perhaps you do :-). but
i'd be careful.

paul
---------------------
paul fox, pgf@foxharp.boston.ma.us (arlington, ma)
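The approach Paul Fox sketches above (look the qmail uids up once at install time with strict error checking, store them in a control file, and have the daemons read that file at runtime instead of calling getpwnam() on every run), as an added example that is neither qmail's code nor his getpwnam patches. The "name:uid" line format of control/ids, the function names and the sample uids are assumptions for this example; the account names are the ones in qmail's conf-users.

```c
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MAX_IDS 16
#define NAME_LEN 31

struct qmail_id { char name[NAME_LEN + 1]; uid_t uid; };

/* Constructed sample in the assumed control/ids format ("name:uid" per
 * line): the names are qmail's conf-users accounts, the uids are made up. */
static const char SAMPLE_IDS[] =
    "alias:7790\nqmaild:7791\nqmaill:7792\nqmailp:7793\n"
    "qmailq:7794\nqmailr:7795\nqmails:7796\n";

/* Install-time lookup with strict error handling: 0 on success, -1 if the
 * account does not exist, -2 if the lookup itself failed (errno set, e.g.
 * an unreachable NIS/yp server), -3 if the account resolves to root. */
int resolve_uid_strict(const char *name, uid_t *out)
{
    struct passwd *pw;
    errno = 0;
    pw = getpwnam(name);
    if (pw == NULL)
        return errno != 0 ? -2 : -1;
    if (pw->pw_uid == 0)
        return -3;                /* a qmail daemon must never run as root */
    *out = pw->pw_uid;
    return 0;
}

/* Runtime step: parse the control file strictly. Rejects blank lines, empty
 * or overlong names, missing colons, non-decimal or zero uids, trailing
 * junk and duplicate names. Returns the entry count, or -1 on any defect. */
int parse_ids(const char *text, struct qmail_id *ids, int max)
{
    int n = 0, i;
    const char *p = text;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', len);
        size_t nlen = colon ? (size_t)(colon - p) : 0;
        unsigned long v;
        char *end;
        if (n == max || colon == NULL || nlen == 0 || nlen > NAME_LEN) return -1;
        /* strtoul() tolerates leading spaces and signs, so require a digit */
        if (colon + 1 == p + len || colon[1] < '0' || colon[1] > '9') return -1;
        errno = 0;
        v = strtoul(colon + 1, &end, 10);
        if (errno != 0 || end != p + len || v == 0) return -1;
        for (i = 0; i < n; i++)   /* two uids for one name: refuse to guess */
            if (strlen(ids[i].name) == nlen && memcmp(ids[i].name, p, nlen) == 0)
                return -1;
        memcpy(ids[n].name, p, nlen);
        ids[n].name[nlen] = '\0';
        ids[n].uid = (uid_t)v;
        n++;
        p = eol ? eol + 1 : p + len;
    }
    return n;
}

/* Runtime lookup in the parsed table: the uid, or -1 if the name is absent. */
long lookup_uid(const struct qmail_id *ids, int n, const char *name)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(ids[i].name, name) == 0) return (long)ids[i].uid;
    return -1;
}

/* What a daemon would do at startup: load the table once, then look up
 * its own account. Returns the uid, -1 for a malformed file, -2 if absent. */
long uid_from_text(const char *text, const char *name)
{
    struct qmail_id ids[MAX_IDS];
    long uid;
    int n = parse_ids(text, ids, MAX_IDS);
    if (n < 0) return -1;
    uid = lookup_uid(ids, n, name);
    return uid < 0 ? -2 : uid;
}
```

At install time a small program would call resolve_uid_strict() for each conf-users name and write the "name:uid" lines only if every lookup succeeded; a malformed or incomplete file makes uid_from_text() fail closed rather than fall back to getpwnam().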