http://cr.yp.to/maildisasters/postfix.html simply reports the facts.
Some of the facts are continuing events: the Postfix author never
* posted an alert about this security problem, or
* apologized for exposing his users to selective mail destruction, or
* apologized for his false and misleading statements, or
* took responsibility for his mistakes, or
* offered cash rewards for security holes.
All of these remain true. If they ever change, I'm sure the Postfix
author will let me know, and I'll update the page accordingly.
Postfix proponents who claim that my page is ``out of date'' are really
trying to say that users should ignore the historical facts. This is a
common argument from people who don't really care about security. If
you've been fooled into using Sendmail, for example, and you're now
asking crucial questions such as
    How exactly did OpenBSD ``audit'' Sendmail? How did this latest
    security hole slip past the ``audit''? What structures and procedures
    could have been put into place to prevent this disaster? For example,
    shouldn't large setuid programs be banned?
you'll get non-answers like ``I can't believe you're attacking OpenBSD''
or ``Don't worry about it! The bug is fixed now. OpenBSD is secure!''
---Dan