This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: redhat-list@redhat.com
From: Kevin MacNeil <kevin_macneil@yahoo.ca>
Subject: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 02:40:12 -0330

I just came across the latest remote root exploit for wu-ftp, which I dutifully installed on the small server I maintain. It's too bad redhat released the patch early, as it is going to be a pita for the other distributions. But accidents happen, and there's nothing to be done about it now.

That aside, I am wondering why the major distributions stick with software like wu-ftpd, which have such poor security records, when better alternatives exist, e.g.:

postfix instead of sendmail
proftpd instead of wu-ftpd

I know these can be installed after the fact, but why aren't they part of the default install? Isn't it asking for trouble to stick with insecure software?

p.s. is there a decent replacement for bind that djb doesn't own?

===

To: Kevin MacNeil <redhat-list@redhat.com>
From: Brian Ashe <brian@dee-web.com>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 03:48:32 -0500

Hi Kevin,

On Thursday, November 29, 2001, 1:10:12 AM, you babbled something about:

KM> That aside, I am wondering why the major distributions stick with
KM> software like wu-ftpd, which have such poor security records, when
KM> better alternatives exist, e.g.:

Licenses, commonality, familiarity, stuff like that. License being one of the most important.

KM> postfix instead of sendmail

Sendmail is the most common mail server available. There is no lack of documentation. It has also been doing "better" than in the past. Postfix also just had a significant DoS against it as well and with its increasing popularity, it may soon see more action on that front. Though I like it, I still tend to stick with Sendmail.

Postfix also is not GPL. It is under the IBM Public License. If you read it, you could see that there are certain provisions for commercial distribution. While they wouldn't stop you from distributing it, there are some interesting clauses that lawyers may be able to use against someone. Though I would not know how chancy that is, RH (and others) may have lawyers that recommend against it.

KM> proftpd instead of wu-ftpd

I agree here completely. It is GPL. It is easier to configure. And WU has just never gotten this thing right. Mandrake Linux has started shipping this as the default. I hope RH follows that one.

KM> I know these can be installed after the fact, but why aren't they part
KM> of the default install? Isn't it asking for trouble to stick with
KM> insecure software?

It is much more trouble to face license and other legal issues. The GPL protects from most legal action (like most other licenses do) and has no restrictions on distribution. If you follow OpenBSD at all, you would see that they are pulling packages out of their system and out of their "ports" collections for license issues left and right. It is really getting much trickier to do all this stuff now that Linux is so in the public eye and there are companies that would quickly rat a distro out for violations if they think it would hurt Linux's stance in the market.

Plus when was the last time you saw M$ get hurt by including insecure software? It also works for Linux sometimes (like wu-ftpd, sendmail, etc.).

KM> p.s. is there a decent replacement for bind that djb doesn't own?

IMHO, Bind 9 hasn't seemed too bad. It is actually a complete rewrite and they took their time to make it. Since it is running all of the biggest name servers on the net, I think they are finally taking it seriously. Especially since they were paid to make sure that it should be secure.

===

To: redhat-list@redhat.com
From: Jason Costomiris <jcostom@jasons.org>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 09:52:59 -0500

On Thu, Nov 29, 2001 at 03:48:32AM -0500, Brian Ashe wrote:
: KM> postfix instead of sendmail
:
: Sendmail is the most common mail server available. There is no lack of
: documentation. It has also been doing "better" than in the past. Postfix
: also just had a significant DoS against it as well and with its increasing
: popularity, it may soon see more action on that front. Though I like it, I
: still tend to stick with Sendmail.

Yes, there was a DoS against Postfix, but Wietse had a patch to go along with his announcement. Also, DoS != root compromise. How many times do you need to see sendmail-induced root compromises (many even remote!)?

: Postfix also is not GPL. It is under the IBM Public License. If you read it,
: you could see that there are certain provisions for commercial distribution.
: While they wouldn't stop you from distributing it, there are some interesting
: clauses that lawyers may be able to use against someone. Though I would not
: know how chancy that is, RH (and others) may have lawyers that recommend
: against it.

The IBMPL is OSI-approved. Presumably, they have lawyers that look over licenses before agreeing that they are acceptable OSS licenses.

: I agree here completely. It is GPL. It is easier to configure. And WU has
: just never gotten this thing right. Mandrake Linux has started shipping this
: as the default. I hope RH follows that one.

Agreed. Another player on the scene is vsftpd (vs stands for Very Secure). It's small, fast, and very tight code. GPLv2 also.

: Plus when was the last time you saw M$ get hurt by including insecure
: software? It also works for Linux sometimes (like wu-ftpd, sendmail, etc.).

Umm... Maybe you haven't been paying that much attention to the news recently? CodeRed? CodeRed-II? Nimda? Others? Perhaps you haven't noticed the tons of analysts and columnists advising people to look elsewhere?

It's a shame these efforts to guide the public elsewhere via widespread mainstream journalism are so new. We can't yet measure the effects it will have. My guess? Since a number of those making suggestions are analysts for firms like Gartner, Forrester, etc., we'll be seeing results. Think about how many IT organizations hang on every word from analysts - it's a LOT.

===

To: Jason Costomiris <redhat-list@redhat.com>
From: Brian Ashe <brian@dee-web.com>
Subject: Re[2]: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 13:10:10 -0500

Hi Jason,

On Thursday, November 29, 2001, 9:52:59 AM, you babbled something about:

JC> On Thu, Nov 29, 2001 at 03:48:32AM -0500, Brian Ashe wrote:
JC> : KM>> postfix instead of sendmail
JC> :
JC> : Sendmail is the most common mail server available. There is no lack of
JC> : documentation. It has also been doing "better" than in the past. Postfix
JC> : also just had a significant DoS against it as well and with its increasing
JC> : popularity, it may soon see more action on that front. Though I like it, I
JC> : still tend to stick with Sendmail.

JC> Yes, there was a DoS against Postfix, but Wietse had a patch to go along
JC> with his announcement. Also, DoS != root compromise. How many times do
JC> you need to see sendmail-induced root compromises (many even remote!)?

I am quite aware of that. But, it proves that it is not the ultimate in programming as so many claim. I think it is excellent software, but if there are flaws in one place, should I assume that there can be no others? I would never recommend against using Postfix, but in the time it took Postfix to mature, Sendmail has done better than it used to. Trust me, I was always quite frustrated with the frequent updates for root compromises. But upgrading was always easy enough (rpm -Uvh sendmail*.rpm) and since I pay attention, it put me at less risk.

JC> : Postfix also is not GPL. It is under the IBM Public License. If you read it,
JC> : you could see that there are certain provisions for commercial distribution.
JC> : While they wouldn't stop you from distributing it, there are some interesting
JC> : clauses that lawyers may be able to use against someone. Though I would not
JC> : know how chancy that is, RH (and others) may have lawyers that recommend
JC> : against it.

JC> The IBMPL is OSI-approved. Presumably, they have lawyers that look over
JC> licenses before agreeing that they are acceptable OSS licenses.

Yes, but if you've read it, you would see that it is much more Debian friendly than RH, etc. friendly. The OSI rarely concerns itself with what legal liabilities a _commercial_ distribution might face for using a particular product in their distro.

JC> : Plus when was the last time you saw M$ get hurt by including insecure
JC> : software? It also works for Linux sometimes (like wu-ftpd, sendmail, etc.).

JC> Umm... Maybe you haven't been paying that much attention to the news
JC> recently? CodeRed? CodeRed-II? Nimda? Others? Perhaps you haven't
JC> noticed the tons of analysts and columnists advising people to look
JC> elsewhere?

Have you been sitting at a table with the CFO, CEO, etc. of a company and tried to use those reports to sell them on Linux? They get an "Oh.", and that's about it. When the mindset changes in the top brass, they may have more impact, but until then those reports only can put people over the top if they were already on the edge (usually from the OS crashing).

JC> It's a shame these efforts to guide the public elsewhere via widespread
JC> mainstream journalism are so new. We can't yet measure the effects it will
JC> have. My guess? Since a number of those making suggestions are analysts
JC> for firms like Gartner, Forrester, etc., we'll be seeing results. Think
JC> about how many IT organizations hang on every word from analysts - it's
JC> a LOT.

Yes, but the IT guys make few of the decisions (at least in most of the companies I've had to deal with). They can make recommendations, but often get ignored if the salespeople that come in are really good. And M$ salespeople are REALLY good at what they do. Do you know how many times I've had to hear, "No, we don't want to use Linux, we only want to use a real OS like Microsoft." XP has done more for getting people to take a look than all the bugs M$ has ever produced.

===

To: redhat-list@redhat.com
From: teg@redhat.com (Trond Eivind Glomsrød)
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: 29 Nov 2001 13:45:31 -0500

Kevin MacNeil <kevin_macneil@yahoo.ca> writes:

> I just came across the latest remote root exploit for wu-ftp, which I
> dutifully installed on the small server I maintain. It's too bad
> redhat released the patch early, but accidents happen and there's
> nothing to be done about it now.
>
> That aside, I am wondering why the major distributions stick with
> software like wu-ftpd, which have such poor security records, when
> better alternatives exist, e.g.:
>
> postfix instead of sendmail
> proftpd instead of wu-ftpd

proftpd isn't any better than wu-ftpd securitywise - vsftpd is, but doesn't have all the features yet (virtual hosting missed a lot).

===

To: redhat-list@redhat.com
From: Kevin MacNeil <kevin_macneil@yahoo.ca>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 15:15:18 -0330

On Thu, Nov 29, 2001 at 03:48:32AM -0500, Brian Ashe wrote:
> KM> postfix instead of sendmail
>
> Postfix also is not GPL. It is under the IBM Public License. If you
> read it, you could see that there are certain provisions for
> commercial distribution. While they wouldn't stop you from
> distributing it, there are some interesting clauses that lawyers may
> be able to use against someone. Though I would not know how chancy
> that is, RH (and others) may have lawyers that recommend against it.

Interesting. I didn't know postfix wasn't GPL. I suggested it because everyone would be better off if the configuration system of such an important service as mail was comprehensible by ordinary mortals, and if it were more secure by default. But yes, it should be GPL as well. Exim is GPL, and O'Reilly just released a comprehensive manual for it. What about that then?

My basic point was that much trouble could be avoided by using the best available software, rather than the status quo. Redhat has done this in the past even when some pain has been involved, such as when it dumped inetd for xinetd. So why not get rid of sendmail and wu-ftpd?

===

To: redhat-list@redhat.com
From: Jason Costomiris <jcostom@jasons.org>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 19:39:04 -0500

On Thu, Nov 29, 2001 at 01:10:10PM -0500, Brian Ashe wrote:
: I am quite aware of that. But, it proves that it is not the ultimate in
: programming as so many claim. I think it is excellent software, but if there
: are flaws in one place, should I assume that there can be no others?

And sendmail is free of flaws? Did Eric Allman just send you a pizza or something? :-)

: I would never recommend against using Postfix, but in the time it took
: Postfix to mature, Sendmail has done better than it used to. Trust me, I was
: always quite frustrated with the frequent updates for root compromises. But
: upgrading was always easy enough (rpm -Uvh sendmail*.rpm) and since I pay
: attention, it put me at less risk.

For me, it's:

rpm -e --nodeps sendmail sendmail-cf
rpm -ivh postfix......

(right after I build postfix from SRPM)

Easy to install, easy to upgrade...

: Yes, but if you've read it, you would see that it is much more Debian
: friendly than RH, etc. friendly. The OSI rarely concerns itself with what
: legal liabilities a _commercial_ distribution might face for using a
: particular product in their distro.

You can purchase "official" Debian CDs too. The distributions are, IMHO, equivalent. You can download the software, you can download ISOs, you can pay for "unofficial" copies, or you can pay for "official" copies of each.

: Have you been sitting at a table with the CFO, CEO, etc. of a
: company and tried to use those reports to sell them on Linux? They get an
: "Oh.", and that's about it. When the mindset changes in the top brass, they
: may have more impact, but until then those reports only can put people over
: the top if they were already on the edge (usually from the OS crashing).

The company officials that I've spoken to must be very different from the ones you've seen. The ones I've seen are concerned about why they are experiencing downtime and how to abate the condition. The conversation usually goes something like this:

Why is our web server down? I've been trying to use it all morning.

Our web server uses Microsoft's IIS. It's vulnerable to the security problems you've been seeing on the news. Operations staff hasn't been 100% up to date on security patches, so we got hit.

....fast forward ahead a couple of server-crippling worms later...

Why are we down again?

We're still using Microsoft IIS. That software seems to have a lot of problems.

Is there anything you can do?

I recommend we stop using software that's as bug-ridden as IIS.

Ok, get a plan together and do it.

Maybe you're just not convincing enough... ;-)

: Yes, but the IT guys make few of the decisions (at least in most of the
: companies I've had to deal with). They can make recommendations, but often
: get ignored if the salespeople that come in are really good. And M$
: salespeople are REALLY good at what they do.

You're absolutely right - it's not the IT guy, it's his boss' boss that does. *THAT* is the guy who lives and dies by those analyst reports.

===

To: redhat-list@redhat.com
From: Joe Brenner <doom@kzsu.stanford.edu>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 17:30:13 -0800

Jason Costomiris <jcostom@jasons.org> wrote:

> On Thu, Nov 29, 2001 at 01:10:10PM -0500, Brian Ashe wrote:
> : Yes, but if you've read it [the postfix license], you
> : would see that it is much more Debian friendly than RH,
> : etc. friendly. The OSI rarely concerns itself with what
> : legal liabilities a _commercial_ distribution might face
> : for using a particular product in their distro.

> You can purchase "official" Debian CDs too. The distributions are, IMHO,
> equivalent. You can download the software, you can download ISOs, you
> can pay for "unofficial" copies, or you can pay for "official" copies of
> each.

Also, postfix is the standard mailer for the Mandrake distro.

The opinion that the OSI is unconcerned with the needs of commercial users of open source software sounds very peculiar. The OSI still has the "IBM Public License Version 1.0" up on its list of open source licences:

http://www.opensource.org/licenses/ibmpl.html

And looking at the text, it sounds a lot like an open source license to me:

2. GRANT OF RIGHTS

a. Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, distribute and sublicense the Contribution of such Contributor, if any, and such derivative works, in source code and object code form.

The bulk of the text seems to be an exercise in paranoia about protecting the guys writing code from any legal attacks. The only place where commercial distros are mentioned, they're essentially just saying that the code authors aren't responsible for any advertising claims the distro makes.

(And I see that gnu.org concurs that it's a free software license, albeit with some incompatibilities with the GPL).

===