redhat-list_why_does_redhat_ship_insecure_software

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: redhat-list@redhat.com
From: Kevin MacNeil <kevin_macneil@yahoo.ca>
Subject: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 02:40:12 -0330

I just came across the latest remote root exploit for wu-ftp, which I
dutifully installed on the small server I maintain.  It's too bad
redhat released the patch early, as it is going to be a pita for the
other distributions.  But accidents happen, and there's nothing to be
done about it now.

That aside, I am wondering why the major distributions stick with
software like wu-ftpd, which have such poor security records, when
better alternatives exist, e.g.:

postfix instead of sendmail
proftpd instead of wu-ftpd

I know these can be installed after the fact, but why aren't they part
of the default install?  Isn't it asking for trouble to stick with
insecure software?  

p.s.  is there a decent replacement for bind that djb doesn't own?



===
To: Kevin MacNeil <redhat-list@redhat.com>
From: Brian Ashe <brian@dee-web.com>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 03:48:32 -0500

Hi Kevin,

On Thursday, November 29, 2001, 1:10:12 AM, you babbled something about:

KM> That aside, I am wondering why the major distributions stick with
KM> software like wu-ftpd, which have such poor security records, when
KM> better alternatives exist, e.g.:

Licenses, commonality, familiarity, stuff like that. License being one of
the most important.

KM> postfix instead of sendmail

Sendmail is the most common mail server available. There is no lack of
documentation. It has also been doing "better" than in the past. Postfix
also just had a significant DoS against it as well and with its increasing
popularity, it may soon see more action on that front. Though I like it, I
still tend to stick with Sendmail.

Postfix also is not GPL. It is under the IBM Public License. If you read it,
you could see that there are certain provisions for commercial distribution.
While they wouldn't stop you from distributing it, there are some interesting
clauses that lawyers may be able to use against someone. Though I would not
know how chancy that is, RH (and others) may have lawyers that recommend
against it.

KM> proftpd instead of wu-ftpd

I agree here completely. It is GPL. It is easier to configure. And WU has
just never gotten this thing right. Mandrake Linux has started shipping this
as the default. I hope RH follows that one.

KM> I know these can be installed after the fact, but why aren't they part
KM> of the default install?  Isn't it asking for trouble to stick with
KM> insecure software?  

It is much more trouble to face license and other legal issues. The GPL
protects from most legal action (like most other licenses do) and has no
restrictions on distribution.

If you follow OpenBSD at all, you would see that they are pulling packages
out of their system and out of their "ports" collections for license issues
left and right. It is really getting much trickier to do all this stuff now
that Linux is so in the public eye and there are companies that would
quickly rat a distro out for violations if they think it would hurt Linux's
stance in the market.

Plus when was the last time you saw M$ get hurt by including insecure
software? It also works for Linux sometimes (like wu-ftpd, sendmail, etc.).

KM> p.s.  is there a decent replacement for bind that djb doesn't own?

IMHO, Bind 9 hasn't seemed too bad. It is actually a complete rewrite and
they took their time to make it. Since it is running all of the biggest name
servers on the net, I think they are finally taking it seriously. Especially
since they were paid to make sure that it should be secure.

===

To: redhat-list@redhat.com
From: Jason Costomiris <jcostom@jasons.org>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 09:52:59 -0500

On Thu, Nov 29, 2001 at 03:48:32AM -0500, Brian Ashe wrote:
: KM> postfix instead of sendmail
: 
: Sendmail is the most common mail server available. There is no lack of
: documentation. It has also been doing "better" than in the past. Postfix
: also just had a significant DoS against it as well and with its increasing
: popularity, it may soon see more action on that front. Though I like it, I
: still tend to stick with Sendmail.

Yes, there was a DoS against Postfix, but Wietse had a patch to go along
with his announcement.  Also, DoS != root compromise.  How many times do
you need to see sendmail-induced root compromises (many even remote!)?

: Postfix also is not GPL. It is under the IBM Public License. If you read it,
: you could see that there are certain provisions for commercial distribution.
: While they wouldn't stop you from distributing it, there are some interesting
: clauses that lawyers may be able to use against someone. Though I would not
: know how chancy that is, RH (and others) may have lawyers that recommend
: against it.

The IBMPL is OSI-approved.  Presumably, they have lawyers that look over
licenses before agreeing that they are acceptable OSS licenses.

: I agree here completely. It is GPL. It is easier to configure. And WU has
: just never gotten this thing right. Mandrake Linux has started shipping this
: as the default. I hope RH follows that one.

Agreed.  Another player on the scene is vsftpd (vs stands for Very Secure).
It's small, fast, and very tight code.  GPLv2 also.

: Plus when was the last time you saw M$ get hurt by including insecure
: software? It also works for Linux sometimes (like wu-ftpd, sendmail, etc.).

Umm...  Maybe you haven't been paying that much attention to the news
recently?  CodeRed?  CodeRed-II?  Nimda?  Others?  Perhaps you haven't
noticed the tons of analysts and columnists advising people to look 
elsewhere?

It's a shame these efforts to guide the public elsewhere via widespread
mainstream journalism are so new.  We can't yet measure the effects it will
have.  My guess?  Since a number of those making suggestions are analysts
for firms like Gartner, Forrester, etc., we'll be seeing results.  Think
about how many IT organizations hang on every word from analysts - it's 
a LOT.

===

To: Jason Costomiris <redhat-list@redhat.com>
From: Brian Ashe <brian@dee-web.com>
Subject: Re[2]: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 13:10:10 -0500

Hi Jason,

On Thursday, November 29, 2001, 9:52:59 AM, you babbled something about:

JC> On Thu, Nov 29, 2001 at 03:48:32AM -0500, Brian Ashe wrote:
JC> : KM> postfix instead of sendmail
JC> : 
JC> : Sendmail is the most common mail server available. There is no lack of
JC> : documentation. It has also been doing "better" than in the past. Postfix
JC> : also just had a significant DoS against it as well and with its increasing
JC> : popularity, it may soon see more action on that front. Though I like it, I
JC> : still tend to stick with Sendmail.

JC> Yes, there was a DoS against Postfix, but Wietse had a patch to go along
JC> with his announcement.  Also, DoS != root compromise.  How many times do
JC> you need to see sendmail-induced root compromises (many even remote!)?

I am quite aware of that. But, it proves that it is not the ultimate in
programming as so many claim. I think it is excellent software, but if there
are flaws in one place, should I assume that there can be no others?

I would never recommend against using Postfix, but in the time it took
Postfix to mature, Sendmail has done better than it used to. Trust me I was
always quite frustrated with the frequent updates for root compromises. But
upgrading was always easy enough (rpm -Uvh sendmail*.rpm) and since I pay
attention, it put me at less risk.

JC> : Postfix also is not GPL. It is under the IBM Public License. If you read it,
JC> : you could see that there are certain provisions for commercial distribution.
JC> : While they wouldn't stop you from distributing it, there are some interesting
JC> : clauses that lawyers may be able to use against someone. Though I would not
JC> : know how chancy that is, RH (and others) may have lawyers that recommend
JC> : against it.

JC> The IBMPL is OSI-approved.  Presumably, they have lawyers that look over
JC> licenses before agreeing that they are acceptable OSS licenses.

Yes, but if you've read it, you would see that it is much more Debian
friendly than RH, etc. friendly. The OSI rarely concerns itself with what
legal liabilities a _commercial_ distribution might face for using a
particular product in their distro.

JC> : Plus when was the last time you saw M$ get hurt by including insecure
JC> : software? It also works for Linux sometimes (like wu-ftpd, sendmail, etc.).

JC> Umm...  Maybe you haven't been paying that much attention to the news
JC> recently?  CodeRed?  CodeRed-II?  Nimda?  Others?  Perhaps you haven't
JC> noticed the tons of analysts and columnists advising people to look 
JC> elsewhere?

Have you been sitting at a table with the CFO, CEO, etc. of a
company and tried to use those reports to sell them on Linux? They get an
"Oh.", and that's about it. When the mindset changes in the top brass, they
may have more impact, but until then those reports only can put people over
the top if they were already on the edge (usually from the OS crashing).

JC> It's a shame these efforts to guide the public elsewhere via widespread
JC> mainstream journalism are so new.  We can't yet measure the effects it will
JC> have.  My guess?  Since a number of those making suggestions are analysts
JC> for firms like Gartner, Forrester, etc., we'll be seeing results.  Think
JC> about how many IT organizations hang on every word from analysts - it's 
JC> a LOT.

Yes, but the IT guys make few of the decisions (at least in most of the
companies I've had to deal with). They can make recommendations, but often
get ignored if the salespeople that come in are really good. And M$
salespeople are REALLY good at what they do.

Do you know how many times I've had to hear, "No, we don't want to use
Linux, we only want to use a real OS like Microsoft."

XP has done more for getting people to take a look than all the bugs M$ has
ever produced.

===

To: redhat-list@redhat.com
From: teg@redhat.com (Trond Eivind Glomsrød)
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: 29 Nov 2001 13:45:31 -0500

Kevin MacNeil <kevin_macneil@yahoo.ca> writes:

> I just came across the latest remote root exploit for wu-ftp, which I
> dutifully installed on the small server I maintain.  It's too bad
> redhat released the patch early, but accidents happen and there's
> nothing to be done about it now.
> 
> That aside, I am wondering why the major distributions stick with
> software like wu-ftpd, which have such poor security records, when
> better alternatives exist, e.g.:
> 
> postfix instead of sendmail
> proftpd instead of wu-ftpd

proftpd isn't any better than wu-ftpd security-wise - vsftpd is, but
doesn't have all the features yet (virtual hosting missed a lot). 

===

To: redhat-list@redhat.com
From: Kevin MacNeil <kevin_macneil@yahoo.ca>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 15:15:18 -0330

On Thu, Nov 29, 2001 at 03:48:32AM -0500, Brian Ashe wrote:
 
> KM> postfix instead of sendmail
> 
> Postfix also is not GPL. It is under the IBM Public License. If you
> read it, you could see that there are certain provisions for
> commercial distribution. While they wouldn't stop you from
> distributing it, there are some interesting clauses that lawyers may
> be able to use against someone. Though I would not know how chancy
> that is, RH (and others) may have lawyers that recommend against it.
 
Interesting.  I didn't know postfix wasn't GPL.  I suggested it because
everyone would be better off if the configuration system of such an
important service as mail was comprehensible by ordinary mortals, and
if it were more secure by default.  But yes, it should be GPL as well. 
Exim is GPL, and O'Reilly just released a comprehensive manual for it. 
What about that then?

My basic point was that much trouble could be avoided by using the best
available software, rather than the status quo.  Redhat has done this
in the past even when some pain has been involved, such as when it
dumped inetd for xinetd.  So why not get rid of sendmail and wu-ftpd?

===

To: redhat-list@redhat.com
From: Jason Costomiris <jcostom@jasons.org>
Subject: Re: should redhat dump wu-ftpd, sendmail?
Date: Thu, 29 Nov 2001 19:39:04 -0500

On Thu, Nov 29, 2001 at 01:10:10PM -0500, Brian Ashe wrote:
: I am quite aware of that. But, it proves that it is not the ultimate in
: programming as so many claim. I think it is excellent software, but if there
: are flaws in one place, should I assume that there can be no others?

And sendmail is free of flaws?  Did Eric Allman just send you a pizza or
something? :-)

: I would never recommend against using Postfix, but in the time it took
: Postfix to mature, Sendmail has done better than it used to. Trust me I was
: always quite frustrated with the frequent updates for root compromises. But
: upgrading was always easy enough (rpm -Uvh sendmail*.rpm) and since I pay
: attention, it put me at less risk.

For me, it's:

rpm -e --nodeps sendmail sendmail-cf
rpm -ivh postfix......  (right after I build postfix from SRPM)

Easy to install, easy to upgrade...

: Yes, but if you've read it, you would see that it is much more Debian
: friendly than RH, etc. friendly. The OSI rarely concerns itself with what
: legal liabilities a _commercial_ distribution might face for using a
: particular product in their distro.

You can purchase "official" Debian CDs too.  The distributions are, IMHO,
equivalent.  You can download the software, you can download ISOs, you 
can pay for "unofficial" copies, or you can pay for "official" copies of
each.

: Have you been sitting at a table with the CFO, CEO, etc. of a
: company and tried to use those reports to sell them on Linux? They get an
: "Oh.", and that's about it. When the mindset changes in the top brass, they
: may have more impact, but until then those reports only can put people over
: the top if they were already on the edge (usually from the OS crashing).

The company officials that I've spoken to must be very different from the
ones you've seen.  The ones I've seen are concerned about why they are
experiencing downtime and how to abate the condition.  The conversation 
usually goes something like this:

	Why is our web server down?  I've been trying to use it all morning.

	Our web server uses Microsoft's IIS.  It's vulnerable to the security
	problems you've been seeing on the news.  Operations staff hasn't
	been 100% up to date on security patches, so we got hit.

	....fast forward ahead a couple of server-crippling worms later...

	Why are we down again?

	We're still using Microsoft IIS.

	That software seems to have a lot of problems.  Is there anything you can
	do?

	I recommend we stop using software that's as bug-ridden as IIS.

	Ok, get a plan together and do it.

Maybe you're just not convincing enough... ;-)

: Yes, but the IT guys make few of the decisions (at least in most of the
: companies I've had to deal with). They can make recommendations, but often
: get ignored if the salespeople that come in are really good. And M$
: salespeople are REALLY good at what they do.

You're absolutely right - it's not the IT guy, it's his boss' boss that 
does.  *THAT* is the guy who lives and dies by those analyst reports.

===

To: redhat-list@redhat.com
From: Joe Brenner <doom@kzsu.stanford.edu>
Subject: Re: should redhat dump wu-ftpd, sendmail? 
Date: Thu, 29 Nov 2001 17:30:13 -0800

Jason Costomiris <jcostom@jasons.org> wrote:

> On Thu, Nov 29, 2001 at 01:10:10PM -0500, Brian Ashe wrote:

> : Yes, but if you've read it [the postfix license], you
> : would see that it is much more Debian friendly than RH,
> : etc. friendly. The OSI rarely concerns itself with what
> : legal liabilities a _commercial_ distribution might face
> : for using a particular product in their distro.

> You can purchase "official" Debian CDs too.  The distributions are, IMHO,
> equivalent.  You can download the software, you can download ISOs, you 
> can pay for "unofficial" copies, or you can pay for "official" copies of
> each.

Also, postfix is the standard mailer for the Mandrake
distro. 

The opinion that the OSI is unconcerned with the needs of
commercial users of open source software sounds very
peculiar.

The OSI still has the "IBM Public License Version 1.0" 
up on its list of open source licences: 

   http://www.opensource.org/licenses/ibmpl.html

And looking at the text, it sounds a lot like an open source
license to me:

    2. GRANT OF RIGHTS

    a. Subject to the terms of this Agreement, each
    Contributor hereby grants Recipient a non-exclusive,
    worldwide, royalty-free copyright license to reproduce,
    prepare derivative works of, publicly display, publicly
    perform, distribute and sublicense the Contribution of
    such Contributor, if any, and such derivative works, in
    source code and object code form.

The bulk of the text seems to be an exercise in paranoia
about protecting the guys writing code from any legal 
attacks.  In the only place where commercial distros are
mentioned, it's essentially just saying that the code
authors aren't responsible for any advertising claims the
distro makes.

(And I see that gnu.org concurs that it's a free software
license, albeit with some incompatibilities with the GPL).


===
