Subject: Re: Postfix
To: Thor Lancelot Simon <>
From: Pete Naylor <>
List: current-users
Date: 08/17/2000 13:11:21
Thor Lancelot Simon wrote...

> On Tue, Aug 15, 2000 at 12:34:44PM -0700, Pete Naylor wrote:
> > 
> > Thor Lancelot Simon wrote...
> > 
> > > > (as you can
> > > > tell, I'm not of the opinion that more daemons equates to more security).
> > > 
> > > Improved modularity of code generally leads to more security when it
> > > assists in isolating and minimizing security-critical sections. 
> > 
> > That's a nice theory.
> One which is adhered to by most of the most eminent experts in the field.

Oh, how interesting.

> If you want to convince me otherwise, you won't do so by snipping my
> discussion of the difficulty of analyzing security-critical sections so
> that you can detetmine whether or not a program as a whole is secure.  No
> isolation of such sections means that the program essentially can't be
> analyzed, and you lose.

I honestly have no idea what you're waffling about.  I never doubted the
theory, just your interpretation of it and the silly way in which you
twisted it to justify swapping out a tried and tested tool in the
distribution with a unfamiliar beta software.

Modular code which is easy to review for security problems does not
necessarily have to compile into a large number of binaries in order to
remain "secure".  While postfix might be secure, I'm not convinced that
the real security concerns it addresses were dealt with by compiling into
a dozen separate daemons - they should certainly have been dealt with by
keeping the security critical sections of code in separate source files
where they are easy to review.

> I'm also not inclined to listen to you because:

Because I disagree.  Please don't try to claim otherwise.

> A) You're obviously raving.  If you were a little less hopping-up-and-down
>    mad about this issue, your point might get across better.  I am not
>    inclined to waste more time discussing this with you if you are interested
>    solely in characterizing decisions which were actually made after quite a
>    bit of discussion among the developers as "the selfish desires of a few
>    Postfix fans".

I've tried asking the question simply and quietly and got ignored.  Next I
tried voicing my concerns a little more directly, and the response I got
back was essentially "we like postfix, and we think everybody else should
too".  Nobody has given any sound justification for this change.  If I
seem a little mad about this, it's because I am.  I've been using NetBSD
for a long time, and I really like it because I regard it as a steady and
reliable option which I can always come back to for an OS which is not
bloated or cruftified by software which tries to win the feature wars by
including trendy software of the day.  I really don't appreciate that a
few people have apparently chosen to change that for me and all the other
NetBSD users - unwilling to discuss the issue or provide and real

> B) You *entirely* miss the point of the licensing issue -- we do our very
>    best to ensure that binary-only NetBSD systems can be built, run, and
>    be useful with no, or a minimum, of code that requires source disclosure.
>    By and large, we succeed at this goal -- most GPL'ed code is confined to
>    the toolchain, and those shipping embedded systems don't usually need to
>    put a compiler on every customer's box, for example.

No, I don't miss the point of the licensing issue.  As far as I'm
concerned, continuing to include sendmail does not represent any real
affront to the policies of the NetBSD project.  Further, the postfix
license is not any closer to ideal in that regard.  This just is _not_ a
valid reason for breaking a tool that many people have come to rely on as
a standard part of the distribution.

> C) You're presuming to lecture me about security

Uh - as I recall, you started the lecturing with more than a little bit of
arrogance - something that's continued here quite evidently.

>    when you evidently don't
>    even know that OpenSSH *is* one of the direct descendants of the Ylonen
>    SSH code, and that it's overall structure remains almost exactly the same.

Yes, I did know that, actually.  Since it's the only open source
alternative I'm aware of, and it is presumably becoming more distant from
its roots over time, that seemed like a reasonable alternative to suggest.
The point (which you seem to have missed) is that there are alternatives
available, and people can pick and choose as they wish.  Same is true of
MTAs, though it seems that some people presume to know what's best for all
NetBSD users in that respect.  Long ago, when sendmail became the defacto
standard MTA, there were fewer alternatives, but it's still a pity that it
gained that status because in later years people failed to update it and
that caused major headaches.  I'd sooner leave that one problem as it is
(instead of pushing another defacto standard aka "mistake") and let people
continue to work with the tools they are familiar with unless they choose
to use an alternative which they prefer.

Pete Naylor