On Thu, 23 Mar 2006, Theo de Raadt wrote:
Sendmail is, as we know, the most used daemon for SMTP in the world. This
is an International Infrastructure vulnerability and should have been
treated that way. It wasn't. It was handled not only poorly, but
irresponsibly.
You would probably expect me to the be last person to say that Sendmail
is perfectly within their rights. I have had a lot of problems with
what they are doing.
But what did you pay for Sendmail? Was it a dollar, or was it more? Let
me guess. It was much less than a dollar. I bet you paid nothing.
So does anyone owe you anything, let alone a particular process which
you demand with such length?
So you are basically saying open source free software can't be trusted to
hold high standards or be reliable or secure if I don't pay for it?
Now, the same holds true with OpenSSH. I'll tell you what. If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
noone has ever paid a cent for it's development they have nothing they
can say about it.
Dear non-paying user -- please remember your place.
Or run something else.
OK?
Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence. Then you can pay for it,
and then you can complain too.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
