On 3/23/06, Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
Sendmail is, as we know, the most used daemon for SMTP in the world. This
is an International Infrastructure vulnerability and should have been
treated that way. It wasn't. It was handled not only poorly, but
irresponsibly.
You would probably expect me to the be last person to say that Sendmail
is perfectly within their rights. I have had a lot of problems with
what they are doing.
I think people expect you to be as you are.
But what did you pay for Sendmail? Was it a dollar, or was it more? Let
me guess. It was much less than a dollar. I bet you paid nothing.
So does anyone owe you anything, let alone a particular process which
you demand with such length?
Now, the same holds true with OpenSSH. I'll tell you what. If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
noone has ever paid a cent for it's development they have nothing they
can say about it.
Dear non-paying user -- please remember your place.
I seem to recall that DARPA funded a good bit of your work. I also
seem to recall that I and many others funded DARPA. Kindly submit to
the will of us all.
Or run something else.
OK?
Or simply cut off funding. The game can be played both ways.
Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence. Then you can pay for it,
and then you can complain too.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Purple Bag
Society of the Crown
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
