Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALx_OUDHZ3d9few45oqj9WTw4vEj47LF-AiJBX3GnCVHYjyAyw@mail.gmail.com>
Date: Fri, 22 May 2020 05:54:43 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Short notes on qmail security guarantee

>> djb's main argument is that nobody gives a lot of memory
>> to qmail-smtpd (and as djb might missed to all other
>> qmail- components).
>
> The Qualys advisory quotes DJB saying "I run each qmail service under
> softlimit -m12345678", so apparently he did not miss that for his own
> use.  The issue is what recommendation was (not) provided publicly.

I think that's an extremely charitable way of looking at it; it's
perfectly OK to develop software where the security properties of the
code hinge on some non-standard constraints, but then it's
affirmatively on the developer to confirm at runtime that these
constraints are in place. I.e., setrlimit() or test and abort...

Otherwise, you really don't get to blame others, whether there is a
cautionary footnote on page 15 of the README or not.

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.