"David Phillips" <david at acz.org>  wrote:
> Consider this:  qmail, one of the most widely deployed MTAs, has never
> had a security hole.  It was first released in January of 1996.

Hmm...  I searched the iss.net[1] site and came up with a few "not quite
a security bug in qmail" results.  DJB excludes DOS attacks from his
idea of a "security bug" with a fairly reasonable explanation[2].
All in all, qmail has performed well throughout its history wrt
security.  Too bad DJB can't relax his distribution restrictions, but
that's getting off topic.

You know, I find myself agreeing with David (wow!) in regards to secure
programming.  It's a methodology that programmers follow.  Any language
has its security risks, some more than others.  If the programmer uses
the correct methodology and approach to writing software, security
problems are often mitigated before they have a chance to be
distributed.  Often is the key word here.  The most conscientious
programmer can still slip up occasionally; we are fallible.

That being said, as an end-user of software, you should be wary of that
which you run on your systems.  No one can escape the need to be
security conscious.  Use the best software for your problem set; keep up
to date on security bulletins and software updates; and monitor your
operating environment.

References
==========
1. http://www.iss.net/security_center/search.php?type=2&pattern=qmail&Submit=Search
2. http://cr.yp.to/qmail/guarantee.html
-- 
Chad Walstrom <chewie at wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list