How to Write Software with Zero bugs – 25 years after qmail 1.0 – D. Bernstein [pdf]

34 points by bykhun, almost 2 years ago

9 comments

hdmoore, almost 2 years ago
Erm, qmail had lots of bugs[1], when compiled for 64-bit processors (lots of integer overflows), but djb pushed back and said 64-bit wasn't supported. If anything, qmail is known as the most annoying MTA to package, since no modifications to the source are permitted, and the application has to be built using a massive patch tree instead. The quirky management daemons required to run qmail were also obnoxious and at odds with everything else on the system.

Salient quote below:

> In May 2005, Georgi Guninski published "64 bit qmail fun", three vulnerabilities in qmail (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515):

[snip]

> Surprisingly, we re-discovered these vulnerabilities during a recent qmail audit; they have never been fixed because, as stated by qmail's author Daniel J. Bernstein (in https://cr.yp.to/qmail/guarantee.html):

>> "This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits."

1. https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

edit: added quote from referenced url
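Added example, not part of the thread and not qmail source code: a minimal C sketch of the failure class the comment above refers to, where lengths are assumed to fit in 32 bits but inputs can exceed that on a 64-bit build. All function names and values are hypothetical and constructed for illustration; each unchecked form sits beside a checked one.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical buffer bookkeeping written for this example; not qmail source.
   Lengths are kept in 32 bits, matching the assumption quoted above. */

/* Unchecked: a 64-bit input length is silently truncated to 32 bits. */
uint32_t record_len_unchecked(uint64_t input_len)
{
    return (uint32_t)input_len;
}

/* Checked: returns 0 and refuses when the length does not fit in 32 bits. */
int record_len_checked(uint64_t input_len, uint32_t *out)
{
    if (input_len > UINT32_MAX)
        return 0;
    *out = (uint32_t)input_len;
    return 1;
}

/* Unchecked: "does len + n fit in cap?" is computed modulo 2^32. */
int fits_unchecked(uint32_t len, uint32_t n, uint32_t cap)
{
    return (uint32_t)(len + n) <= cap;
}

/* Checked: compare n against the remaining space, which cannot wrap. */
int fits_checked(uint32_t len, uint32_t n, uint32_t cap)
{
    return len <= cap && n <= cap - len;
}

int main(void)
{
    uint32_t stored = 0;
    /* Constructed values: a 4 GiB + 8 byte input, and a 64-byte buffer
       that already holds 16 bytes. */
    printf("truncated length: %u\n", (unsigned)record_len_unchecked(0x100000008ULL));
    printf("checked accepts:  %d\n", record_len_checked(0x100000008ULL, &stored));
    printf("unchecked fits:   %d\n", fits_unchecked(16, 0xFFFFFFF8u, 64));
    printf("checked fits:     %d\n", fits_checked(16, 0xFFFFFFF8u, 64));
    return 0;
}
```

The unchecked functions report a small length and a successful fit for inputs that are far larger than the buffer, which is why a per-process memory limit or explicit range checks matter when such code is built for 64-bit targets.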
kens, almost 2 years ago
The title of the actual paper is "Some thoughts on security after ten years of qmail 1.0". The post currently has the made-up title "How to Write Software with Zero bugs – 25 years after qmail 1.0 – D. Bernstein [pdf]".
jongjong, almost 2 years ago
I agree with the argument about reducing lines of code. Whenever I write code, I spend quite a bit of time thinking about different ways of implementing it before I start coding and the most important characteristic I look for in a solution is succinctness.

Correct code is easy to read because it's close to its theoretical minimum size. It reminds me of the quote "Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away."
gerdesj, almost 2 years ago
I ran several Qmail systems. Daemontools worked rather well. They had a habit of delivering email reliably. "Life with Qmail" was a very decent primer.

I also ran several other mail systems at the same time (and still do). Exchange's smtpd is still a bit of a pain and I never put it on the internet directly.

Nowadays (last 15 years) I use Exim for an MTA/proxy - at home and at work.
lockhouse, almost 2 years ago
Why is this flagged? This is one of the few posts that are actually on topic for HN.
latenightcoding, almost 2 years ago
Classic paper but what the hell is this title.
daneel_w, almost 2 years ago
Does anyone know how qmail has fared since this PDF was written in 2007? Did it make it to 2023 without any bugs surfacing?
technick, almost 2 years ago
I have PTSD from listening to my friends complain about qmail back in the early 2000's.
johnea, almost 2 years ago
Good to see the DJBway here.

So much could be learned in modern *nix distributions from this philosophy...