Robert Huff wrote:
> Chuck Swiger writes:
[ ... ]
> Would you care to nominate an inherently network-accessible
> program with such a track record? For example: 5.2.1 was released
> in late February; there are currently 12 security advisories*, of
> which I would consider at least 5 to be part of the core system.
> (As opposed to things in the base system, like BIND.)
"In March 1997, I offered $500 to the first person to publish a verifiable
security hole in the latest version of qmail: for example, a way for a user to
exploit qmail to take over another account.
My offer still stands. Nobody has found any security holes in qmail."
Note that the author has chosen to view this guarantee as applicable to
remotely exploitable holes resulting in being able to run programs as some
user, rather than denial-of-service exploits (say, filling up the drive due to
a mailbomb), and that there have been security issues with commonly used
patches to qmail. Then again, anything which uses SSL (ie, qmail+TLS) has
been vulnerable to the horde of OpenSSL issues...
People who think that installing qmail today are likely to not be hacked due
to a security hole in qmail over the next two years do indeed have some reason
for their belief.