Slashdot Mirror

...which I don't really think now occur in sendmail at a higher rate than some other infrastructure bloatware. People are sometimes very slow to upgrade from very old versions, when problems were more common. For whatever reason (I lean toward complexity of administration), I see this a lot more often with mail systems than other infrastructure plumbing.

But here's a bit of irony: the ACMQueue article would seem to indicate that Allman believes in transparency. OK, the sendmail security page lives at:
http://www.sendmail.com/security/

But you have to know that, find it via Google, or just guess. When the page loads, you'll find a pagetop navigation bug at the Resources secion. But pull open the Resources section, and you find no link to it. Nor will you see it from the site map.

My overall take is that if you already know the ins and outs of sendmail admin (and other bits that it may be talking to, such as LDAP) you're running software which carries no greater than mainstream risk.

That said--this is complex software, and complexity is the enemy of security. If you're planning a new installation (particularly a small installation), and don't need all of sendmail's features, you should consider possible alternatives offerred by your Unix/Linux vendor.

As everyone who follows the Slackware changelog, new packages were available yesterday. It seems there is still no exploit for this flaw, and it's somehow hard to exploit. That's the impression I got from the changelog entry. I'll paste it here:

n/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6.
              This new version of sendmail contains a fix for a security problem
              discovered by Mark Dowd of ISS X-Force. From sendmail's advisory:
              Sendmail was notified by security researchers at ISS that, under some
              specific timing conditions, this vulnerability may permit a specifically
              crafted attack to take over the sendmail MTA process, allowing remote
              attackers to execute commands and run arbitrary programs on the system
              running the MTA, affecting email delivery, or tampering with other
              programs and data on this system. Sendmail is not aware of any public
              exploit code for this vulnerability. This connection-oriented
              vulnerability does not occur in the normal course of sending and
              receiving email. It is only triggered when specific conditions are
              created through SMTP connection layer commands.
              Sendmail's complete advisory may be found here:
              http://www.sendmail.com/company/advisory/index.sht ml
              The CVE entry for this issue may be found here:
              http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2006-0058
              (* Security fix *)

Take a look at Sendmail.org and Sendmail.com - one corporate and one OSS.

sendmail
bind
BSD (FreeBSD)

come back when you have a point to make.

I couldn't agree with this more. We did a startup in 2001 and kept a web presence up and running the whole time. The primary things we agreed would always be available:

• A technology overview. The things we were working on for technology.
• A blog for each of the principals. Not that we always updated it, but we tried.
• Resumes for each of the principals.
• Some amount of changing content on the front page. In our case we had company news, security news and virus outbreaks.
• Technical notes. These were observations on technology longer than a blog entry. We did some nontrivial analysis of various Java technologies that ended up in here.
• Downloads. We maintained a few free utilities for people to download that showcased some of our technology.

Based on this web presence, we were contacted several times with various offers, ultimately selling the technology to Sendmail, Inc. and taking full-time positions there working on the code. Now the product (Mailstream Manager) is going gangbusters under the Sendmail flag.

This is the second time we've done this kind of deal. The first time was pre-Google in 1996, so it was more of a "loud startup with good industry networking" since you couldn't STFW as effectively in those days ;). This technology is still in use today in products from Tumbleweed Communications.

Getting back to this "Do Stealth Startups Suck?" theme -- our personal perspective is that if it's so cool that you have to keep it a secret, then it isn't very cool at all. If you can't maintain an edge even if the other guy knows exactly what you're doing, then you don't have an edge. We call this the "True Lies" approach -- at the end of True Lies, Schwarzenegger explains exactly his plan for escaping from the guy who's gonna torture him, and despite the fact that the guy knows the exact plan, Schwarzenegger is able to execute it and escape.

The reason this is so important is that if all the source is openly available, nobody can make it go away. It's essential to avoid "drug dealer marketing" - the first one is free, but then it's going to cost you. There have been too many products that started out "open", and then started to cost money once they had users locked in.

The typical progression for psuedo-free software is

• The product is free for download. A user community emerges.
• A new version comes out, with modest restrictions and price, and the free version is deprecated.
• The free version disappears.
• The price goes up, and copy protection is added.
• Market share declines.

Examples are Intellicad, Sendmail, and QNX

Sendmail has a commercial product with a bunch of features for people who like that sort of thing.

Course their pricing is off the wall.
I couldnt believe the FUD their sales skunks were telling the windows fools in my previous job.

I convinced the company to save the $Kash and we went with the standby from sendmail.org.

LOL.

Here, have a clue on the house. The people who run sendmail.com? It's CTO is the original author of sendmail. How's that for making money writing open source software?

As for redhat, are you saying that having someone who knows how to make 50 software packages work together across 2000 seats in an enterprise situation isn't worth the price of admission to Red Hat Enterprise? Do they need to have written all that software themselves in order to make money off of it? Apparently not, or they'd be out of business.

Not to mention you're completely overlooking the fact that they wrote rpm and dozens of other tools that make their job as support as well as the actual administrators' jobs that much easier.

Sendmail Inc. http://www.sendmail.com/ is a commercial company that provides an open source Sender-ID (sid-milter) http://www.sendmail.net/ for Sendmail and provides Sendmail source code to the Sendmail Consortium http://www.sendmail.org/. The Sendmail Consortium maintains the open source version of Sendmail (from source code provided by Sendmail Inc.) and does not support Sendmail sid-milter. Guess which Sendmail entity (.com or .org) wins any arguments?

Otherwise, I run my own mail server with blacklists and SPAM filtering, further filtering with my mail client, leaving me very few junk mail messages to actually deal with. As far as I know, no false positives have been lost. The server ignores suspected servers, andthe spam filter throws away any high-scoring mail, leaving low-scoring spam for the mail client to handle, which gives me a chance to find mail I would want to keep (very, very, rare), tossing the rest in the trash can so I can peruse them.

I have a web mail client, too, so I can check in from anywhere I can't fire up my client or shell in.

Also, I don't worry about space. I'm casual (OK, lazy) about deleting mail, and after several years of not deleting what should probably be deleted I've only accumulated a couple hundred MB of crap. (Yes, it's sorted automatically into folders by sender or content.) That includes old "let's have lunch" announcements as well as mail with large attachements. The server's got another 50GB of space on it (slowly being eaten by web server and mail logs), so I'm not too worried about running out any time soon.

1 GB would suffice and give me another few years to fill up. Then I'd probably have to get rid of those lunch invites from 1998...

Am I the only person thinking that the real Sendmail guys may be interested in these crooks? I'm pretty sure Sendmails and Sendmail are close enough for a trademark infringement.

The word "alliance" does not appear in the linked article.

The article only states "Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."

The article on the Sendmail site says "By incorporating a selection of sender authentication technologies into these applications, Sendmail aims to significantly hasten the global adoption of mainstream authentication initiatives such as DomainKeys, recently introduced by Yahoo!, as well as proposals put forward by Microsoft and others."

A Sendmail press release, also released today, does mention the collaboration of Yahoo and Sendmail: "Sendmail, Inc., the global provider of electronic message management solutions and Yahoo! Inc. (Nasdaq: YHOO), a leading global Internet company, will begin testing the DomainKeys. cryptographic authentication solution in March 2004."

The word "alliance" does not appear in the linked article.

The article only states "Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."

The article on the Sendmail site says "By incorporating a selection of sender authentication technologies into these applications, Sendmail aims to significantly hasten the global adoption of mainstream authentication initiatives such as DomainKeys, recently introduced by Yahoo!, as well as proposals put forward by Microsoft and others."

A Sendmail press release, also released today, does mention the collaboration of Yahoo and Sendmail: "Sendmail, Inc., the global provider of electronic message management solutions and Yahoo! Inc. (Nasdaq: YHOO), a leading global Internet company, will begin testing the DomainKeys. cryptographic authentication solution in March 2004."

What sendmail announced today is working with Yahoo's idea of DomainKeys:

Sendmail announcement

If you read the article M$ has no involvement with Sendmails work on this, they are just a foot note. But if you go to the commercial Sendmail site it says that they are helping to build Yahoo's DomainKey system.

I didn't see anything about collaboration with Microsoft, either. If you go to sendmail.com, though, there's a story about Sendmail working with Yahoo's scheme.

Yahoo & sendmail cooperating

<Open-Source Software is more secure because there are more people reviewing it.

Pretty bad argument for business. "So our security, and my job, relies on what people do in their spare time?"

No... your security, and your job, relies on what people do on their jobs. People who work for:

IBM

Sun

HP

RedHat

Mandrake

SuSE

Sendmail, Inc.

...and many more companies that support OSS. There was a point in time where OSS was largely written and maintained by people in their spare time; these days, there are people who have jobs that revolve around developing, maintaining and improving OSS.

There's still crud out there, of course. Remember Sturgeon's law: 90% of everything is crud. This goes for both commercial and open source software. You should evaluate OSS the same way you evaluate commercial software: who wrote it, what's their reputation, does it have the features we need, how stable is it, etc.

You wouldn't judge Microsoft's capabilities based on the kind of software that Sun produced, would you? Then why would derive your opinion of Apache, Sendmail, Bind, Linux, XFree86, BSD, KDevelop, Gnome and the like based on the fact that some other, completely seperate OSS project isn't worth dreck?

Give me examples of companies which make money primarily by developing and selling open source software. Companies that derive most of their income by selling hardware don't count. Companies that derive most of their income selling support services for OSS don't count. Companies which sell open source software that others developed don't count. Show me companies that developed open source software and then made money selling the same software for which the source is freely available.

Sheesh, you don't ask for much, do you? Sure you don't want to add any more special conditions to that list? :-)

Trolltech is probably the best example, and should be well known to Slashdotters.

Sleepycat Software has been around for quite a while. Someone mentioned it above, but I notice you didn't mention it in your response.

Sendmail - whether you bless it or curse it, it's still the biggest mailserver on the Net. The sheer complexity of the product is probably a big factor in Sendmail Inc.'s success in selling "commercial" versions (for which they also provide support). And yes, the original developer of Sendmail (Eric Allman?) owns/runs Sendmail Inc.

Thought it may be with Sendmail that they make more money out of their support contracts. And if you are a troll (possibly even if you're not), your next move may be to add an extra condition along the lines of "Companies that charge for commercial licensing of their product don't count," which would rule out Trolltech and Sleepycat, as well as probably quite a few others that I can't remember right now.

Though I'd probably think that the Trolltech/Sleepycat business model is the best option for an open-source-software company. At least when you're talking about software libraries that potential customers can only use by linking to - thus invoking either the "free" license (usually GPL-like) or the "commercial" license.

Now if there were a GPL-like license that came into effect when you just used the software... something like that might open a wider scope for a company developing open-source software that could have both a commercial (ie. pay-for) and a "free" license. Hmmm. Interesting.

Pete.

Actually, it hasn't been that long. The latest security problems in sendmail were found in March.

Sendmail isn't awful - but some of its code is old, it's complicated, and it's richly-featured. All of these things contribute to an increased risk of bugs and vulnerabilities. In those respects, it's similar to some of those products by "that corporation," except that sendmail issues timely patches and the current developers, at least, care about security from the outset versus considering it as an afterthought.

And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?

My main sendmail config file is a whole 32 lines long and includes SMTP authentication methods, blacklists, load avg checks, privacy options and of course the delivery mechanism.

The only thing I don't have that I've been thinking about adding is LDAP support, but that's only another line in my conf file and modification to where all the db maps point to.

I have trouble sharing your confusion in configuring something that needs so few options in a typical setup.

So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?

Mmm, I would have thought being standard, mature and extremely flexible would be enough.

Just buy sendmail from sendmail.com if you don't know how to configure all those really advanced options like priority boosts for certain types of messages, different delivery paths based on if a message has attachments (virus scanners are too slow to handle all messages in big environments), quarantine of potential spam for manual review by administrators (very useful in companies), or manually tune outgoing queues to force sendmail to do MX lookups for up to 5 minutes 10 seconds before attempting to dequeue a message with more than 1000 addresses to reduce bandwidth usage (the same mail server handling multiple domains can send to two users using only one message body).

They give you a nice little GUI that makes everything nice and easy to configure. Not to mention a high availability solution and a stupidly high volume mail solution.

The only real way to learn about some open source projects, unless you are on the inside, is by buying a $50 book. For instance, Ted Husted's Struts book (struts is a java-based web application framework), recently reviewed here, is the only place to learn about certain of that project's features without spending a week or two in generate and test mode, in constant contact with email groups. Other projects are also this way (e.g., Tomcat, a java-based web application server). Arguably, apache itself has been this way for a while without officially saying so, and sendmail has been this way *officially* for years now.

The point made by sendmail is that they need a way to support development. People who are not willing to develop should pay those who are. I suppose the question is: "where does it stop?" Should the product be unusable without the paid for help. Maybe that's a spot where it would be good to establish some open source standards of minimal usability that is expected without pay.

The best protection is install the antivirus in the server. Most antivirus apps can run in linux.

amavis
will call the antivirus from postfix ,sendmail and others.

viralator
scan the files downloaded with the web proxy squid

Both are worth install.

I do not think a lot of the developers are going to take the time to answer a RFP in the depth that most software vendors or VARS would.

Open source people are not going to be paid for a "sale" were as the normal software vendors are competing for some money if they can make a sale.

He sends them a large bill - $15,000 - for his services, and someone in the Accounts Payable department says the bill is too expensive for what he did, and needs to be itemized. So he itemized his charges:

• Making chalk mark, $1.
• Knowing where to put mark, $14,999.

One can sell one's expertise in selecting software as much as one can sell one's expertise in creating it. Or one can sell other things. We sometimes miss this in our industry because it is extremely rare for someone other than the manufacturer of a software product to provide maintenance and support of it. But because a product is open source, a purchaser can find anyone who is capable of doing so to provide maintenance.

In about 50 miles I need to change the oil again in my 1998 Dodge Intrepid because it's been another 3,000 miles. I can do the work myself and perhaps save money, I can pay a third-party perhaps $12 to do it, or I can pay a little more, take it to a dealer of the car to do it. It's a commodity operation and I can get anyone I feel qualified to perform it.

With non-open-source you only have the last option when you need something done (if they even will do it; consider calling up Microsoft and asking for a customized change to Outlook. Better be prepared to either be a huge customer, pay a huge fee, or suck air). With open-source you can get your hands as dirty as you want or you can pay someone else if you don't feel competent (or your organization doesn't have the direct ability) to make the changes. You have choices.

An RFP has some type of reward (sale) possible to the winner for them to spend time on responding to it.

A RFP is a request for proposal - A proposal for what? A proposal is a first step toward a contract. A contract with who? Who will get paid? I do not think a RFP process will get you very far.

For an open source product the cost of the software will be zero.

What is the cost of water these days? I can get it for free from a water fountain, perhaps pay almost nothing for a quart of water out of the tap, perhaps pay $20 for a filter every couple of months if I don't like the taste of tap water, or perhaps pay anywhere from 50c to $3 for a bottle of it in a store. That does not ignore the fact that the original price of the water was probably in the neighborhood of 1/10 of 1c per gallon from a public utility or a municipal water district. For all intents and purposes the original price of the water might as well be considered 'free' yet that doesn't stop companies from making money 'selling' water that cost them next to nothing to obtain.

Perhaps the customer pays for having the supplier provide and deliver 20,000 CDs of the software to sites so everyone has a copy instead of clogging network usage downloading it from servers. Or pays for a customized installer where the original product didn't have one or it's too complicated. Or pays for special services to go with it, like paying not only for the software but having someone write documentation. Or train people in how to use it. Or train their technical staff in how to support it. Or doing the support themselves. Or that the customer pays the supplier for finding the precise package that best fits their needs because the supplier knows what products are better for their particular circumstances.

Support and maintenance I guess would be in-house.

Let's say the Sixth National Bank wants to stop paying for Microsoft Exchange as their mail server and client licenses for Microsoft Outlook. I offer to provide them with an equivalent functionality using a Linux box running QMail (let's say that they want a highly reliable e-mail system so that eliminates use of Sendmail) and include for the client end some Windows port of an open-source client or group of clients that originally ran on KDE or GNOME, for less money than it would cost to have one person at the bank to maintain it because the maintenance I can offer on an as-needed basis to several companies.

The bank has people who could do the work inhouse but they are better suited handling the stuff that is the bank's core expertise (handling checking accounts and the billing of outrageous fees on those checking accounts), and the bank can pay me to provide them with updates and added functionality without having to have people doing work that isn't part of their core competency, BUT with the additional advantage that since the product is open source if I decide to quit, they can find someone else to do it or they could do it themselves if they choose to do so.

What's left then is comparison of different capabilities. This becomes a request for comments now (RFC).

A suggestion change here. Maybe send a RFP to consulting firms on helping you with project(s). A selected firm could help in gathering requirements, research products, help in the installation and maintenance ... If you trying to spend money anyways. :)

Paul Robinson <Postmaster@paul.washington.dc.us>

Nitpick, Sendmail has a large commercial side. And numerous companies have commercial offerings "below" (RedHat Linux) or "from" (commercial webservers based on Apache) a project that kick back varying degrees of support to the open source development.

Emeryville, Calif. - August 27, 2001 - Sendmail, Inc., a leading provider of Internet messaging solutions, announced today the immediate availability of its complete line of products for Linux on the IBM mainframe. Sendmail Switch, Sendmail Advanced Message Server and Sendmail Mobile Message Server ...

I've gone through this situation in several discussions for mid- and large-scale operations. Your answer will somewhat depend on how much money, time, and work you want to put into this system, with the usual tradeoff of ( more dollars ) = ( less ( time + effort ) ).

For a free solution, I've found that a sendmail-based solution works quite nicely on Solaris. We ran some internal mailservers with a combination of sendmail for smtp, qpopper for pop3, apache and php for web access, and ActiveState PerlMx for mail filtering. There are many passable imapd programs that would fulfill your IMAP requirement, among other things, cyrus imapd

Don't be fooled, though; this took some elbow grease, and a little tweaking with sendmail and qpopper (mostly for the remote-administration bit; you don't want all of your customers in /etc/passwd on your server!)

If you'd prefer to just lay down a little cash to get a working solution out the door, Openwave has a very reasonable email platform or two. It seems like it supports everything you're looking for, above.

Also, don't forget that Sendmail, Inc. creates some very sophisticated sendmail-based products; it looks like Advanced Message Server may have all of the solutions you're looking for.

Speaking as somebody who works for one of iPlanet's competitors (Sendmail), I've come across several people who have installed it and none of them seem to like it very much.

For groupware, the only real competitor to Exchange is Lotus Notes. If you just want an IMAP mail server, there are loads in existence (including ours), many of which are open source. There are also separate calendaring suites if you want that functionality.

Internet Explorer. IE started life as Mosaic, one of the original browsers. Like all of the origninal browsers, Mosaic was open source. Microsoft bought the browser idea from its Open Source inventors.

Apache. This is the direct descendant of the original web server (it too was open source), and it dominates the web. Microsoft has tried to copy Apache's functions, but has had a tough time keeping up with Apache's pace of innnovation.

sendmail . Essentially all of the email that goes across the internet does so thanks to sendmail. The orginal (open source) developers now also run a company, but the orignal accomplishments all happened open-source.

BIND The Internet works on IP addresses (eg. 135.23.43.121). Any time you type a URL (letters) into your browswer, you are using BIND. This was invented open source (the B is for Berkely).

TCP/IP These are the two protocols (among others) that make the internet possible. In a sense, they define what is "internet." Developed and implemented open source

Eric Raymond addresses "creativity" issues in his essays.

Having gone back and re-read a bunch of information, I can tell you:

• Sendmail Pro difintely currently has TLS.
• Sendmail 8.11 betas have TLS support.
• These guys have a TLS wrapper for existing sendmail installations.

So I jumped the gun a bit on BSDLed sendmail having TLS - it will RSN, or you can use a wrapper. On the upside, I was also wrong about zmailer, who apparently have TLS now. Encrypted linux-kernel anyone?

I noticed he talks about his business models. Many people, usually the Free Software guys, are a little put out by this by confusing Open Source with Free Software. There are three known ways to make money with an Open Source software project. This information is gathered from "The Open Source Revolution" by Tim O'Reilly.

1) Branding and Distribution Selling the package, documentation and support with an Open Source product. Also called "Support Selling" or "Redhatting".

2) Addition of Proprietary Value

Providing an Open Source project/product to the community and selling additional features to make the product better. Sendmail is a good example of this.

3) Make your Money on the Side

The Open Source project/product is used as a value addition or as a promotion for the company owning the project. In hopes of the project being more popular through Open Source, the creaters would gain credability and popularity. Netscape controlling Mozilla is an example of this.

Looks like model number 2 is being used by our friends at ReiserFS. Nice to see some people adopting another model besides Redhatting.

Right on! Every true free software monk knows that money is the root of all evil. Let's break down how the evil has grown over the years.

Linus Torvalds, cute, cuddley, penguin-looking fellow. What does he want? World domination. What does he wish have said domination? Linux[tm]. What's that "tm" stand for? Transmeta, which is a company. World domination will only benefit Transmeta. Linus is but a pawn. Boycott Linux.

Richard Stallman, a lovely character with a front as high priest of the Order of Free Software. He has been known to take donations. What do donations consist of? Money. What is the most evil substance on this planet? Money. This high priest is a charleton, I say! He is as evil as the rest!

Apache, everybody's favorite open source web server. What is the Apache Software Foundation? According to their FAQ, a "not-for-profit corporation." What do they d? Take donations. Another group whose purpose is not to make quality free software, but to create DonateWare. This, my friends, we do not need. With 60+ percent of the web server market, I fear them more than Transmeta.

Sendmail, the ever popular mail transport agent with an odd name. Right on their front page, it says "sendmail[tm]." (Sorry, Slashdot doesn't allow the SUP tags like the page has.) Obviously they are in cohorts with Linus and his merry band of power-mad mind controllers. What do they do on the side? Sendmail Pro. Which this create to bring in what? Money. Tell me once again what is the most evil substance on this planet? Money.

Can I get an "Amen!?"

Miguel de Icaza, creator, dictator, and zoo keeper of many GNOMEs (you know who you are). Why did he create them? Hatred for KDE/Qt. What's he turned the crusade into? Helix Code. (What's up with the first sentance on that page, "leading open source desktop company?" I'd like to see the study that concluded that. Why does ever company have to declare themselves the leader of a one-contestent contest? I'm the leading free software development specialization operation in my apartment, who the heck cares?) What did he create Helix Code for? So people would "Buy Helix GNOME".

I could go on and on. But my point is all software we once thought would be pure has gone the way of the dollar. It truely saddens me to see this happen. Therefore, I call upon all true free software artisans to join me on a tiny desert isle to be named shortly where we will grow our own food, choke our own chickens, and code pure free software. You see, living in places like the United States, Europe, Germany, there are just too many temptations that require money, houses, cars, beer, women. Therefore we will do away with all these in the name of pure free software. Only then can we be one with the computer. Who's with me?

FYI, this may be a little offtopic, but anything to stop these damn viruses. For you sysadmins, here is howto setup a sendmail rule to prevent the ILUVYOU virus from being circulated.

Shoot! I just replied to the top before I saw this. Sendmail, Inc. has a configuration feature which does essentially what you've suggested here. Details can be found here.

Sendmail, Inc., has posted a blocking configuration feature that enables sendmail mail servers to stop the "ILOVEYOU" virus from entering your computer network at the server level. This feature works on all versions of sendmail 8.9 and above.

You can find the details here.

If administrators add this feature to their sendmail gateways, it will slow the spread of this virus over the Internet.

Sendmail, Inc., has posted a blocking configuration feature that enables sendmail mail servers to stop the "ILOVEYOU" virus from entering your computer network at the server level. This feature works on all versions of sendmail 8.9 and above.

You can find the details here.

If administrators add this feature to their sendmail gateways, it will slow the spread of this virus over the Internet.

You're both sorely in need of catching up with the program:

RFC 2246 defines (and has for well over a year now) the protocol, and the latest commercial releases of sendmail implement it.

So does the Sun Internet Mail Server

Finally, Weitse Venema's postfix MTA has a freely-available TLS patch that implements SMTP encryption for those of us who don't want to pay for it.

There's even an RPM available.

Postfix, BTW, which used to be called vmailer, is the IBM Alphaworks free MTA project that was covered here in /. back in the day.

As, indeed, was this entire portion of this thread.

--

Even if Red Hat goes bankrupt tomorrow, all their code will be around for anyone to use. And just as importantly, their code will not be used in a way that is harmful to the Open Source communitiy, such as in a closed source distro by Microsoft or another giant corporation. Why? Because of the GPL.

The commercial BSD vendor, Berkeley Software Design, Inc., and Eric Allman's companym, Sendmail, Inc., share several characterics. (Note: I may be wrong about some of the following. Corrections welcome) They both started with free software. They both added proprietary enhancements. The both sell their value-added product as a revenue source. Both give you source code to the product you bought. And both forbid you from redistributing that source or changes to it to those who don't hold a licence.

Two critical questions are:

1. What's the current technology transfer? To what extend do corporate BSDI enhancements return to the free BSD distributions?
2. If these companies go down, what happens to their code? Licence holders still have the source, but so what? Is it dead?

To add one more pair of companies to the stack, consider John Ousterhout's TCL-based Scriptics company, or the Canadian Perl-related firm, ActiveState. My understanding is that there's more technology transfer between these two companies and their core free software roots than might be immediately obvious with the previous pair. I cannot really speak of the TCL world, but in the case of the Perl one, that firm funds not only the salary of the Perl release manager, they also fund development for porting to non-free systems. For example, they've made Perl's fork() call work "right" on Microsoft systems (actually, Microsoft paid for that work!) and have immediately returned those corporately funded enhancements back to the world of free software.

Yes, that means that the current developer release of Perl, version 5.005_63, supports fork(2) with Unix semantics even on Microsoft. Hurray!

If you want other mixed-mode business models, think about Alladin Ghostscript. The interesting issue of licensing is covered in the FAQ. There's also Sleepycat Software, whose database product, Berkeley DB, was used in Netscape with neither credit nor compensation, thus triggering a good bit of bad blood on the authors' parts because of lack of public recognition and appreciate for their work. The resulting `poison pill' licence seeks to avoid a repeat of this unpleasantry.

Now, we have in contrast to those situations, look at companies that are making a business, or trying to make a business, out of GPL'd software. The two most obvious examples, RHAT and LNUX, are hardly typical cases due to their current market valuations, which are obviously astronomically overvalued. But even in their cases, you'll find things that aren't what you would call "free software". In fact, they aren't even open source; look at the way Redhat ships "demo versions" of things without source. Now, I would be willing to argue that this is in fact a good thing because it shows people that Redhat's operating system is a viable platform for traditional licensed software. Others, however, dispute this, pointing out that that software would be orphaned if the company who produces it were to die.

My point is that I believe we now have a sufficiently long list of corporate endeavours which are based, at least with respect to some definitions of the term, free software. That means we have actual cases to look at, not hypothetical cases. I'm sure I've only named a couple of them here. What about other companies? I'm not talking about simple packagers and distributors. I mean firms that do serious development work based on free software. (I would mention Cygnus, but they've recently become an acquisition by Redhat.)

Do we have examples of companies that have died or otherwise abandoned their work in these areas? The university Ingress experience and Britten-Lee? Can we come up with other examples to look at? What has happened to the product of their work? Has it truly gone the way of all things, or did humanity derive some benefit from it?

Everybody knows ... sendmail is GNU.

Effugas wrote:

While the original developer retains the right to use his own code in closed source software, I do not believe that he(or she) may use submitted code in that software--at least not under the GPL license.

Technically, you're right, but to a certain extent it depends on the project. If a person submits code to a software project that is distributed under a particular license, it is traditionally assumed that the submission is also under that license (unless explicitly otherwise). The only person who can change the license on code is the copyright holder. Small patches contributed to a larger work are often considered as being copyright assigned to the holder of the large work by default. Most big projects which care about copyright (eg. GNU or CygWin) ask for a formal assignment of copyright when you submit a significant amount of code. When you assign your copyrights to someone else, they can legally change the license at will.


Sendmail, of course, is not(to my knowledge) covered under GPL, so that probably explains why its makers can use publically submitted patches in a private product.

Until recently, Sendmail was under the BSD License. This license has always been interpreted that you can redistribute BSD source or binaries under any terms (i.e. license) you wish, provided the specific conditions of the BSD license are also met. As of version 8.9, Sendmail, Inc is supporting three versions of Sendmail, each under different license, each license includes the BSD conditions.


An interesting contrast can be drawn with closed source software, which increasingly is including time limits on usage in the fine print. While you can never lose the right to use OSS software, certain popular programs are legally limited to only twenty five to thirty years of usage.

Yeek! Do you have an example of such a license?

Does anyone know of any other sites with these people (or others of their ilk) discussing the underlying framework of the free software/open source communities?

FYI - there are other comments on the feedmag site that /.ers might find interesting.

bnf