Slashdot Mirror

Read his license and see for yourself.

For people looking for an easier and as of now more secure implementation for DNS you might want to check out tinydns, part of djbdns by the famous (or infamous) professor and programmer Dan Berstein.

DJBDNS has never had a security hole discovered and plenty of people frequently evaluate his sourcecode.

The one gripe people have with his code is that he hasn't GPL'd it or even opensourced it. What he has done which is slightly more interesting is just released it with NO license and instead just asserts ownership over his codebase. If it doesn't bother you that it isn't GPL or BSD, etc -- check it out and help make the net's DNS servers safer and more secure.

We run it at EveryDNS.Net and haven't had a problem with it yet.

I can't comment on register.com but at EveryDNS.Net we found bind to be too much of a risk to run for our servers. In the long run, DJBDNS has proven to not only be secure but also far easier to setup, administer as well as write parsers for.

Already available is djbdns, written by D. J. Bernstein with security as a design goal. In fact, he offers rewards to anyone who can find a vulnerability.

Already available is djbdns, written by D. J. Bernstein with security as a design goal. In fact, he offers rewards to anyone who can find a vulnerability.

I have a solution for at least the BIND problem:

Use DJBDNS!

The webpage may be humble, but the software kicks all kinds of ass. BIND is garbage. It represents the worst that the UNIX world has to offer. Having been victimized by it's insane configuration mechanisms and it's unbelievable insecurity and then experiencing djbdns' super-easy set up and rock-solid stability I'm never going back.

Also OpenNIC is an ICANN indepent root system ... why not just use them instead of ICANN?

I'm also surprised about KDE 2.2, since KDE 2.2.1 has been out for quite a while now. The same goes for the kernel version (2.4.7), and a few other things. Didn't RedHat used to have more recent things in their earlier distributions?

/Basic

Perhaps you should write a daemon to check for daemons and restart them if necessary. :P
It is called 'supervise' and comes with daemontools.

Physicists have actually started bypassing the reviewing/printing system by putting up arXiv.org long ago. Mathematicians have then followed, and other scientists are starting doing it now. Daniel Bernstein has some very useful advice for authors at his web page at http://cr.yp.to/bib.html.

"Is your solution then to abandon C? "

Wait wait wait. Did I write anything like this? No I did'nt.

The solution is to use a dynamic string handling library. For example, DJB's. But there ought to be a standard alternative.

"Of course. But it's a basic tool. Not testing your code is much worse than using string functions. I mean BOTH unit tests and system tests."

Hey, it's YOU who implied that testing removed the need for dynamic strings.

too bad there's not a section on ezmlm, the mailing list manager for qmail

http://cr.yp.to/ezmlm.html

Yes, Dan Bernstein has been running surveys of SMTP servers.
-russ

I applaud Theo's decision, even if it does happen to piss a few people off; maybe now DJB will realize how much his licensing ideas suck, and change them.

That's a good one. Just about knocked me off my chair. No, DJB has some strong opinions regarding copyrights and licenses, and I doubt he is going to change them anytime soon. Maybe a US Supreme Court decision on the validity of software licenses would make an impact. And maybe the world would be a better place if the Supremes agree with him.

However, as an OpenBSD and qmail user, I'm distressed about all of this politics. And frankly, I've never liked having things like /var/qmail/bin kicking around, just because DJB is concerned about servicing installations that NFS mount /usr. Why is that my problem?

I'm wondering if it is possible to create free software versions of DJB's projects, so people can benefit from his excellent design decisions without having to deal with his whacked-out directory policies.

I suspect the correct way to go about this is to perform a clean-room copy of his work, where one person (or team) documents the way his software works, and someone else implements what was documented. Isn't that a valid copyright circumvention technique occasionally used in the hardware world? I can't find anything at google.

Do you think that Theo and his merry band of bandits would really convince Bernstein to change his license? After all, the FBI and the NSA fucked with Bernstein, and last time I checked Bernstein was winning (as much as you can against those guys). See the whole shebang at http://cr.yp.to. (Ok maybe not, but he is still fighting).

Heck, I've toyed with writing a proof of concept *nix verison of Code Red using wu-ftp vulnerabilities, rpc.statd vulnerabilities, telnetd vulnerabilities, sendmail vulnerabilities and even BIND vulnerabilities.

wu-what? Don't run that thing.

rpc.statd? Nup, not here.

telnetd? Surely you jest!

sendmail? Ha ha! You must be kidding. qmail (Most people in my LUG run qmail, Exim, or Postfix.)

BIND? Not here.

So tell me again ... what was the worm exploiting?

Just like with Code Red attacking IIS, the daemon affected had somehow escaped Quality Assurance without being properly checked (as most of the above software has also) and shouldn't have been run.

Yeah, DJ Bernstein, author of qmail and djbdns, has put in a lot of thought into overhauling SMTP. Check it out.

Yeah, DJ Bernstein, author of qmail and djbdns, has put in a lot of thought into overhauling SMTP. Check it out.

Yeah, DJ Bernstein, author of qmail and djbdns, has put in a lot of thought into overhauling SMTP. Check it out.

I use nothing but Qmail. Its own programs don't even trust each other, much less the outside world. Qmail even offers a Security Guarantee - I'd like to see Sendmail do that...

But on topic, I think the port is cool anyway. I'd personally love to get ahold of an S/390, and run about 40 virtual Linux boxes within it. If someone owns one of the virtual boxen (via a Sendmail sploit for example), I suppose it'd be easy enough to clean up...

Home systems (like mine) DO need bind. I can cache lookups here and browse quickly, or wait forever for my @home name server to respond. BIG difference.

djb fixed all the BIND security flaws long ago. It is called djbdns.

According to http://cr.yp.to/distributors.html, the djbdns license does NOT allow modification of the source code (even when the product is released under a different name) and therefore breaks freedom 1. Besides, BIND 9, despite the name, is not based on the BIND codebase at all; it's a complete rewrite and shouldn't have the same security holes.

When people say SMTP is broken, the lack of trust management is what they're referring to. The inherent brokenness of SMTP is that it delivers just about anything that shows up on port 25.

We need something like D. J. Bernstein's proposed Internet Mail 2000 system.

Large mail servers would need massive CPU power to do the necessary public key cryptography.

This turns out not to be the case. Bernstein's hash127 package checksums a 64-byte string in 500 clock cycles on a lowly Pentium 166 This is over 300000 checksums/second. Read more in his paper Floating-point arithmetic and message authentication.

When people say SMTP is broken, the lack of trust management is what they're referring to. The inherent brokenness of SMTP is that it delivers just about anything that shows up on port 25.

We need something like D. J. Bernstein's proposed Internet Mail 2000 system.

Large mail servers would need massive CPU power to do the necessary public key cryptography.

This turns out not to be the case. Bernstein's hash127 package checksums a 64-byte string in 500 clock cycles on a lowly Pentium 166 This is over 300000 checksums/second. Read more in his paper Floating-point arithmetic and message authentication.

When people say SMTP is broken, the lack of trust management is what they're referring to. The inherent brokenness of SMTP is that it delivers just about anything that shows up on port 25.

We need something like D. J. Bernstein's proposed Internet Mail 2000 system.

Large mail servers would need massive CPU power to do the necessary public key cryptography.

This turns out not to be the case. Bernstein's hash127 package checksums a 64-byte string in 500 clock cycles on a lowly Pentium 166 This is over 300000 checksums/second. Read more in his paper Floating-point arithmetic and message authentication.

When people say SMTP is broken, the lack of trust management is what they're referring to. The inherent brokenness of SMTP is that it delivers just about anything that shows up on port 25.

We need something like D. J. Bernstein's proposed Internet Mail 2000 system.

Large mail servers would need massive CPU power to do the necessary public key cryptography.

This turns out not to be the case. Bernstein's hash127 package checksums a 64-byte string in 500 clock cycles on a lowly Pentium 166 This is over 300000 checksums/second. Read more in his paper Floating-point arithmetic and message authentication.

Dan Bernstein is working on something like that. See his website for his ideas on how to do it, at the end of the page following his rant about DNSSEC.

The idea is simply to give each computer a name that includes the computer's nym, a fingerprint of the computer's public key. Other computers then discard DNS records for these names if the records aren't accompanied by signatures under the corresponding public keys.

My top priority for djbdns is to support nym-based security.

Dan Bernstein is working on something like that. See his website for his ideas on how to do it, at the end of the page following his rant about DNSSEC.

The idea is simply to give each computer a name that includes the computer's nym, a fingerprint of the computer's public key. Other computers then discard DNS records for these names if the records aren't accompanied by signatures under the corresponding public keys.

My top priority for djbdns is to support nym-based security.

PINE is not really part of the problem, and attempting to villainize them is wrong in my opinion. They make a program. As a user, you can download it, you can hack the source, you can use it. You simply cannot distribute changes to the source. This is essentially the same terms as DJB software packages such as qmail, djbdns, and publicfile.

The prompting of RMS to found GNU has been reported as the failure of a printer company to either fix their driver or allow RMS to see the source to fix it himself. Ask yourself, if they had allowed him to fix the driver for himself, but had insisted that he send his changes back to them for redistribution, how bad would that world be ? (That sentence is pretty awful - I feel kinda like Dubya).

I would MUCH rather see distributions like Debian allow the distribution of binaries or source for PINE in a non-free section. There oughta be a category for software like this. The criteria are that the author provides a copy of the source that the user owns in the copyright sense, and that nothing more than standard copyrights are allowed. This is a stark contrast to EULA contractually governed packages, and should not be categorized and villainized in the same manner.

There was a time, around when PINE was written, in which the vast majority of open source programs gave you a copy in the copyright sense, and no more. This gets you MOST of the way from an EULA-type agreement to a GNU type agreement, but not all the way.

BTW, I use mutt mainly because I HATE pico. PINE never included the functionality to plugin your own editor. You have to use pico first, and then exit to your own editor. That is a bad design, and I cannot fix it for others - only U Wash can.

3) What about the GPL? Well, what about it? Nothing Caldera is doing violates the GPL (at least, I can't prove it).

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

(more from the GPL)

You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

It seems to me this is clearly not allowed under the GPL. However, the above quote includes the word 'herein' - meaning in the GPL. The GPL specifically states:

Activities other than copying, distribution and modification are not covered by this License;

A strange situation occurs (based on the information I have now): Caldera disallows use of their softare on more than one system, but it does not disallow redistribution. Much like 'shareware' licenses, which allow free distribution of the software, but use is limited.

Some people have argue that once you've obtained the software it's yours to do with as you please, but to redistribute the software (modified or not), you have to have permission from the copyright owner.

I don't think Caldera's model can survive. It can only work if none of the copyright holders decide to sue Caldera, and they actually have a much better distribution (to compensate for the loss in goodwill).

If this holds up, however, there is no longer any added value to the GPL versus some of the less restrictive licenses (BSD/MIT/X11 etc).

Now lets talk about your claims.

Here's what DJB says about software licenses:

What does all this mean for the free software world? Once you've legally downloaded a program, you can compile it. You can run it. You can modify it. You can distribute your patches for other people to use. If you think you need a license from the copyright holder, you've been bamboozled by Microsoft. As long as you're not distributing the software, you have nothing to worry about
Emphasis Added....

DJB gives his software away, but he retains the copyright. You don't have the right to distribute copies of his software to other people unless he gives you that right.

That being said, he explicitly gives you the right to distribute or copy his software here:

You may distribute copies of qmail-1.03.tar.gz, with MD5 checksum 622f65f982e380dbe86e6574f3abcb7c.
Vendors: I'd be interested in hearing about any CDs that include the package, but you don't have to check with me if you don't want to.

DJB does not LICENSE his software because he knows that a "software license" is legalese bullshit. It's a manufactured concept that doesn't really exist. Federal copyright law (in the US at least) is the "controlling legal authority."

How can you have a problem with someone retaining the copyright to their work?

The GPL is a legalese response to a situation that shouldn't really exist. It's unfortunate, but when you release the source code to your software, unscrupulous people will take that code and do what they want with it. the BSD and GNU "license" are not "software licenses" in the same respect that Micro$oft's shrink-wrap "license" is, they are a standard "distribution terms" from a copyright holder.

DJB's software is free in every sense of the word. You can obtain it gratis and you are "free" to modify it however you wish as is the right of every owner of a copy of a piece of software. You even have the right to give away or sell copies (yes sell!) of DJB's software. You can modify and patch his software as much as you want, but in order to continue to have the right to distribute the software freely, you must keep your work separate as a patch. Alternately, you could just ask the copyright holder for permission to distribute a modified version of his software as a precompiled binary. Assuming that you don't break DJB's compatability directive you'll probably be granted that privilege.

The GPL is no less restrictive when it says that you must release the source code to your modifications to a GPL'd piece of software.

Now lets talk about your claims.

Here's what DJB says about software licenses:

What does all this mean for the free software world? Once you've legally downloaded a program, you can compile it. You can run it. You can modify it. You can distribute your patches for other people to use. If you think you need a license from the copyright holder, you've been bamboozled by Microsoft. As long as you're not distributing the software, you have nothing to worry about
Emphasis Added....

DJB gives his software away, but he retains the copyright. You don't have the right to distribute copies of his software to other people unless he gives you that right.

That being said, he explicitly gives you the right to distribute or copy his software here:

You may distribute copies of qmail-1.03.tar.gz, with MD5 checksum 622f65f982e380dbe86e6574f3abcb7c.
Vendors: I'd be interested in hearing about any CDs that include the package, but you don't have to check with me if you don't want to.

DJB does not LICENSE his software because he knows that a "software license" is legalese bullshit. It's a manufactured concept that doesn't really exist. Federal copyright law (in the US at least) is the "controlling legal authority."

How can you have a problem with someone retaining the copyright to their work?

The GPL is a legalese response to a situation that shouldn't really exist. It's unfortunate, but when you release the source code to your software, unscrupulous people will take that code and do what they want with it. the BSD and GNU "license" are not "software licenses" in the same respect that Micro$oft's shrink-wrap "license" is, they are a standard "distribution terms" from a copyright holder.

DJB's software is free in every sense of the word. You can obtain it gratis and you are "free" to modify it however you wish as is the right of every owner of a copy of a piece of software. You even have the right to give away or sell copies (yes sell!) of DJB's software. You can modify and patch his software as much as you want, but in order to continue to have the right to distribute the software freely, you must keep your work separate as a patch. Alternately, you could just ask the copyright holder for permission to distribute a modified version of his software as a precompiled binary. Assuming that you don't break DJB's compatability directive you'll probably be granted that privilege.

The GPL is no less restrictive when it says that you must release the source code to your modifications to a GPL'd piece of software.

You can copy and hack the source as much as you like.

No, you can't. The distribution terms (aka: LICENSE) specifically state that you can not.

The distribution terms specifically state this:

You are free to download the software from my web server; you then own that copy of the software, and you are free to compile it and run it.

In any case, I specifically said, "The only real restriction is on the distribution of binary packages: They must operate the same as a user would get downloading and compiling the source themselves." Yes, that means you can't distribute modified binaries. So what if you patch qmail to use localtime instead of UTC? Are you distributing binaries? Unlikely. (About as likely as finding a buffer overflow in any DJB code, and that approaches zero.)

You can copy and hack the source as much as you want. What you can't distribute the results outside of your own organization and call it djbdns. Lots of people distribute patches for various odd things, especially for qmail. And there are also qmail RPMs and djbdns RPMs. Maybe you should be reading FAQs...

You can copy and hack the source as much as you like.

No, you can't. The distribution terms (aka: LICENSE) specifically state that you can not.

The distribution terms specifically state this:

You are free to download the software from my web server; you then own that copy of the software, and you are free to compile it and run it.

In any case, I specifically said, "The only real restriction is on the distribution of binary packages: They must operate the same as a user would get downloading and compiling the source themselves." Yes, that means you can't distribute modified binaries. So what if you patch qmail to use localtime instead of UTC? Are you distributing binaries? Unlikely. (About as likely as finding a buffer overflow in any DJB code, and that approaches zero.)

You can copy and hack the source as much as you want. What you can't distribute the results outside of your own organization and call it djbdns. Lots of people distribute patches for various odd things, especially for qmail. And there are also qmail RPMs and djbdns RPMs. Maybe you should be reading FAQs...

You are so wrong about djbdns... Read Dan's Frequently asked questions from distributors. The only real restriction is on the distribution of binary packages: They must operate the same as a user would get downloading and compiling the source themselves. You can copy and hack the source as much as you like. In fact, there is no license because Dan doesn't think you need one; read the links on the page.

And yes, I checked carefully that the problem had been fixed. The only way you can relay mail through my mail server is if you're a customer of mine and you have a fixed IP. And I've cancelled more than one user for their failure to abide by my stringent anti-spam policy. I am definitely not a spam-friendly host.

In the end, I finally purchased an additional, similar domain name, and spent several months getting my listings changed on the major web indexes. I've since met several other sysadmins who've had similar problems with the MAPS RBL.

The RBL system is a lot like Paul Vixie's other slipshod product, BIND: buggy, unreliable, and maintained by people with a total disregard for the people they purportedly serve. Unfortunately, while I can replace BIND with djbdns and get a product designed by a competent and ethical (if rather obnoxious) programmer, there's not much I can do about the RBL without a lawyer.

Screw spam. And screw Paul Vixie and his arrogant, incompetent, negligent cohorts, too.

DNS protocol standardization takes place on the censored namedroppers mailing list. Vixie has had a large involvement in DNS, and I believe he even hosts the mailing list.

Have a read at Dan Bernstein's attempts to raise important issues on this list that are routinely censored:

http://cr.yp.to/djbdns/namedroppers.html

Through a strange coincidence, it seems that plenty of problems I've read about center around or close to Paul Vixie. It's impossible not to have contempt for him at this point. Does he try??

He is involved or responsible for projects which have/had shown significant problems: Vixie Cron (security holes), BIND (security holes), DNS standardization (security holes, censorship, bloated/redundant features), Blacklisting (mis-filtering or abusing filters), etc. This is too weird.

That isn't how I read the license for qmail.

Quoting: If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get [djb's] approval.

And there have never ever not once not even no no been holes discovered in qmail or djbdns, so rushing out a security fix is not something to expect. Check the age on some of those packages. They are from a long time back, and they are still the current release.

There seems to be a lot of confusion about the license Dan puts on his programs and whether this license is Open Source.

Section three of the open source definition requires that derived works are allowed:

The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

Contrast this to this excerpt of Dan's license:

You may distribute a precompiled package if installing your package produces exactly the same files, in exactly the same locations, that a user would obtain by installing one of my packages listed above;

I hope this clears up any confusion people may have with whether Dan's license is open source.

- Sam (Posting this at one since this is a rather heated discussion)

Read the licenses of djbdns and qmail, and you'll see why we can't ship them: If a hole is discovered, we're not allowed to distribute a fixed version in binary form.

And the chances of qmail or djbdns having holes in is...? Anybody...? Approximately zero, I'd say. For people that don't know, the author guarantees cash rewards to anybody finding exploitable code in his software. The code is very very easy to audit, since most of the programs he writes are as small as they possibly can be (and split up into separate, mutually distrusting binaries), and use none of the standard I/O or string handling functions because djb doesn't trust them. Okay, so I'm biased, I love both programs, but this is someone who knows how to write secure code.

I think the reason most distros find djb's license so restrictive (not that I necessarily disagree) is his stance on distros not being allowed to shift files around to suit their view of the filesystem hierarchy-- e.g. no binary packages of qmail are allowed unless they put their binaries into /var/qmail/bin without exception. This of course irks most distros who have their own idea of where the mailer binaries go, and means they go towards similarly functional (though less secure) mailers with less restrictive licenses.

I wasn't aware (read: didn't care) that RedHat was involved in any hullabaloo regarding qmail & djbdns. However:

Qmail and djbdns are each distributed under licenses which basically prohibit you from distributing modified binaries. You can redistribute the source, you can write patches for (and redistribute) it, you can distribute binaries. You may not redistribute patched binaries or directly modified source. The full text is here

This makes GPL die-hards pretty upset. If I'm reading this correctly, some folks petitioned RedHat to include both qmail and djbdns in their distribution, and RedHat balked because of license issues. The thing is, they already were distributing Netscape, so the license argument sounded kind of lame.

Both programs were written (started) by D.J. Bernstein. You might also be interested in his djbdns security guarantee. It seems to be good software but it's just not Free.

Both programs were written (started) by D.J. Bernstein. You might also be interested in his djbdns security guarantee. It seems to be good software but it's just not Free.

djbdns and qmail are both under the DJB license, a license of their creator. You arent as free to do what you want with them as GNU applications. As such, RedHat has stated it will never distribute them unless the license changes. However, They distribute Netscape, Which is worse than djbdns/qmail. You can see more on D. J. Bernstein's site

Dan Berstein asks a similar question and finds one or two answers. It seems like the only (readily found) solutions are American Advanced Power and Amsdell.

Dan Berstein asks a similar question and finds one or two answers. It seems like the only (readily found) solutions are American Advanced Power and Amsdell.

The softwarelaw.html page you cited give DJB's take on what your rights are after you have legally received a copy -- you can make backups, modify it, etc. He says nothing about distributing further copies, nor distributing your changes. And he's right. The law he cites allows making of copies for yourself for specific reasons ("(1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or (2) that such new copy or adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful. "), but not the distributions of the copies or "adaptations".

For that, you need the permission of the copyright owner, and DJB won't give it for modified versions (what he says is "If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my approval. This does not mean approval of your distribution method, your intentions, your e-mail address, your haircut, or any other irrelevant information. It means a detailed review of the exact package that you want to distribute."

What he says about licenses on the software law page and on the distribution page are not contradictory, but rather deal with different portions of the law. He does not believe in "shrinkwrap" licenses, so he doesn't use one. He demands absolute control over what gets distributed, so he uses a very-tight copyright license.

Please show me the qmail license! Can't? Well, that's because there is none.

Read http://cr.yp.to/softwarelaw.html for DJB's take on licensing and you'll see why there is no license for qmail and determine for yourself what you are able to do with it.

How a license that doesn't exist is bothersome is beyond me.

It bothers me that they spend more time on SMTP. SMTP and FTP combined are probably two of the hardest protocols to implement correctly, as is evinced by the numerous vulnerabilities on almost all servers designed for either protocol.

I wish they'd pay attention to possibly more radical changes to the mail infrastructure. Specifically, it seems that Internet Mail 2000 solves numerous fundamental problems with SMTP and the other mail related protocols, POP* and IMAP. It's disappointing to see more time spent on a protocol with a far better alternative.

Jeremy
--