Slashdot Mirror
Debian Project Rejects Sender-ID
NW writes "Following on the heels of Apache Foundation taking a stance against Sender-ID, the Debian Project announced today their rejection of Sender-ID as well."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Perhaps this is where closed source vendors (read: Microsoft) will lead the adoption of Sender-ID.
For your eyes only.
Of course patent-encumbered standards will never take. Why do companies even hope that it will? Do they remember what happened to IBM and MCA?
A NYC lawyer blogs. http://www.chuangblog.com/
nt
We have many major players rejecting this proposal in public. Is it enough for critical mass?
Sendmail has a plugin available which allows for Sender ID compliance. Which other GPL software will be modified by third parties? This is the joy of GPL software, of course, to maintain it separately from the core. This is also the Achilles' Heel. If Microsoft wanted to do so it could produce the necessary changes for all of these dissenting software packages itself -- and distribute them itself -- and achieve dominance through this method.
The official group declaration would mean little if the availability of the encumbered proposal is enormous and well known.
Most importantly, why wasn't this type of public condemnation available for the various W3C proposals that had patents attached? We cannot pick and choose the fights we engage in - our opposition to patents and intellectual property in standards must be uniform and universal. Once a single standard is accepted despite being weighed down by IP concerns the floodgates will open.
My reality check bounced.
As idiotic, trollish and NSFW as that was, I have to admit it was pretty devious.
Karma: Segmentation fault (tried to dereference a null post)
Probably a somewhat stupid question, but doesn't Debian only distribute the software, and therefore doesn't really have anything to do with the Sender-ID and the possible patents it depends on ? Or is Debian plainly boycotting any program from distribution that uses Sender-ID ?
- Leon Mergen
http://www.solatis.com
I'm assuming Microsoft will soon enough have mail servers that support (or worse, require!) sender ID, and will advertize heavily with this as a supposed extra security feature that OS cannot or will not offer. What I'm wondering: is this in any way a threat to OS and the infrastructure of the web?
I've read both statements and, while I agree they can do whatever they want with their software/distributions/etc., I've seen little analysis.
What makes Sender-ID so bad, in comparison to other technologies that both do support (say ASP and SMB). Is it because they reverse-engineered those and MS is trying to release this into the "open"? Are they waiting for a reverse-engineered version?
I know some about coding but little about law. What in particular about this license is causing so much trouble? Could MS change a few lines and it would be accepted?
A list of SPF-enabled registrars and DNS providers is at http://www.spf.idimo.com/
This should be a concern for all, no matter how you feel about MS, or even if this was another company, like IBM, HP, etc. The standards which hold the Internet together cannot "belong" to one company.
Everybody here is no doubt familiar with the "unofficial standard" that is Microsoft Word: meaning, they have been sent Word documents or asked to send documents in Word format as if everybody used Word. Microsoft has ensured that the clueless masses default to Word's format as an Internet standard (or as an example of "best practices" -- to use the latest buzzword).
You can find examples of this in business, education, and government.
It's possible that we're going to see e-mail "evolve" in the same way. Ninety percent of e-mail flying around the Internet will use the new Sender ID standard; those not using it will seem odd and likely be forced to use it more often than not in their various business dealings.
quiquid id est, timeo puellas et oscula dantes.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
http://www.electricstate.com/articles/defuglify-sl ashdot. Drag the link to your Bookmarks toolbar. That's all there is to it.
Karma: Segmentation fault (tried to dereference a null post)
It's sad, but it seems that taking sometimes the most primitive steps to help secure one's mail server is over the heads of mail administrators. Even worse, the amount of resistance to having an MTA have proper reverse is incredible.
A short time ago the company I worked for started refusing inbound connections from MTA's that didn't have proper reverse DNS. By proper reverse dns I mean as per RFC 1912 section 2.1 . While the word must isn't used in the RFC, the word should is used, and the RFC even states "For every IP address, there should be a matching PTR record in the in-addr.arpa domain........Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all."
Imagine when I had to explain what proper reverse DNS was to an MCI "internet engineer" (That was the title in his e-mail). Imagine my suprise at the number of complaints generated - and even greater suprise that people simply REFUSED to fix their problem. Instead, bowing to our own customer pressure, we stopped enforcing the checks. We again became part of the problem, instead of part of the solution.
We did this because we saw lots of spam that came from MTA's with no reverse. Even more telling we found lots of spam that used "spoofed" reverse dns. I.E. the reverse had a pointer to some host like mx4.hotmail.com, when no forward with that IP existed. This is most common from spammers coming out of eastern Europe, and some out of china. By refusing to accept mail from these we lowered the amount of delivered SPAM.
Supposedly, AOL, Road Runner, and AT&T require reverse dns. In actuality they don't. If the community is truly serious about fighting spam then they would follow their own policies, and they would help. If AOL and hotmail alone required valid everse DNS the rest of the world would follow suit in short order. By not enforceing their own published rules, very large providers are part of the problem, and their laziness continues to perpetuate the problem.
Considering their inability to enforce something as simple and as easy as rdns (RFC 1912 published 1996) I see no hope for caller ID, or SPF records. They all sound like great standards - but we can't even enforce the standards we have had for almost 10 years.
Debian is correct to reject the "caller-id" feature. Not for any copyright reason, but because it won't work in the current environment with so many lazy administrators, and the only adoption being the spammers themselves.
cluge
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
It is very likely that Sun, IBM and RedHat will reject Sender-ID as well. Here is a very interesting read on News Forge
This is my sig. There are thousands more, but this one is mine.
I hope you know you're sending that threat to your ISP by way of their DNS server. Not very wise, IMO.
We are also concerned that no company should be permitted intellectual property rights (IPR) over core Internet infrastructure.
Seems obvious to me. Why isn't it obvious to the IETF?
Debian again: We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered.Right on.
A company like Microsoft has no respect for the rights of others, no respect for ethics, no respect for the ideals of the people who built the Internet infrastructure for our benefit. I agree with Debian that no company should be permitted IP rights over core Internet infrastructure. But especially not a predatory company like Microsoft.
Description of the Sender ID Framework from Microsoft.
It would be so much nicer if people writing/editing these stories would link to stuff that isn't blindingly obvious to everyone.
p
In Korea, long hair is for old people!
They were right to reject it. The open source world often stands together in such issues, and the only end result that could happen is a truly free standard that will take on the world. Now that issues have been raised, it means every other distro will analyse it, and probably not include it either but help work on a "free" one, and the internet in reality runs off Unix, so we have a VERY good chance of getting a strongly supported standard out there.. Very few major mail servers run off Windows, hotmail is probably the only one I'd imagine.
Just one question, has there been any work on a open standard yet?
Is there any way one can actualy find out what Sender ID _is_, without increasing one's exposure to patent infringement lawsuits?
Apart from the fact that Microsoft are an incredibly wealthy and successful company, they deserve a moment's silent respect for their utter failure to understand the way the IT market is evolving.
The attempt to inject patents into anti-SPAM tools is well-founded for a company that wants to find new business models, but it's incredibly offensive to the Internet community. Not just "nerds" and "fanatics" exposing some radical political viewpoint, but the hundreds of thousands of hard-working people who actually built the servers that run the web.
Technology gets ever cheaper and this inevitably destroys old markets. For the world's largest software company to _still_ earn the bulk of its money from operating systems and office suites is quite amazing. These are commodity products and only sell through brute-force tactics that are eventually self-defeating.
Microsoft should step back from trying to control essential domains such as email, and focus on what they are really good at: providing the unwashed masses with easy-to-use, pretty front-ends. It's a market with huge potential but its success depends on a reliable and expanding back-end infrastructure, exactly the domain that Microsoft is incapable of delivering.
A message to Microsoft: please understand that open source is the key to your long term survival. Embrace it, or die. Open source is the cornucopia of software technology: it will create a hundred million new software consumers, and most of these will be potential new clients.
Just produce software they actually want, not software they are forced into buying by your devious political games.
When the Internet first became popular, Bill Gates announced that the Microsoft Network would be better. He was wrong, and after a couple of years, forced Microsoft to embrace the net rather than fight it.
The same is true of open source. It's only a conflict because Microsoft is refusing to face the inevitability of the situation.
A moment's pity, therefore. They may be rich. That does not make them either smart, or right.
Sig for sale or rent. One previous user. Inquire within.
The big push here needs to be for Mozilla to refuse to support it.
We heard here yesterday that Mozilla has a far bigger market share than Debian does - and Mozilla actually does read mail and reject spam. So their refusal to participate in a Microsoft takeover of the world wide email system would have some real meaning.
It's good that Apache came out against it...what about 'sendmail'?
There also needs to be some promotion of a good alternative that's not IP-encumbered and which would hopefully have technical merits too...it's easy to refuse to support a proposed standard - but it's better to have a good reason to recommend a solid alternative.
www.sjbaker.org
All "Redundant" mods will be meta-modded "Unfair" until the mods can prove they know what "redundant" means.
:-P
You mean,
All "Redundant" meta-modded "Un" 'til mods prove know what means.
It's still legible, and has less words! Less repetitive redundancy!
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
I was waiting for such a statement from the Debian project (it being my favouritve flavour for many years now and following what's happening) since the Apache statement.
This is the correct way to go (and this is not just the opensource guy in me speaking, but also the IT subconcious).
Go Debian.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Of course, if you have a DNS provider who won't let you make such changes, you probably need a different DNS provider!
That this is against the Debian FreeSoftware Guidelines, And that the core internet technologies should Not be controlled by a comp. Or A comp. can have a patent on them.
I think the current sitution is not good, What I'm afraid of is that it might be wide spreaded all of a sudden, Though I doubt it, As apache is the leade when it comes to webservers. Or am I wrong ?
Even being familiar with DNS, SPF, Spam Filters of all kinds I don't get what's different about Microsoft's plan and the general SPF plan.
Someone want to clear that up?
That article Microsoft has is just SPF with a different name on it as far as I can tell.
(Or did they invent SPF in the first place...)
You can implement handling the setup of the DNS TXT records without touching anything Microsoft claims ownership of. You can implement the checking of the HELO/EHLO and MAIL FROM via SPF with no patent concerns. Will Apache, Debian, et al dismiss this, simply because the most popular implementations of SPF also support checking the header FROM field, which is supposedly Microsoft's idea?
So? Sender-Id was bad but so what? If you reject something you got to come up with an alternative.
I know there is such but unless if Groupwise/Notes and other premium commercial products start supporting the stuff, it doesn't matter.
If you really think that something that Debian project actually does matters, lol.. You are deceiving yourself. It's just one niche project that most of the people never have even heard of.
i know i'd use it. just wish i had the skills (or the time to learn the skills) to write the damn thing myself.
(emphasis added)
The only way that Debian could accept Sender-ID is to reject the GPL. At that point, having denied its own soul, it would cease to be 'Debian' by any meaningful definition - it would be ex-Debian.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
This just goes to prove that all those stories about terrorists posting encrypted messages on websites aren't all bunk...
I fed this message into the Bat-Super-Computer in my top-secret underground lair, and I now present the unencrypted version:
"Truth is, I'd kill for a mall like this!"
It appears that the message is from Osama Bin Laden himself, though it is unclear which mall he was talking about. We are recommending that people set their homeland security wall chart to off-mauve (or "Moderate") risk of terrorist attack, and shop at the downmarket mall on the other side of town where all the gangsters hang out, until further notice.
This message brought to you by the Dept. of Homeland Hysteria, and the letters G, W, and B.
Trying to sneak a pantented standard in, then later charging for it after wide-spread adoption seems more likely, if you do remember that quote.
First, I browsed the ietf-list discussion initated by Richard Stallmans post. One states that the group has made Microsoft aware that the licence is not acceptable, and Microsoft must resolve these issues.
AFAIK the licence terms presented are not final, and I assume that Apache and Debian rejects the Sender-ID licence in its current form.
Secondly, Sendmail is working to support it. Will this mean that Sendmail will no longer be Open Source?
Lastly, I recall some recent post stating that many spam mails now produce valid sender ID. If spammers include valid sender ID's there is really not much use of this technology in the first place, why bother to addopt it?
I agree. Microsoft will almost certainly succeed to push Sender ID into the collective consciousness of users. They will demand it be used. And what's worse, Sendmail is in on it.
Sendmail Inc is fully behind SenderID. Check the MARID archive. On the very same day MS announced their terms, Sendmail announced support.
Anyway, as
another thread on slashdot points it, spammers may be the first to adopt it.
Is there any way one can actualy find out what Sender ID _is_, without increasing one's exposure to patent infringement lawsuits?
No, it would expose you to triple damages.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Don't beleive me? Read Micrsoft's own FAQ, [microsoft.com] question 15.
Many mail servers are under the GPL licence or similar licences. Those mail servers would be prohibited from adopting the standard. Any mail server which could and did adopt the standard (and thus Microsoft's poison pill) would then begin rejecting any mail from GPL (or similar) mail servers. The excluded mail servers, being unable to serve mail, would be exterminated.
You're clearly unable to comprehend the document that you've linked to, because the answer to Q15 says no such thing. In fact, it points to Q7 which says Microsoft believes it is possible for GPLed MTAs to support Sender-ID. Thanks for the link - I'm now completely reassured that the sky is not falling.
Debian has done the right thing and more power to them in that regard.
Perhaps I am not seeing all the possible pitfalls (in which case would you point them out), but wouldn't a response challenge type of system help much better with spam?
This would enable users be much more protective (and involved) about their mailboxes and what's allowed in there.
Would this silver bullet the spam problem? Most likely not at first, and definately not completely just because there are people who actually like to receive spam (believe it or not). But this at least will put users in charge of the mailbox who want to be in charge. And that's what i think is important anyways.
In the long run there is no way to get rid of spam because sending spam is almost free. Even 14-year old can do it, and as long as it is that easy it will be a problem and i don't believe a different or better protocol would make the problem dissapear.
But on the brighter note UK is sueing the websites who are responsible for spam and that's what i think initally needs to happen in US also, but watch, it will not (happen) because 'we can't hurt the business'.
I play Iclod.
Yep, MS is the equivalent of a terrorist organization. Anyone who uses their Sender ID will have to cut off mail from GPL mail-server software. They want to kill all GPL software. I hope Sender ID not only dies on the vine but that MS can be humiliated in the process.
If Microsoft hadn't done this, the broken, inflexible, and easily-exploited SPF would have spread around the world. (Well, it still technically could do so, but SPF tied itself to Microsoft, so folks would have to first extricate the SPF people from Microsoft.)
Yahoo's DomainKeys is only a marginally better solution.
A GPG-based system -- now *there's* the way to go.
May we never see th
SPF is well-defined, widely-deployed, and works great. Well, not against spam - most spammers use stolen zombie machines and don't bother forging the sender address. SPF does work quite well against worms & viruses. It has helped me cut down on my inbound malware bandwidth use tremendously.
I don't think it would be very hard to adapt SPF implementations so they also check the body From: header, as well as the envelope MAIL FROM sender. Maybe just check that the two match, and if they don't then add some sort of "may be forged" header. Not a very big deal. Let's ignore Microsoft and just do it.
Debian matters nothing. Let the zealots run old code and live happily. I cannot believe this is posted on the front page. I can see it now. Debian rejects breathing as not free. F**K Debian.
>A moment's pity, therefore. They may be rich. That does not make them either smart, or right.
I can't help but to laugh at this example of uninformed zealotry. Even if I weren't dubious about MS meriting any pity, this is rather like a 8 year old child patting itself on the back for outrunning a geriatric in a wheelchair.
OSS fits somewhere into MS's problems, but is hardly the dominant factor. Aside from OSS, their primary problems right now stem from the the worldwide wave of anti-monopoly lawsuits, being crushed between the need to maintain compatibility with their insecure legacy interfaces and the need to leave them behind to catch up on security, their poor public image caused by bugs on one front and the failed Sofware Assurance licensing program on the other, and last but hardly least, lack of new markets/product offering categories to expand into.
Come back and proclaim victory when MS is bankrupt and combined revenues for Linux and OSS support/products (i.e. IBM's non-Linux/OSS divisions don't count) approach that of the proprietary software world. The former may be inevitable, but, unless the OSS world changes radically, I'd give long odds against the latter occurring anytime soon.
Rejecting SenderID is a wise move on the part of Debian and Apache. Just because Microsoft has a warm and fuzzy document that says you can use SenderID for free doesn't mean it will stay that way forever, and doesn't detract from the fact that it's PATENTED TECHNOLOGY. I feel that Microsoft would have no qualms about using this Trojan horse to rain down hate on any OSS project it perceived as a competitor to one of their technologies by leveraging their adaptation of SenderID.
All it would take is for Microsoft to have an insane SCO moment. All they'd have to do is say the magic words - "You are using our PATENTED INTELLECTUAL PROPERTY. As such, you will agree with these new terms or we will erase you out of existance." Of course, in that event the said OSS project could simply remove the technology, but then the question begs to be asked, "Then why put it in to begin with?" I'm sure this is the very question Debian and Apache asked themselves.
-R
What version of firefox to you need for this? It doesn't work at all in 0.9.3.
Doh I feel like an idiot... of course it's just a joke (of course it doesn't work because you've just gone to another page! Doh!).
Fell for that one completely.
Now for the real question - is it possible to write something like this? Perhaps as a squid extension?
It works fine for me on 0.9.1, but it shouldn't be version-dependent as it's pure Javascript.
And no, it's not a joke. What's the exact problem you're having?
Karma: Segmentation fault (tried to dereference a null post)
I don't think the parent posted said OSS was a "problem" for Microsoft. Read the post again and try to avoid words like "zealot" because they make you look stupid.
There have been a lot of complaints (lately, not so lately) about comapnies like MS taking over the computer world with patents. So, here is an idea: Why don't we fight patents with patents? We (the OSS community) should go patent every fscking thing we can think of and release the patents into the public domain. Even stupid things like "organizing photos based on time". Nothing is too small to be free.
This may get modded down, but I am slightly serious.
You and your silly schemes