So what, people going to start forcibly inserting Win98Lite CDs into my shopping bags? Installing Linux on my computer when I step away?
Oh, man. You have no idea how many times I've dreamed of doing the latter. Users would suddenly have had a system that actually worked. If we could nuke the MPAA head offices then we'd.....
Uh yeah. I guess that that's the kind of vigilante action you're talking about, isn't it... --
This can definitely be called monopolist tying if they are using their market force to pressure OEMs into 'buying' the free year of MSN with every machine. This is much like the Microsoft situation:
You buy the machine, you get the service for free AND it is conspicuous on the desktop. If you want anything else, you don't just have to pay for it -- you have to hunt it down, and install it.
If you use their service for a year, by the time you have to renew, you have a choice of learning new software (and possibly losing easy access to your old email and email addresses, etc.) or just paying the piper and getting on with life.
Most newbies are just going to stay with Microsoft.
And if you do something silly like installing Linux on your box, they'll have to get a new email address to use under Linux (another tie-down to Linux). --
They said the same thing about Hitler -- Chamberlain's "We shall have peace in our time!" et al. Granted, Microsoft isn't planning to gas whole sections of society (we hope), but they are starting from a position of (monopolistic) strength and attempting to (in some cases) belligerently claim new territory as their own. Sometimes they did it on the pretense that it was always theirs by right -- they just hadn't bothered to do much about it previously.
Sometimes they are acknowledging that other people own the territory now. You can try and stop us, if you want, they may imply, but you'll lose the war.
--
And what admin in the middle of a huge crash cares about the pretty path the packets take? They want to know which router is down, but they don't care about its ICBM address (unless the problem is really bad.)
If an ICBM is about to crash on you, the problem is pretty bad. --
> > DEC was renowned for nothing so much as their inability to market good products.
>
> Uh, I thought that company was IBM? ;-)
Actually IBM used to be able to market even bad products. Like Microsoft, they relied on their market dominance. Unfortunately for them, their dominance is only in the mainframe world. That's also the reason why the IBM PC became all the rage, as one friend of mine said at the time:
It's got 3 things going for it... 'I', 'B' and 'M'.
In truth, the IBM PC had little to go for it other than IBM's marketing muscle in the computer world. The 8086/8088 was essentially an 8085/Z80 with extra registers and hardware bank-switching. It was chosen (I think) because the architecture was so crippled that it was unlikely to become a threat to IBM's System/370 line of mainframe boxes.
Yet it managed to become 'the industry standard'. Such is life. --
Maybe this would be a good way to power emergency-use-only cell phones? Crank it up to dial 911.
In the very early days of the phone, people had to crank their phones up to get hold of the operator (similar idea, but lower tech, generator technology).
Looks like we're within spitting distance of going full circle on this.... --
The minimum terms of such license shall grant the University the right to use the original work in its internally administered programs of teaching, research, and public service on a perpetual, royalty-free, non-exclusive basis.
The GPL allows the University to use the original code as stated... I don't see where the terms of the GPL are in contrast to this requirement. The fact that the GPL goes beyond what the university wants isn't a problem. Even if it was, the GPL (as many other people have noted) does NOT restrict the original copyright holder from releasing the code under another license.... and the University license is NOT exclusive, so it should not restrict the student from releasing the code to other people under the GPL (or any other license that (s)he chooses). --
GPL rules generally require that you acknowledge the original copyright holder. It is NOT public domain. If you don't submit your assignment with an acknowledgment of the original copyright, you are in VIOLATION of the GPL.
If your instructor reads the copyright and doesn't mind that the original was written by someone else, it's not plagiarism -- it's research.
--
Whoever marked this a troll didn't pay attention in English class. Shakespeare is reasonably well known to have lifted his plots from other stories -- be it Hamlet or Romeo and Juliet.
I'm sure that someone who knows more of English history can give you a list of which Shakespeare story came from which source. (English was never my strong point.) In any case, he was right on the point about this, and I would have made a similar comment if he hadn't first. --
For people doing proprietary work, there is nothing wrong with proprietary licenses -- as long as you don't expect to make use of GPLed code in your proprietary application.
Similarly: If you're working on a GPL project, incorporating non-GPL code (and especially proprietary code) can be very problematic.
For people who like GPLed code, the coming over of a piece of software to the GPL side of the force can be something to celebrate. It means that they have one more tool that they can work freely with.
Where GPL people are likely to get flame-festy is where people are doing proprietary work, and complaining about how GPLed resources want to 'steal their code'. What's actually happening is that the proprietary user wants to "steal" the GPL'ed code -- which is to say that (s)he is not willing to pay the price of the GPL: freedom for the resulting code.
--
I think that their point is that the bogus reports contributed to horrible service. When employees are responding to bogus errors they are not available to support customers with 'real' problems, or to do installs which they might otherwise be doing. Over time, a constant stream of bogus reports can make the difference between a slow time and an outrageously long response time.
The nasty thing is that, because Covad managed to get regulatory relief against Verizon because of the complaints, Verizon couldn't afford to just blow off the multiple bogus complaints from Covad. They had to allocate resources to Covad that would otherwise go to legitimate customer complaints.
This could also affect the kind of response that non-Covad customers got from Verizon. If Verizon employees got used to the fact that 2/3 of the complaints that they had to handle weren't legitimate complaints, then ALL customers could start getting a "Oh yea, you think it's broken, do you? Just what did you do to it this time?" response from Verizon support techies. --
Just because the domain is controlled by people who work at VA-Linux doesn't mean that the company itself is doing the things you feel are so nasty.
I have domain names of my own, and I've registered a domain for my boss -- Even though I did it through a work machine they were our Private domains, paid for with our money. If somebody tried to confuse my personal domain and the stuff I did with it and the work of my company, I would have told them to go get a brain.
Now, I'm not saying that VA does NOT control system12. I'm just saying that the guilt by association thing doesn't quite cut it as proof for me.
--
Unclassified doesn't mean unimportant. Your computer is unclassified, but I'm sure that I could get a whole lot of 'interesting' data about you, and your job, by looking at the data on your hard drive.
Remember that these are 'unclassified' machines and they feel that the risk of 'only' overwriting them is fine. They're still destroying drives from classified machines. --
Back in the early '80s someone posted a note explaining that when the NSA/CIA tested disk drives, they had a prescribed method for the vendor to overwrite the drive before it could be passed on for other uses.
Most vendors found it easier to just melt down the drives.
Remember that these were mainframe hard drives, in the early '80s, that probably cost in the range of thousands of dollars each (retail).
--
Well if it's so cheap, the school should be happy to pay $20-$50 for a used drive to make a free computer usable. It's a far more justifiable expense for the school receiving the drive than it is for a government department that is going to be giving (thousands of) machines away as a (free) goodwill gesture. --
The intent of destroying the hard drives was to prevent sensitive (though technically unclassified) information ending up in the hands of someone who might have some fun with it (including an inquisitive High School student who finds data and decides to sell it to his druggie friends who.....).
Please consider, as well, that calling it a 'preventive measure' is probably a euphemism for "somebody found some useful information on a hard drive we gave away and three informants died as a result -- but we're not going to acknowledge that that's the real problem because it might end up in the whole program being trashed."
You have to look at this from the (probably non-technical) bureaucrat's point of view. Once the drive is destroyed, the problem is solved. Paying good money to buy hundreds (thousands?) of brand new hard disks that you're going to give away is a waste of funds that you can always find someone in your organization clamoring for to help hunt down the latest killer. (Remember that this initiative probably made it past the bigwigs based on the promise that it would cost the department next to nothing, while providing good PR.) Providing new drives with every outgoing machine would probably increase the up-front cost of the program by an order of magnitude.
(The scary thing is that the 'destruction' probably consisted of tossing the drive in the garbage, where any spook would be happy to dumpster dive and retrieve all of this data from one place.) --
We're talking cheap and fast. That $40 CDN gets me 1.5 megabit down and .5 megabit up -- and I have almost NO bandwidth limitation at the Canadian end. If the site I'm pulling from isn't heavily loaded, I can almost always get full bandwidth on downloads.
For $160 CDN/month ($110 US) I'd get 5 static IPs, and 4 meg/1.5 meg. Given that it's well provisioned bandwidth, it's almost as good as a colocate. I have a friend who ran a decent sized commercial web site out of his home on the $160 plan -- he needed the static IPs for SSL. Unless you're running a porn server, or a Red Hat mirror, 1.5 megabit is good for most small sites.
--
My guess is that Mosaic was done as a graduate project of some sort. If so, they would not have lost the rights to use their code. Even if it wasn't there are various conditions under which they would have retained legal (if not moral) right to use the code that they wrote. --
"The only thing we have a problem with is when the government funds GPL'd work. Government funding should be for work that is available to everybody."
If the intent is to have all government funded work be available to anybody, then I could accept the premise -- this would, of course, mean that the government should NOT fund any closed source either. If this means that they should be dumping all of their MS-Windows software out the, uhhm, window, and go to BSD, then don't wait for me to cry.
The GPL is designed to ensure that future versions of a piece of software are available to the public, not just current versions. The L-GPL does this as well, while being somewhat less viral. The BSD and some other 'open source' licenses do not.
Microsoft's 'available to the public' really means 'able to be absconded with and made unavailable to the public'. Microsoft's approach to this actually brings into the open what has been whispered about them many times in the past -- Microsoft's most common method of 'innovation' is to appropriate somebody else's code, call it their own, and work from that base. GPL code is available to Microsoft. It's just not available for Microsoft to steal.
--
For me, the idea of paying taxes for government-funded work that I end up being forced to pay to just use is far more galling than paying taxes for government-funded work that I'm not allowed to appropriate because it's got a GPL protecting its public nature. --
Microsoft likes to appropriate other peoples' code, use it as their own and call this "innovation". Often, the way that they will do this is go to a company, and offer them a 'deal with the devil' that seems almost impossible to pass up, but then turns out to be a pig in a poke with some weird escape clause that Microsoft had always intended to exploit. This was the case for MS-DOS 1.0 and (according to other postings) is similar to what they did with MSIE/Mosaic (offer a % of sales (it's gonna be massive!), and then give it away for free -- as a loss leader).
The GPL doesn't allow this. The price is simple -- derivative software remains open. Companies that aren't willing to pay the price are free to (attempt to) negotiate a different price. They can also attempt to void the GPL, but that would require a PR war first.
Hmm....
Now I'm not saying that Microsoft is necessarily out to have the GPL voided (but I wouldn't be the only one to make the suggestion). I'm saying that it's worthwhile for us to be aware of the possibility. Among other things, we should make it very clear that stealing somebody else's code is not innovation. --
A number of years ago, a friend of mine (Curt) got his own (personal) routable class C subnet assigned to him (it was something of an 'oh hell, why not' kind of thing). Nowadays, for a company to get a class C range takes a good bit of work. As was said -- now it's usually borrowed from their ISP.
Just this weekend a friend of mine (John) mentioned that his co-location provider was charging $4/year per IP address. Not much, on the surface, but this means that the class C that Curt got permanently assigned for free a decade ago would cost John $1K/year now.
In 1992, the University of British Columbia department of Computer Science got its own class "B" range assigned (UBC, generally, already had at least one "B" range assigned to it). This was for a network of, maybe, 400 machines. I challenge you to find me someone who's been assigned a class B in the last few years for as few as 1000 machines. In some cases, a 1000 machine network might only get one or two class 'B' blocks and be expected to NAT most of their machines through a firewall. "I mean, you don't really need all of those addresses, do you?"
So, yeah, I do think that IP addresses are getting scarcer these days. --
You'd be surprised at the difference that 'intelligence' can make in some shoot-em-up games. I can turn the tide of a 'tribes' session by laying a network of pulse sensors. A couple of well-placed cameras can do a lot of good too.
Most players don't understand that, but some actually know enough to repair destroyed pulse sensors and destroy enemy units.
Sometimes, I'll do a suicide run into an enemy-controlled zone just to figure out how their defences are set up -- then attack appropriately on respawn (one of the values of infinite lives).
Team Fortress has a spy character that can be used for intelligence gathering. Some people just use it to backstab. Others use it to full potential. Some Tribes mods (Renegades comes to mind) also have spy characters. Just because you don't use a capability doesn't mean it doesn't exist.
It's far easier to stop an enemy if you know where they are/what they're doing. Ignore that point at your own peril. --
I think we need to differentiate here. Qmail does not have any known security holes (at least -- none that can't be pawned off on the OS). This is different than saying that it doesn't have bugs.
The most obvious bug of qmail is that it's dependent on running as a specific UID (and that UID is based on various user NAMES when you compiled the binary). If you get a version that works and ship off a copy of the binary to a friend, it's going to BREAK unless the qmail users have the same UIDs as they did on my machine.
Can you understand how that is going to get in the way of Red Hat distributing a binary qmail RPM? If my system has users whose UIDs conflict with qmail, I'd have 3 choices (I can't count):
- Install qmail with the same UID as the 'live' users and hope that those users can be trusted to not fvck with qmail.
- Change the UIDs of any user conflicting with qmail UIDs, and deal with the bitching that causes -- especially if we have a heavily networked filesystem.
- Install the C compiler and compile a "fixed" qmail.
- Use Sendmail (or exim or ....)
Red Hat chose #4.
--
I'd love to see someone develop a truly open-source replacement to qmail. It would make life so much easier. One nice thing about qmail is that it is built modularly, so it would be possible to replace it bit by bit. No need for a monolithic replacement like for Sendmail.
Great -- qmail has no holes. Unfortunately, it is A PIG to set up, install, test etc. It may not have security holes, but it does have its strangenesses. If you fix that strangeness, you cannot distribute the fixed binaries. You have to distribute the broken binaries, or you distribute the sources and the patches to the sources (separately) and pretty much force people to build the fixed version themselves.
That's what the Redhat RPM of Qmail does... (it has to... The UID of the qmail user is compiled into the binary.... That's one of the things that's wrong with Qmail -- but it's not a security hole, so he doesn't have to fix it, or pay out his bounty for it.)
OH, you don't have a compiler? Too bad. You can always use the broken version, just reserve UIDs 404 ~ 410 for qmail. OH. You already have users at those UIDs? Just move them.
A Bison Armoured Personnel Carrier doesn't have any holes either (well, OK, one -- but it's not easy to exploit) but you don't see many people driving them around. The truth is that some people care about more than just security.
That having been said, I believe the concept behind the basic design of qmail is wonderful -- and much more in keeping with the philosophy behind Unix than the monolithic Sendmail. Write small programs that connect to each other in a modular way and don't necessarily trust each other... If you want different functionality, you simply replace one of the modules (or add an option). Qmail does this. It does it nicely. That has probably done more to keep it alive than its security.
I'm just finishing an install of Qmail on a machine. My biggest complaint is that building it is like putting together a jigsaw puzzle. You get the DJB original sources. You merge in the 'standard' patches (which he will never merge into his sources [or hasn't in the last 3 years]). Then you add in the other pieces that you want and pray that they work together the way that they have for other people.
It's a nasty nit-picking job. It's a good bit easier if you can get away with the virgin DJB sources, but the truth is that many people can't. Unfortunately, nobody has the right to distribute an improved version other than DJB himself and he's simply not willing.
For me, it feels like having an MS binary with the source code encased in a plexiglass case. The most you can really use the source code for is to prod it to figure out why the binaries aren't working the way you want them to (then figure out a workaround that doesn't involve changing the source code).
--
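The compiled-in UID problem the qmail comments above describe, as an added example that is not from the original posts or from qmail itself: a pre-install check that compares the UIDs a prebuilt binary expects against the target host's passwd file, beside the portable alternative of carrying account names and resolving them at start-up. The qmail account names are the standard ones; the name-to-UID table and the sample passwd file are constructed from the 404-410 range the posts mention.

```python
"""Pre-install check for a prebuilt qmail binary that carries compiled-in UIDs.

Added example (not qmail's own code): qmail resolves its service accounts
at build time, so a binary built on one host expects the same UIDs on the
next host. check_baked_uids() tells you, before you drop such a binary on
a machine, whether that expectation holds; resolve_uids_by_name() shows
the portable alternative of carrying names and resolving them at start-up.
"""

# qmail's standard service accounts. The UID assignment below is
# CONSTRUCTED from the 404-410 range mentioned in the posts; a real
# binary carries whatever UIDs the build host happened to have.
BAKED_UIDS = {
    "alias": 404, "qmaild": 405, "qmaill": 406, "qmailp": 407,
    "qmailq": 408, "qmailr": 409, "qmails": 410,
}

# Constructed target-host passwd file: qmails was created at 411 here,
# and an ordinary user (bob) already owns 410.
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alias:x:404:401:qmail alias:/var/qmail/alias:/bin/false
qmaild:x:405:401::/var/qmail:/bin/false
qmaill:x:406:401::/var/qmail:/bin/false
qmailp:x:407:401::/var/qmail:/bin/false
qmailq:x:408:400::/var/qmail:/bin/false
qmailr:x:409:400::/var/qmail:/bin/false
qmails:x:411:400::/var/qmail:/bin/false
bob:x:410:100:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text):
    """Return {username: uid} from passwd(5)-style lines; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[0]:
            continue
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def check_baked_uids(passwd_text, baked=BAKED_UIDS):
    """Compare what a prebuilt binary expects against the target's passwd file.

    Returns a dict with:
      missing  - expected qmail accounts absent from the target
      mismatch - (name, expected_uid, actual_uid) for accounts at another UID
      occupied - (uid, other_user) where a non-qmail account holds a UID the
                 binary will run as (the 'live users with the same UID' case:
                 that user could then tamper with qmail's queue and files)
      verdict  - 'ok' if the binary can be dropped in, else 'rebuild'
    """
    users = parse_passwd(passwd_text)
    by_uid = {}
    for name, uid in users.items():
        by_uid.setdefault(uid, []).append(name)

    missing, mismatch, occupied = [], [], set()
    for name, uid in baked.items():
        if name not in users:
            missing.append(name)
        elif users[name] != uid:
            mismatch.append((name, uid, users[name]))
        # Any non-qmail account sitting on a baked-in UID shares qmail's privileges.
        for other in by_uid.get(uid, []):
            if other not in baked:
                occupied.add((uid, other))
    verdict = "ok" if not (missing or mismatch or occupied) else "rebuild"
    return {"missing": missing, "mismatch": mismatch,
            "occupied": sorted(occupied), "verdict": verdict}


def resolve_uids_by_name(passwd_text, names=tuple(BAKED_UIDS)):
    """The portable alternative: the binary carries account NAMES and looks
    the UIDs up on the target at start-up (what getpwnam(3) does). The only
    thing that can now break when the binary moves is a missing account,
    which surfaces as a KeyError naming it instead of the daemon silently
    running as whoever owns the baked-in number."""
    users = parse_passwd(passwd_text)
    return {name: users[name] for name in names}


if __name__ == "__main__":
    report = check_baked_uids(CONSTRUCTED_PASSWD)
    for key in ("missing", "mismatch", "occupied", "verdict"):
        print(f"{key:9}: {report[key]}")
```

On the constructed host the check reports qmails at the wrong UID and bob occupying 410, so the verdict is 'rebuild'; fixing either problem alone still leaves it there.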
Note, however, that he didn't bother to raise his wisdom score....
--