
Re: tmda: Challenge-response is fundamentally broken



[ Please do not send me CC's, as I have not explicitly asked for them. ]

* Stephen Stafford

 > Sorry, but I do NOT see how this is a grave bug.  It's wishlist (at best).
 >
 > YOU might not agree that C-R systems are good (personally I detest them),
 > but that does NOT mean that we shouldn't release one.  If the package is in
 > good shape and functions as advertised, then it IS fit for release.  

  I do not have anything against C-R systems per se, and I do not care if
 others use them, or if we distribute them.  What I -do- have a problem
 with is that the C-R system in question ignores the fact that SMTP
 headers are trivially (and regularly) forged.  I believe this is deliberate,
 and that TMDA does not attempt to verify that the recipient of the
 challenge truly was the sender of the original e-mail.  (If it did, I
 would have no problem with it at all.)

  Therefore third-party users, who had nothing to do with the original
 sending of the mail, will receive unsolicited e-mail, and that even
 from a program which is designed to stop such junk.

 > Hey, how about if I decide that emacs is a huge bloated piece of shit?
 > Does that mean we shouldn't release it?
 >
 > Or if I decide that CUPS is rubbish and lprng is the One True Printer
 > Daemon?
 >
 > Or that Gnome is a steaming pimple on the arse of desktop managers?

  None of these are comparable - that one user installs Gnome on his
 system does not hurt you in any way.  You can simply ignore it and
 go on with your life.  You do not even have to know -- Gnome will not
 send you unsolicited junk mail, regardless of it being a 'steaming
 pimple' or no.

-- 
Tore Anderson


