
Re: negative vote for maintainer Michael Gilbert

2012/1/6 Russ Allbery <rra@debian.org>:

> djbdns isn't unmaintained.  There's a disagreement between the package
> maintainer and the security team over whether it should be in a Debian
> release, since the package has a security weakness (which is inherently
> unfixable in all implementations of the DNS protocol, but which can be
> hardened against slightly in a way that the upstream for djbdns is not
> interested in doing).

Some security experts claim it cannot be hardened without:

a) a major efficiency penalty (efficiency is essential for my purposes) [0]
b) creating more security problems [1][2]

As dnscache in the Debian package is not configured to run out
of the box, the security team effectively prohibits the community
from using absolutely free, safe and efficient software, as
there are no exploits available when you configure it on the
loopback interface or for hosts you trust, e.g. for your
cloud of services.


[0] http://marc.info/?l=djbdns&m=124047690620137&w=1 and next messages
in that thread
[1] http://www.ntia.doc.gov/dns/comments/comment027.pdf
[2] http://cr.yp.to/djbdns/forgery.html
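The message above argues that a dnscache bound to the loopback interface, or restricted to trusted client prefixes, is not exposed to the forgery weakness. The following script is an added example (it is not part of the original message, of djbdns, or of the Debian package) that audits a dnscache service directory for exactly that deployment. It assumes the standard dnscache-conf layout: env/IP holds the listen address and root/ip/ holds one empty file per allowed client prefix, matched at octet boundaries (a client 1.2.3.4 is accepted if any of root/ip/1.2.3.4, 1.2.3, 1.2 or 1 exists). The cutoff that treats a single-octet prefix (a whole /8) as "too broad" is an assumption made for this example, not a dnscache rule. The sample service directories are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example: audit dnscache service directories for the
# "loopback only / trusted hosts only" deployment. Not djbdns code.
#
# Assumed dnscache-conf layout:
#   $DIR/env/IP             address dnscache listens on
#   $DIR/root/ip/<prefix>   empty file per allowed client prefix (octet-aligned)

# dnscache_exposure DIR
#   exit 0: listens on loopback, or off loopback with only host or
#           multi-octet client prefixes (the "hosts you trust" case)
#   exit 1: reachable more widely (a single-octet prefix, i.e. a whole /8)
#   exit 2: DIR does not look like a dnscache service directory
# The "single octet is too broad" cutoff is this example's assumption.
dnscache_exposure() {
  dir=$1
  [ -f "$dir/env/IP" ] || { echo "$dir: no env/IP, not a dnscache service dir"; return 2; }
  listen=$(cat "$dir/env/IP")
  case $listen in
    127.*) echo "$dir: listens on $listen (loopback only)"; return 0 ;;
  esac
  broad=0
  count=0
  for f in "$dir/root/ip"/*; do
    [ -e "$f" ] || continue            # unmatched glob leaves the literal pattern
    count=$((count + 1))
    prefix=${f##*/}
    case $prefix in
      *.*.*.*) echo "$dir: allows single host $prefix" ;;
      *.*)     echo "$dir: allows clients matching $prefix.*" ;;
      *)       echo "$dir: allows an entire /8 ($prefix.*), too broad"; broad=1 ;;
    esac
  done
  if [ "$count" -eq 0 ]; then
    # dnscache refuses every client when root/ip is empty: not exposed,
    # but almost certainly not what the operator intended either.
    echo "$dir: listens on $listen with no root/ip entries (answers nobody)"
  fi
  return $broad
}

# make_sample_dir DIR LISTEN_IP [PREFIX...]
#   builds a constructed sample service directory for the demo below.
make_sample_dir() {
  dir=$1; shift
  mkdir -p "$dir/env" "$dir/root/ip"
  printf '%s\n' "$1" > "$dir/env/IP"; shift
  for p in "$@"; do : > "$dir/root/ip/$p"; done
}

# Demo on three constructed layouts: loopback-only, a trusted "cloud" of
# hosts, and an instance that lets in all of 10.0.0.0/8.
tmp=$(mktemp -d)
make_sample_dir "$tmp/loopback" 127.0.0.1 127.0.0.1
make_sample_dir "$tmp/cloud"    10.1.2.3  10.1.2 10.1.3.7
make_sample_dir "$tmp/open"     10.1.2.3  10
for d in loopback cloud open; do
  dnscache_exposure "$tmp/$d"
  echo "  -> exit $?"
done
rm -rf "$tmp"
```

Run it against a real instance with `dnscache_exposure /etc/dnscache` (or wherever the service directory lives); a non-zero exit from the audit is the signal that the instance is reachable from more than loopback or an explicit host list.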
