Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 23, 2013
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
> So any benefits inherent in the codebase would seem a bit moot, no?
No. The only benefits which would be moot would be those which reside only in qmail-smtpd.
Logic 101, no?
qmail doesn't *need* any patches
Posted Nov 4, 2007 5:30 UTC (Sun) by CyberDog (guest, #29668)
The "benefit" alluded to here was djb's secure codebase. As soon as your arrangement requires
[original codebase] + [random 3rd party codebase(s) tacked on], the security of the final
product becomes only as secure as the weaker of the two (or three or more) codebases. It
could even be argued that a product which incorporates all the required features into a single
codebase, if written by even moderately competent programmers, could be less risky than
merging multiple products into one.
Posted Nov 4, 2007 14:04 UTC (Sun) by alankila (subscriber, #47141)
Interestingly, djb's paper talks about maintaining security expectations even in the face of
having to run untrusted, random codebases as part of secure application.
The basic idea is compartmentalization: for each component (especially those from a third
party) you should clearly define the input, the output, and set up access and resources
restrictions in which the component must operate. Finally, after it does its job, you
shouldn't trust it but do some validation to check the sanity of the result.
For instance, if the purpose of the component were to extract recipient address of the email,
then the component can only read the email, produce one string as response, not access
anything outside that email and have to run in limited time and memory. Once something comes
out, it must look like an email, for instance match the famous rfc822 pattern.
To achieve this, one might have to run untrusted components under a virtual machine and/or use
the operating system's primitives to constraint cpu, memory, available system calls, etc. I'm
not sure how well Linux can do these things, but the basic idea is that it should be possible
to run even completely random code safely provided that these relatively simple constraints
are worked out first.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds