
Daniel Bernstein: ten years of qmail security

Posted Nov 4, 2007 23:16 UTC (Sun) by job (guest, #670)
Parent article: Daniel Bernstein: ten years of qmail security

If you look at the slides for the talk there are two interesting bits of information there.

  1. Bernstein raised the security bounty to $1000.
  2. qmail is now released to the public domain.

That last bit is extra interesting to all of us running his software as the license is what leads to the strange build process and patch collecting so closely associated with administrating qmail.

There is nothing official on the qmail page yet, but perhaps we might see it soon?



"public domain" software

Posted Nov 5, 2007 3:42 UTC (Mon) by dmarti (subscriber, #11625) [Link] (3 responses)

Details on "public domain" as a software license: Why the Public Domain Isn’t a License (PDF) by Lawrence Rosen.

"public domain" software

Posted Nov 5, 2007 12:24 UTC (Mon) by epa (subscriber, #39769) [Link] (1 responses)

Lawrence Rosen first says that you cannot release a work into the public domain, and then
seems to contradict himself by saying you can do just that by writing a statement 'I hereby
give it away to anyone who wants it for any purpose whatsoever.'  Surely if you can say that
you can equally well say 'this work can be treated as if it were in the public domain'.  And
if it looks like a duck and quacks like a duck... a work which has no copyright restrictions
(either because they have expired with age, or been explicitly waived by the author) is indeed
in the public domain.

He makes a good point that promises are not enforceable (unlike contracts) and can be
withdrawn.  But if you accept that logic, then no free software licence can be relied on,
since they (almost) all claim to be licences and not contracts; there is no consideration you
pay in return for the right to copy the software.  I think there may be some confusion between
a promise of a gift (which can be withdrawn at any time) and a gift itself (which obviously
cannot; I can't give you a bicycle and then a week later steal it back with impunity).

He says, don't accept gifts of software assuming they are in the public domain.  Of course
not.  You need an explicit statement from the software's author saying that it is his express
wish that the software be treated as public domain.  If you have that, it should be
unambiguous enough even for lawyers to understand.

The FSF in <http://www.fsf.org/licensing/licenses/gpl-faq.html> say that it is possible to
disclaim copyright on a work and so place it in the public domain.  Presumably their legal
counsel has checked that page.  So you must decide which lawyer to believe.  For now I'm going
to side with common sense and assume that if djb or anyone else tells you he has released his
work into the public domain, you can take him at his word.

"public domain" software

Posted Nov 5, 2007 20:01 UTC (Mon) by charlieb (guest, #23340) [Link]

> For now I'm going to side with common sense and assume that
> if djb or anyone else tells you he has released his
> work into the public domain, you can take him at his word.

You could also read his views on exactly that subject:

http://cr.yp.to/publicdomain.html

FUD we can manage better without

Posted Nov 6, 2007 10:58 UTC (Tue) by copsewood (subscriber, #199) [Link]

Unless there are any legal precedents of relevance to the contrary, my own view (IANAL) is
that the idea, that someone can sue someone else who has placed source code into the public
domain for damage caused by it, is FUD without practical foundation. Anyone using public
domain software source code for a potentially damaging purpose could reasonably be expected to
have what it does examined by an expert in order to confirm its suitability before using it
for such an application. You might as well try to sue someone else for a published idea or
research which you misapplied and which went wrong when you did so; this course of action
would also not get the litigant anywhere in the courts.

I can imagine an exception if source code for a trojan was placed in the public domain,
particularly if the source features making this program a trojan were obscure, and good
evidence existed that the author intentionally and/or maliciously included these hidden and
potentially damaging features. But I don't think applying a free software license to such code
would protect the author of it from similar litigation under these circumstances either, as
any disclaimers in this license would be considered moot.

Personally I don't think spreading the FUD that releasing well-intentioned software into the
public domain can make the author liable will attract any programmer or decision-maker to
apply free software licenses to code who otherwise wouldn't, though it might turn some people
off free software altogether.

Qmail in public domain

Posted Nov 6, 2007 0:53 UTC (Tue) by ncm (guest, #165) [Link]

If qmail is now in the public domain, that's good news: it means we can sue Bernstein for
qmail flooding our mailboxes with bounce messages, or for otherwise annoying us.

Seriously, the reason for not putting software into the public domain is that (as I understand
it) only a license gives you the power to make users of the software assume liability for
problems caused by running the code.  If you don't make the license to copy contingent on them
accepting liability, then people harmed by the software can come after *you*.  Of course they
might anyway, and if the person who copied the code has no money, a judge might allow it --
except of course *you* have no money either, right?  If you *do* have money, you're supposed
to hire a fixer to arrange that they sue somebody else instead.

(I am not a lawyer.  The above might just be superstition.)

Daniel Bernstein: ten years of qmail security

Posted Nov 6, 2007 18:40 UTC (Tue) by rickmoen (subscriber, #6943) [Link]

(The current paper, once again, compares qmail only with sendmail. How quaint.)

The licensing pronouncement is of course welcome news for qmail users, and Russ Nelson & company have announced that netqmail 1.06 will be produced soon, to add (relative to the aging 1.05 initial release) a pair of much-needed patches. My commendations to that group, as always.

Dan is of course quite correct that it's a settled principle of law that property can be abandoned. The problem that practice can create is that of predicting resulting effect in various legal jurisdictions. Can it be claimed, and title assumed, by a subsequent "finder"? Can the original owner reclaim it? The original owner's heirs? Might it not, in some jurisdictions, become regarded as the property of the state (as is true in some places for abandoned automobiles, ships, and aircraft)?

Dan, in his words, would not be silly enough to go in front of a judge to reassert his title after explicitly abandoning it, but can he guarantee that isn't true of his heirs?

Different places have differing abandoned property and escheat laws: The effect of a public domain declaration may differ widely between countries.

It's an interesting and subtle area of law -- which is generally precisely what one doesn't want to be true of one's software licensing.

(My own modest compendium of people's writings on the subject: "Public Domain" on http://linuxmafia.com/kb/Licensing_and_Law/)

Rick Moen
rick@linuxmafia.com

