[HN Gopher] How to Write Software with Zero bugs - 25 years afte...
___________________________________________________________________
How to Write Software with Zero bugs - 25 years after qmail 1.0 -
D. Bernstein [pdf]
Author : bykhun
Score : 13 points
Date : 2023-08-22 20:48 UTC (2 hours ago)
(HTM) web link (cr.yp.to)
(TXT) w3m dump (cr.yp.to)
| kens wrote:
| The title of the actual paper is "Some thoughts on security after
| ten years of qmail 1.0". The post currently has the made-up title
| "How to Write Software with Zero bugs - 25 years after qmail 1.0
| - D. Bernstein [pdf]".
| daneel_w wrote:
| Does anyone know how qmail has fared since this PDF was written
| in 2007? Did it make it to 2023 without any bugs surfacing?
| troutwine wrote:
| It didn't make the transition to 64 bits worth of memory with
| the record intact. https://lwn.net/Articles/820969/ Although
| the CVE _is_ from 2005 so perhaps it doesn't count.
| commandersaki wrote:
| https://lwn.net/Articles/820969/
| hdmoore wrote:
| Erm, qmail had lots of bugs[1] when compiled for 64-bit
| processors (lots of integer overflows), but djb pushed back and
| said 64-bit wasn't supported. If anything, qmail is known as the
| most annoying MTA to package, since no modifications to the
| source are permitted, and the application has to be built using a
| massive patch tree instead. The quirky management daemons
| required to run qmail were also obnoxious and at odds with
| everything else on the system.
|
| Salient quote below:
|
| >In May 2005, Georgi Guninski published "64 bit qmail fun", three
| vulnerabilities in qmail (CVE-2005-1513, CVE-2005-1514,
| CVE-2005-1515):
|
| [snip]
|
| >Surprisingly, we re-discovered these vulnerabilities during a
| recent qmail audit; they have never been fixed because, as stated
| by qmail's author Daniel J. Bernstein (in
| https://cr.yp.to/qmail/guarantee.html):
|
| >>"This claim is denied. Nobody gives gigabytes of memory to each
| qmail-smtpd process, so there is no problem with qmail's
| assumption that allocated array lengths fit comfortably into 32
| bits."
|
| 1. https://www.qualys.com/2020/05/19/cve-2005-1513/remote-
| code-...
|
| edit: added quote from referenced url
| jiggawatts wrote:
| Reminds me of the era when dual-core processors started
| becoming generally available. Suddenly the bugs in multi-
| threaded software were much more apparent.
|
| Vendors replied to complaints with: "We don't support those
| processors".
|
| No buddy, you don't support _stable_ software. It's buggy even
| on a single core, it's just less obvious.
| tokamak-teapot wrote:
| I used to install qmail fairly often on different Unix-like
| systems. I remember the installation instructions clearly
| setting out the limits that should be set on its processes, and
| I remember following them.
|
| It sounds like the Debian packager didn't follow the
| instructions. That doesn't seem like the fault of the software.
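
Added example, not part of the thread and not qmail's code: a hypothetical growable buffer with 32-bit length fields, showing how the size computation wraps once lengths approach 2^32, next to a checked version that refuses. `wrap_reachable` models the per-process memory limit argument under the stated assumption that every counted byte is resident in memory; all names here are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte array with 32-bit length fields. */
struct buf { char *s; uint32_t len; uint32_t cap; };

/* Unchecked sizing: the sum is computed in 32 bits and wraps modulo 2^32. */
uint32_t needed_unchecked(uint32_t len, uint32_t n) {
    return len + n + 1;
}

/* Checked sizing: sum in 64 bits, refuse results that do not fit in 32. */
int needed_checked(uint32_t len, uint32_t n, uint32_t *out) {
    uint64_t want = (uint64_t)len + n + 1;
    if (want > UINT32_MAX) return 0;
    *out = (uint32_t)want;
    return 1;
}

/* Append n bytes plus a terminating NUL; returns 0 on refusal or OOM. */
int buf_append(struct buf *b, const char *src, uint32_t n) {
    uint32_t want;
    if (!needed_checked(b->len, n, &want)) return 0;
    if (want > b->cap) {
        char *p = realloc(b->s, want);
        if (!p) return 0;
        b->s = p; b->cap = want;
    }
    memcpy(b->s + b->len, src, n);
    b->len += n;
    b->s[b->len] = '\0';
    return 1;
}

/* Assumption: every counted byte is resident, so len + n <= the memory limit.
   Returns 1 if the 32-bit sum could wrap under that limit. */
int wrap_reachable(uint64_t limit_bytes) {
    return limit_bytes + 1 > UINT32_MAX;
}

int main(void) {
    printf("unchecked size for len=0xFFFFFFF0, n=32: %u\n",
           (unsigned)needed_unchecked(0xFFFFFFF0u, 32));
    printf("wrap reachable at 64 MiB: %d, at 8 GiB: %d\n",
           wrap_reachable(64ull << 20), wrap_reachable(8ull << 30));
    return 0;
}
```

The checked path fails closed regardless of how the process is configured, while the unchecked path is safe only as long as the memory limit holds.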
| latenightcoding wrote:
| Classic paper but what the hell is this title.
___________________________________________________________________
(page generated 2023-08-22 23:00 UTC)