kremlyn
November 13th, 2002, 02:23
No doubt some of you have heard of the latest exploit for BIND. OpenBSD is affected, however, given that it's not turned on by default and chrooted, the damage is contained.

This leads me to an interesting topic.

How long will the OpenBSD core team continue to consider chroots and default-disabled services as pertinent to the project's stated goals?

Surely turning services off and localising the damage when exploited isn't good enough for a secure OS like OpenBSD.

The alternatives are there:

postfix as a replacement for sendmail
djbdns as a replacement for bind

The only problem here is that DJB's software (qmail and djbdns) cannot be patched by third parties (which is why I note postfix there, instead of qmail).

The core team has shown, through the ipf/pf and ssh/openssh examples, that it has the balls to take the necessary steps and back them up with results. Is it time they set the standard again?

Any opinions on this?

//kremlyn

elmore
November 13th, 2002, 02:35
I'm all in for postfix. I'm a big fan. As for djbdns I've never run it. What about tinydns?

elmore
November 13th, 2002, 03:21
One of the first things I do on every OBSD box I install is to rip out sendmail and install postfix. Just thought I'd add that.

I just don't know that this is going to happen though; sendmail and bind are big standards. Perhaps an install option might be more likely to happen.