"Of course, ``security hole in qmail'' does not include problems outside of qmail: for example, NFS security problems, TCP/IP security problems, DNS security problems, bugs in scripts run from .forward files, and operating system bugs generally. It's silly to blame a problem on qmail if the system was already vulnerable before qmail was installed!"
But, I think he can take great satisfaction in thinking of a potential hole that even djb didn't consider. That's pretty impressive (though less impressive since everybody was sitting around trying to think of places where a shell might be invoked in non-obvious ways...I spent half an hour talking to my co-founder and employee during our regular meeting trying to think of ways our users could be effected outside of the already discussed ways, and we spent quite a bit of time testing various theories; one of the vectors we discussed was procmail being called by Postfix).
Edit: And, just in case anyone was wondering, Wietse seems to have considered the environment variable problem, and took measures to prevent exploits in Postfix, so it does not seem to be exploitable by Shellshock, even when calling out to procmail.
Distributions couldn't distribute qmail in the past because the license agreement made it impossible (or at least required such stupid things that no one in their right mind would do so). Its license became public domain in 2007, and I suppose would allow distributors to do sane things with the packages, but Postfix had already supplanted Sendmail as the preferred MTA on Linux and nobody really cared about qmail...since qmail isn't demonstrably more secure than Postfix (and both are maintained by well-known and well-respected security researchers).
And, to be clear, most distributions no longer use Sendmail as the default. Postfix is the default on RHEL/CentOS/Scientific Linux. exim was the default in Debian for many many years, not sure if it still is. Postfix is the default on Ubuntu, I believe. I can't think of any distros for which sendmail is the default MTA.
Postfix has a marginally poorer security track record than qmail does, but Postfix is the saner default choice for normal users. Both of them are head and shoulders better than every other MTA.
I would argue that this is at least partly because Postfix has a larger surface area...it does more, and thus, should reasonably be expected to have had a few more run-ins with security problems. Unless things have changed a lot over the past several years, qmail isn't capable of even functioning in a number of modern email environments, without significant patching.
Once qmail has been patched up to modern MTA standards, it no longer has the pedigree of being built and maintained by djb. I don't know the people who maintain the huge patch sets for qmail...maybe they're good. I know Wietse is more than competent.
But, that may be what you're getting at with "Postfix is the saner default choice for normal users". We support all of them (Sendmail, Postfix, qmail, and exim) in Virtualmin to varying degrees, but we configure Postfix, by default, and very strongly encourage its use over the alternatives (mostly because we know Postfix so much better, and because so many more people use it). About 95% of our users stick with Postfix, though we do have some users of all of the others.
In fact, it's explicitly listed in the man page for qmail-command:
ENVIRONMENT VARIABLES
qmail-local supplies several useful environment variables to
command. WARNING: These environment variables are not
quoted. They may contain special characters. They are
under the control of a possibly malicious remote user.
edit: which is to say, yes, djb thought of it a long time ago.
Yes, this is not exploitable without vulnerable bash.
But to paraphrase from the thread:
However, qmail is not parsing mail from:<> and rcpt to:<> in accordance with RFC821/RFC2821. Almost anything is allowed between the <>. There is no reason that qmail should allow the string "() { :; }; nc -e /bin/bash localhost 7777" to ever pass through mail from:<> or rcpt to:<>, and thus into the environment, in the first place.
While the manpage does say what you pasted above, there's a difference between "may contain special characters" and "may contain anything the user puts in this part of the SMTP dialog".
The reason that bash has put security holes in your system, and qmail hasn't, is largely that bash goes around parsing random strings, and qmail doesn't. Strings you treat as opaque data are guaranteed not to overflow your parsing stacks (like the ten-redirect limit just discovered), have null-byte injection vulnerabilities, or even just be parsed incorrectly.
(However, it's certainly true that carelessly passing strings through to things that do interpret them will cause vulnerabilities. SQL injection, shell injection, that really bizarre XSS hole I found in CGI.pm last millennium, XSS in general...)
It's a known behavior, and there are other write-ups (the list from lisp.org for example) that are written from the perspective that Shellshock is not a bug at all, but just an oldschool feature from a by-gone era.
In reality, both of them were way too much work. We were excited to try them but don't miss them at all. I think the blog describes it well: this is not a real pain point (at least for us - 2 adults, one baby).
Blue apron freaked me out because they deliver a huge box that is 80% packaging and cold packs. Inside that box are many other little boxes that contain, for example, a single tomato.
They require you to be pretty adept with a chopping knife and good at prep work, while assuming that the only ingredient you own is cooking oil. So you get cocaine-like bags full of two tablespoons of flour.
It's like a sous chef simulator that fills your house with packaging. I buy as much as I can from them, since I figure they are running at a loss and I want venture capitalists subsidizing my dinner.
But it freaks me out to stab all those melted cold packs and bleed them out into the sink every night.
"They require you to be pretty adept with a chopping knife and good at prep work, while assuming that the only ingredient you own is cooking oil."
Yes, that was pretty much what we experienced as well. The prep time was often much longer than 20~30 minutes, and really took the fun out of it.
Admittedly, it was all very tasty but for us, it created more pain than it solved. We tried Plated to see if it was better but it pretty much was the same experience.
I found both prep time and quantity of food varied really widely. Sometimes I was chopping for what felt like hours, other times you just had to mix stuff together and fry it for five minutes. And then make a second dinner, because you'd been given two spoonfuls of seeds and a pearl onion.
I think those of us who like fresh cooked meals have already adapted to how to make them, the market for people who need and want to convert to that stage is small.
That's precious. Dude, its about the journey, man. Take the 40 Mil spend it on booze. Live fast, pivot and ride the wave to the soft landing. Then do it again. Beats a real coding job any day.
Yeah, 4x10 sounds awful -- in fact, working 10 hour days in general sounds awful. I doubt that advocates of a shorter work week have "work the same number of hours, but in a different configuration."
The problem is that even without enough work to go around, people in the U.S. believe that we should be working at minimum 40 hours a week. I think it's going to be really difficult to get people to change that. I can imagine a lot of people staying late or working at home on the weekends to "catch up" with a shortened week.
Maybe it would be easier to start a "9-3" campaign than a "Monday-Thursday" campaign.
That was my thought as well. I'm sure the decision was made to connect as seamlessly as possible, without the user having to stop and click a dial confirmation.
more pedantically Approtable : native :: Xamarin : CLR
As part of a thought experiment I got Mono running on top of Apportable's platform (I used to work on Mono myself ironically). We just work at a lower level at Apportable.
Xamarin has great high level tools for developing apps if you want to write in C#. We rely on the tools the developers already use and know (mainly Xcode) to develop for other platforms while also providing you a native userland that has most of the same native APIs and frameworks you find on iOS (and most Unix like environments) that you don't get on Android out of the box.
