[Initng] IRC meeting

Sun Dec 2 16:35:13 GMT 2007

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 02 December 2007, "Rob Ubuntu Linux" 
<rob.ubuntu.linux at googlemail.com> wrote:
> On Nov 30, 2007 9:59 PM, Eric MSP Veith <eveith at wwweb-library.net> wrote:
> > This is exactly why DJB chose to monitor the logging part separately.
> > Please see http://cr.yp.to/daemontools/faq/create.html#run. Quote from
> > the most
> >
> > important part:
> >> To fix this problem, use a separate log.
>
> Interesting to see the "daemontools" take on services.  Do you know
> why DJB's daemons, didn't "simply" use syslog(3) (via a restrictive
> wrapper in his program if needs be)?  

You can always use daemontools and syslog; e.g. qmail comes with a logging 
binary that injects log messages into syslog. It automatically sets 
priority and holds log messages until syslog is available. You don't _have_ 
to use multilog, although it has some nice features (e.g. exact timestamps 
in tai64 format, automatic log rotation, and so on. Recent syslog daemons 
have caught up on this, however.)

> Wietse Venama's security features, like the tcp_wrappers 
> (hosts.{allow,deny}) package for inetd(8) fitted in with the system, 
> for kernel & general logging, so always seemed more tasteful to me as 
> they avoided adding yet another critical daemon to watch.

The tcp_wrappers aren't that commonly used that they are more than a nice 
exciter in my eyes. But this isn't the point: inetd suffers alot of 
shortcomings, for example it cannot cope with lots of concurrently incoming 
connections and tends to reset all connections every now and then. I'm not 
sure whether this was fixed or not, though; but I switched to DJB's 
ucspi-tcp package because of this, and even nowadays it gives my shudders 
to see an inetd running and I tend to shut it down as fast as I can. :-)
But as I said, I haven't run any tests lately, and I don't know how xinetd 
performs, so this is more a personal preference because of remeberance than 
anything else.

> Postfix became main SMTP daemon in a few distros, and is still the
> default in OpenSuSE. 

This has another reason AFAIK: DJB forbids the distribution of pre-compiled 
Qmail packages, because he feares that the distributors would add bugs and 
security holes by patching Qmail. The SuSE guys didn't want to stick with 
sendmail, so they switched to Postfix.

> There's a recent paper by DJB on security and design decisons of
> qmail, in part of it, he suggests he should have "fixed" the file
> system, rather than program to avoid having zillions of small files,
> which to me suggests "ivory tower" tendency, rather than practical in
> the trenches compromises.  Filesystems take years to get right.

I'm interested in this; could you provide an URL please? :-)

	Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHUt7CfkUtd7QNU/sRAiwOAJ9Q2OPrbHexW5oRjnEkY2/IJWGMNQCfRt57
Zr+q98YzxmRTSZOaP/+twK8=
=2IaZ
-----END PGP SIGNATURE-----