Subject: Re: Fwd: Re: Microsoft: Closed source is more secure
From: kragen@pobox.com
Date: Sat, 5 May 2001 15:40:27 -0400 (EDT)

[I'm Ccing Dan to give him a chance to rebut my comments, because a
lot of this post consists of me putting words in his mouth.  Since the
post I'm responding to was posted on an open-membership,
publicly-archived mailing list, I'm assuming it's OK to quote it.]

shap@cs.jhu.edu writes:
> I don't have an opinion about the merits of djbdns.  Having read the
> comments by others, however, I want to point something out. Djbdns may
> or may not be secure, but it is decidedly *not* high assurance.
> Auditability and documentation of code are *essential* to high
> assurance. If the documentation is poor, if the design is not clearly
> articulated and published, and if the code is substantially difficult to
> comprehend and to cross-check against the design, then djbdns *cannot*
> be a high assurance system.

Dan has a tendency to write things in weird ways because he has come
to the conclusion that those weird ways are less likely to lead to
bugs than the more normal ways of doing things.  For example, he
doesn't use functions from the standard C library, other than Unix
system calls, because he thinks their design tends to produce and hide
bugs in programs that use them.

He also has a tendency to write software that is much smaller and
simpler than other similar software.  The source code to all of
djbdns, including several clients and several servers, totals 177
printed pages --- less than the BIND Operations Guide.  It might be
desirable to have documentation of the design that was smaller than
that, but that's still small enough to be easily understood.

I generally don't find his code particularly difficult to comprehend,
and I'm mystified by people who do.  I wonder if they're the same
people who have a hard time reading code with a different brace style
than they're used to.  DJB's code is, if anything, far simpler,
terser, and better-commented than most C code.

> That is: we don't *know* if it is secure. What we have is (a) a strong
> assertion by the author and a couple of supporters, and (b) a software
> artifact for which few (if any) security flaws have been reported.

None, as far as I know.  http://cr.yp.to/djbdns/guarantee.html seems
to imply that any reported security holes will be listed there
(although it actually only says that disputes will be reported there);
none are listed.  Two 'bug' items are listed in the CHANGES file,
which goes back to 1999-11-24.  Neither is a security flaw.

While Dan can be an asshole, it appears to me that he's a lot more
interested in the truth than in appearing to have been right; so I
think that the lack of listed security flaws there means there haven't
been any.

I have a lot more confidence in code that has been written and
released by Dan than in code that has been carefully audited by the
OpenBSD team.  This confidence comes from the years-long bug-free
history of qmail and ezmlm.  In fact, Dan's software is the only
reason I believe there is an alternative to the security-patch
treadmill.

> These assertions *may* be correct. I have no contrary evidence from
> personal experience. What I *do* know is that djbdns has not been
> through any rigorous evaluation process that would lead me to confidence
> about its security, and that there are several quirks about the
> software, its build environment, and its documentation that would lead
> me to initial skepticism.

Now you know why those quirks are there.