
Comment by binaryturtle

15 hours ago

That's a bit shameless, indeed.

dnsmasq has served me well for like an eternity in multiple setups for different use cases. As with all software, it has bugs. And once located, those get fixed. Its author is also easy to communicate with.

Why should I switch over to something way less proven? I'm quite sure your software also has bugs, many still not located. Maybe because it's less popular/less well known nobody cares to hunt for those bugs? Which means even if the number of found bugs is lower in your software at the moment, and it may look more audited for this reason, it may actually be way less secure.

> dnsmasq has served me well for like an eternity in multiple setups for different use cases. As with all software, it has bugs. And once located, those get fixed. Its author is also easy to communicate with.

I concur. The last part, however, is quite worrisome. Dnsmasq is run by one person, published on their own git, and I did not see any information about other maintainers.

It is a super important (and great, and useful, and everything) piece of software and I have fears of what will happen one day.

Sure, someone can clone and push to github but it may seriously fragment the ecosystem.

"All software has bugs" is the most meaningless statement ever. It is just used for bonding with fellow bug writers who sit at a virtual campfire and muse about inevitabilities.

Demonstrably some software has fewer bugs, and its authors are often hated, especially if they are a lone author like Bernstein. Because it must not happen!

Projects with useless churn and many bug reports are more popular because only activity matters, not quality.

  • If DJB is "hated", it isn't because he's a lone author (Linus Torvalds was once a lone author and I don't think he was hated). It's because he can be an asshole. To quote George Bernard Shaw, “The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.”

    • DJB is a lot of things, and I have great respect for him, even though I feel he didn’t responsibly maintain Qmail/DJBdns/Publicfile. He made MaraDNS more secure because I carefully read his documentation—I got the idea to have a random source port to give MaraDNS more security from him, which means MaraDNS was unscathed when DNS spoofing was independently discovered in 2007.

      The point DJB made was this: It was possible for a skilled C programmer to make a server with few security holes. Even though that’s not as relevant now, with Rust having most of the speed of C and security built in, it did make the Internet a safer place for many years. I remember using Qmail and DJBdns to make the servers at the small company I worked for at the time more secure.
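The random-source-port defence mentioned above, as an added example that is not MaraDNS, djbdns or any other project's code: a resolver-side check that accepts a reply only if it arrives on the randomly chosen query port, carries the query's 16-bit transaction ID, has the QR bit set and echoes the question byte-for-byte. A forger who cannot see the query must guess both the port and the ID. The example.com query, the fixed port used for illustration and the helper names are assumptions.

```python
import os
import struct

# IANA dynamic/private port range; an assumption for this example, real resolvers
# may draw from a different range.
EPHEMERAL_LO, EPHEMERAL_HI = 49152, 65535


def encode_qname(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Minimal A/IN query with RD set; the TXID is random unless pinned for tests."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def pick_source_port():
    """Random ephemeral port from the OS RNG (65536 % 16384 == 0, so no modulo bias)."""
    span = EPHEMERAL_HI - EPHEMERAL_LO + 1
    return EPHEMERAL_LO + int.from_bytes(os.urandom(2), "big") % span


def question_of(pkt):
    """Return (txid, flags, qdcount, question_bytes); question is qname+qtype+qclass."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    pos = 12
    while pkt[pos] != 0:          # walk the labels to the terminating zero byte
        pos += 1 + pkt[pos]
    pos += 1 + 4                  # zero byte plus QTYPE/QCLASS
    return txid, flags, qdcount, pkt[12:pos]


def build_answer(query, rdata, txid=None):
    """Reply to `query` with one A record; txid defaults to the query's own.
    Used below both for the legitimate answer and for a forger's guess."""
    q_txid, _, _, question = question_of(query)
    if txid is None:
        txid = q_txid
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # name compression pointer (0xC00C) back to the question at offset 12
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(rdata)
    return header + question + rr


def accept_response(query, query_port, response, response_port):
    """The check a resolver applies before trusting a reply: right port, right
    TXID, QR set, exactly one question and it matches what we asked."""
    if response_port != query_port:
        return False
    try:
        q_txid, _, _, q_question = question_of(query)
        r_txid, r_flags, r_qdcount, r_question = question_of(response)
    except (struct.error, IndexError):
        return False  # truncated or malformed packet
    return bool(r_txid == q_txid and (r_flags & 0x8000) and r_qdcount == 1
                and r_question == q_question)


def blind_guess_space(port_randomized):
    """Guesses a blind forger needs on average to cover: TXID alone, or TXID x port."""
    ports = EPHEMERAL_HI - EPHEMERAL_LO + 1 if port_randomized else 1
    return 65536 * ports


if __name__ == "__main__":
    port = pick_source_port()
    q = build_query("example.com")
    good = build_answer(q, [93, 184, 216, 34])
    forged = build_answer(q, [10, 0, 0, 1], txid=0x1337)  # attacker guessed the TXID
    print("legit accepted:", accept_response(q, port, good, port))
    print("forged on wrong port:", accept_response(q, port, forged, port + 1))
    print("guess space with port randomization:", blind_guess_space(True))
```

The port check is what raises the forger's search from 2^16 to roughly 2^30 guesses; a fixed source port (or a NAT that rewrites ports sequentially) silently throws that factor away, which is the caveat to verify in any deployment.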

  • “Fellow bug writers” is everyone. People who write fewer bugs exist, and a lone few who write many fewer.

    I haven’t noticed antipathy, but I have noticed skepticism. I assume people with outlier records in any field get some extra inspection.

    If it becomes jealousy-fueled nit-picking, those people are insecure jerks. But unusual track records are worth understanding.

  • > "All software has bugs" is the most meaningless statement ever.

    It's not! It's the foundation of all dev AI products marketing.

  • "All software has bugs" so "be wary of the one trying to say they haven't had any in 3 years" not so "I guess all are equal". For extremely low security bug rates either the scope is extremely narrow, the claim is dubious, or the project is a massive effort which the community talks about directly in posts rather than plugs (e.g. curl).

    • DJB, with Qmail and DjbDNS (as well as Publicfile, which didn’t catch on in an era of CGI scripts), showed that one could have (mostly) security bug free software without the scope being “extremely narrow”, and without the claim being “dubious”.

      It’s not normal for software to be so poorly written that one doubts the claim that a security bug hasn’t been found in over three years. If one thinks the claim of no security bugs of consequence in three years is dubious, feel free to do a security audit of MaraDNS (or DjbDNS, which I also will take responsibility for even though my software is, if you will, a “competitor” to DjbDNS), and report any bugs you find.

      Speaking of DJB, DjbDNS has had a few security bugs over the years (but not that many), but I’m maintaining a fork of DjbDNS with all of the security bugs I know about fixed:

      https://github.com/samboy/ndjbdns

      I am saying all this as someone who has had significant enough issues with DJB’s software that I ended up writing my own DNS server so I didn’t have to use his server (I might not have done so if DjbDNS had been public domain in 2001, but oh well).

      (As a matter of etiquette, it’s a little rude to claim someone is saying something “dubious”, especially when the claim is backed up with solid evidence [multiple audits didn’t find anything of significance in the last year, as I documented above], unless you have solid evidence the claim is dubious, e.g. a significant security hole more recent than three years old)


  • > Demonstrably some software has fewer bugs

    You literally write fewer instead of none, therefore agreeing with the sentence you claimed to say is meaningless.

> Why should I switch over to something way less proven?

Must they prove their software to you? They're offering an alternative, not bargaining for a deal.

  • When you offer up an alternative as technically superior in some manner then yes, it is on you to demonstrate such a claim in a convincing manner. "No bugs in 3 years in this software with a much smaller audience and also look AI audits!" comes across as off topic shameless self promotion. At least if an insightful technical discussion ensued the subthread might prove worthwhile but so far it's just the usual tired shit flinging.

    • I have far more evidence of a very good security record with MaraDNS than “No bugs in 3 years in this software with a much smaller audience and also look AI audits!”

      • The software has been around for 25 years

      • The software is popular enough to have been subjected to dozens of security code audits, including two audits in the post-AI era

      • In those 25 years, only two remote “packet of death” bugs have been found

      • Also, in those same 25 years, only one single bug report of remotely exploitable memory leaks has been found

      This isn’t something which, as implied here, has a lot of security bugs only because no one has used or audited the software. This is a long term, mature code base which has only had a few serious security bugs in that timeframe.

      Here is my evidence:

      https://samboy.github.io/MaraDNS/webpage/security.html

      If this evidence isn’t “convincing” to you, I don’t know what evidence would be “convincing”.
