Daniel J. Bernstein is well known for writing top-quality, secure software for Unix systems. But a combination of unusual coding and administrative practices, together with a source-only license, kept DJB's programs relegated to a small number of Unix gurus. Now that the programs have been released to the public domain, might they have a chance of becoming truly popular?
To the newcomer, Unix (and Linux) seems like it must have been designed to be hostile to users. GUIs, such as KDE and Gnome, have made it far more palatable to non-experts -- but at a certain point, you'll need to use programs with such odd and hard-to-remember names as grep, awk, ps, and cron. Each of these programs can typically take a large number of options. Many also depend on configuration files, whose format is far from standardized.
For all of this craziness, and despite differences between various flavors of Unix, there is a method to the madness. And after a while, it becomes second nature to look for files in /etc rather than /var, or to use the --help flag to get a list of command-line options. By its very nature, the Unix world is far more fragmented than the Windows and Macintosh worlds, leading to many differences between even seemingly similar Linux distributions. These systems are more similar than they are different, though, and a seasoned Unix user can find their way around almost any system, regardless of its particular breeding.
There are some exceptions to this general rule, however. One of the best-known violators of Unix conventions is Daniel J. Bernstein, a professor of mathematics and computer science at the University of Illinois at Chicago who is often known by his initials, DJB.
It should be easy to ignore DJB's software: It flouts Unix conventions, putting files in non-standard locations and using a vastly different style of configuration file. DJB's programs are written entirely in low-level and hard-to-follow C, partly because Bernstein doesn't trust the security of certain built-in Unix libraries. And the documentation that comes with DJB's software tends to be accurate and terse, but not very welcoming to newcomers.
But for all of its quirkiness, DJB's software remains popular because it works, and works very well. Moreover, Bernstein prides himself on writing software that is invulnerable to a wide variety of security problems.
Back when Sendmail was the best-known and default system for mail transfer, Bernstein released qmail, a highly secure alternative. I personally used qmail for a number of years, and was impressed by its configurability, as well as the great lengths to which it went to ensure system security. In an era when Sendmail security exploits were constantly in the news, qmail kept humming along without any such problems.
DJB added more software to his arsenal over the years, releasing a mailing list manager (ezmlm), a DNS server (djbdns), a network service controller (daemontools), and even a small HTTP server (publicfile). DJB has a loyal, if relatively small, base of fans, who offer support to others in the community. Over the years, other popular programs have become increasingly secure, and other secure programs have become increasingly popular. The choice is thus no longer between Bernstein's software and its insecure alternatives, but rather between his software and a variety of alternatives whose security is increasingly good. (I doubt that these other programs would meet Bernstein's criteria for security, however.)
One of the reasons why Bernstein's software hasn't become more popular is the odd license under which it was released until just recently. Most of DJB's software was released under the stipulation that it only be redistributed in unmodified source-code form. This was limiting in at least two ways: It meant that Linux distributions couldn't easily include DJB's software, because they were legally obligated to compile it from source into binary form at the time of installation. It also meant that anyone wishing to enhance or extend DJB's software needed to do so as a set of "patches," text files describing the differences between DJB's original C-language source code and the changes. The extra effort involved in installing and maintaining these programs was not worthwhile for most people, who gave up on them.
This may be changing, however: Late in 2007, DJB removed the source-only license from much or all of his software, putting it in the public domain. Linux distributions are thus free to include and distribute custom binary, patched versions of Bernstein's programs, including qmail and djbdns.
Does this mean that we can expect to see qmail and djbdns included in Linux distributions in the near future? I would guess not, for at least two reasons: First of all, as I mentioned above, Bernstein flouts the usual Unix conventions in a dramatic way, making his programs harder to understand and maintain by newcomers.
Secondly, and perhaps most significantly, DJB developed his programs at a time when there were no alternatives to mainstream, buggy, and insecure Unix programs. While Bernstein might disagree, there are now at least two secure, modern mail programs other than Sendmail, and the network-service program xinetd has also become popular.
There is thus less of a crying need for qmail and daemontools than was once the case -- and given that the other programs adhere to convention, I expect that most distributions will opt for the latter. Which is a shame, because all of my experience with DJB's software has been quite positive, and I think that more people should at least consider these programs before accepting their system defaults. But the fact that so much DJB software can now be included in binary distributions means that we may be seeing more of it in the years to come.
Do you think we will?