Markus Wanner writes:
I'd quickly like to elaborate on why the former Debian maintainer decided to do that and hope for your understanding:Before, there was a courier-maildrop as well as a (stand-alone) maildrop package. Meaning those two are built from the very same source, but
They should not be. maildrop is a separate source package. It's a tarball in of itself, that's built independently.
Now, the fact that this tarball contains code that's also found in another, larger, package, that's a different subject.
Couldn't most of this configuration be moved to runtime, rather than compile time?
The Courier build of maildrop implements a Courier-specific option that's got ...a bit of juice to it, taking advantage of its temporary root permissions.
Although the relevant bits in question do all their due diligence, checking that the real uid/gid is the one that's baked into the source, and thusly is only available to Courier, etc., it's good practice to remove stuff that's not needed. Multiple layers of security. It's better to keep that code out of the non-Courier specific maildrop, altogether.
pgpIGACk1jI_e.pgp
Description: PGP signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
