On 05/16/2017 05:10 PM, Sam Varshavchik wrote:
> They should not be. maildrop is a separate source package. It's a
> tarball in and of itself, that's built independently.
>
> Now, the fact that this tarball contains code that's also found in
> another, larger, package, that's a different subject.

I don't quite see how that matters. It's the same set of source files, which would need the same set of security fixes, for example. What does the duplication of efforts buy us? I'd rather state that duplication of code is never a good idea, but a sign of bad modularization.

> The Courier build of maildrop implements a Courier-specific option
> that's got ...a bit of juice to it, taking advantage of its temporary
> root permissions.
>
> Although the relevant bits in question do all their due diligence,
> checking that the real uid/gid is the one that's baked into the source,
> and thusly is only available to Courier, etc., it's good practice to
> remove stuff that's not needed. Multiple layers of security. It's better
> to keep that code out of the non-Courier specific maildrop, altogether.

By that reasoning, Debian would have to ship about a dozen variants of maildrop packages. That's clearly not going to happen.

While I generally agree that it's good practice to remove stuff that's really not needed, the courier variant *is* needed (by some users, including myself). Splitting sources and duplicating efforts only reduces overall test coverage and availability of security fixes, so I don't quite see this as an overall gain in security. If nothing else, it would have saved us the current confusion and trouble with maildrop being available in multiple incompatible variants, which aren't clearly distinguishable by name.

I'll check if it's feasible to re-add the courier-maildrop package in Debian stretch (i.e. the Courier specific variant), but I'd greatly appreciate it if you could reconsider this split.

Kind Regards

Markus Wanner
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users