Package: sponsorship-requests
Severity: wishlist
Dear mentors,
I am looking for a sponsor for my package "phoenixdkim":
* Package name : phoenixdkim
Version : 1.0.0-1
Upstream contact : Edmund Lodewijks <[email protected]>
* URL : https://www.phoenixdkim.org/
* License : BSD-3-clause and SOSL
* Vcs : https://github.com/edmundlod/PhoenixDKIM/tree/debian/latest
Section : mail
The source builds the following binary packages:
phoenixdkim - DomainKeys Identified Mail (DKIM) signing and verifying milter
phoenixdkim-tools - Utilities for administering the PhoenixDKIM milter
libphoenixdkim0 - DomainKeys Identified Mail (DKIM) library
libphoenixdkim-dev - DomainKeys Identified Mail (DKIM) library (development files)
miltertest - Utility for testing milter applications
phoenixdkim-keygen - Utility for generating DKIM and ARC keys (RSA and Ed25519)
To access further information about this package, please visit the following URL:
https://mentors.debian.net/package/phoenixdkim/
Alternatively, you can download the package with 'dget' using this command:
dget -x https://mentors.debian.net/debian/pool/main/p/phoenixdkim/phoenixdkim_1.0.0-1.dsc
Changes for the initial release:
phoenixdkim (1.0.0-1) unstable; urgency=medium
.
* Initial upload to Debian (Closes: #1140100).
* First stable release. Closes the 1.0.0 beta series.
* Signing: under StrictHeaders, a message that cannot be signed because it violates RFC 5322 (e.g. a duplicate From, a spoofing vector) is now rejected back to the sender per On-SignatureError (default reject) instead of being delivered unsigned; verification of such messages is unchanged (accepted, recorded in Authentication-Results).
* Fix: drain in-flight connections at shutdown before tearing down the configuration, key, and databases, closing an exit-time use-after-free race between the worker threads and main() (found with ThreadSanitizer).
* Fix: make the die/reload/diesig signal flags atomic (sig_atomic_t).
* Fix: free the header canonicalization of a resigning header-bound handle (a leak in the dkim_resign + header-binding path).
* Fix: phoenixdkim-testmsg now reports the specific reason a message could not be signed or verified rather than a generic "Syntax error".
* Testing: add coverage-guided libFuzzer targets for the signature and key-record tag-list parsers (PHOENIXDKIM_ENABLE_FUZZERS), a DNS failure-mode classification test, an independent-implementation interop cross-check against dkimpy, and a ThreadSanitizer build option (PHOENIXDKIM_ENABLE_TSAN).
* Documentation: describe StrictHeaders' per-direction disposition and the security/testing process on the project website.
Additional notes for reviewers:
PhoenixDKIM is a security-focused fork of OpenDKIM (ITP #1140100). It is not a drop-in replacement and is meant to coexist with the existing opendkim package: all binaries are namespaced (phoenixdkim-*), and the only file overlap (miltertest) is handled with Breaks/Replaces against opendkim-tools. Relative to the 2.11 base, the fork ports all cryptography to the OpenSSL 3 EVP API, adds Ed25519-SHA256 signing and verification (RFC 8463), refuses RSA-SHA1 and enforces a 2048-bit key minimum (RFC 8301), and moves the build system to CMake.
Packaging / QA: the source is lintian-clean apart from pedantic tags (long lines in test fixtures, the uscan-symlink note); it builds in a clean sbuild chroot, runs the upstream test suite at build time, and enables full hardening and reproducible-build flags. The upstream tarball is OpenPGP-signed and verified via debian/upstream/signing-key.asc.
This is my first Debian package and I am seeking a sponsor; review and guidance are very welcome.
Kind regards,
Edmund Lodewijks
--
Edmund Lodewijks <[email protected]>
TZ: UTC+2 / GMT+2
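The StrictHeaders behaviour described in the changelog above (refuse to sign a message whose header block violates RFC 5322, such as one carrying a duplicate From, while still verifying and recording such a message on the receiving side, and report the specific reason rather than a generic syntax error) as an added illustration in C; this is not code from this email or from the PhoenixDKIM source. The function names, enum values and the two sample messages are constructed for the example; the per-field count limits come from RFC 5322 section 3.6.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 5322 section 3.6: how often a bounded header field may appear. */
struct field_rule { const char *name; int min; int max; };
static const struct field_rule RULES[] = {
    { "From",       1, 1 },
    { "Date",       1, 1 },
    { "Sender",     0, 1 },
    { "Reply-To",   0, 1 },
    { "To",         0, 1 },
    { "Cc",         0, 1 },
    { "Bcc",        0, 1 },
    { "Message-ID", 0, 1 },
    { "Subject",    0, 1 },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Hypothetical names for this example: which side we are acting as, and
 * what happens to a message whose header block is non-conformant. */
enum direction   { DIR_SIGN, DIR_VERIFY };
enum disposition { DISP_SIGN, DISP_REJECT, DISP_VERIFY_RECORD };

/* ASCII case-insensitive comparison of a field name against `len` bytes. */
static int name_eq(const char *name, const char *p, size_t len)
{
    if (strlen(name) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)p[i]))
            return 0;
    return 1;
}

/* Count each bounded field in the header block of `msg` (lines up to the
 * first empty line; folded continuation lines belong to the preceding
 * field and are not counted). Returns 0 when the block conforms, else -1
 * with a specific reason written to `reason`. */
int strict_headers_check(const char *msg, char *reason, size_t reasonlen)
{
    int counts[NRULES] = {0};
    const char *line = msg;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > 0 && line[linelen - 1] == '\r') linelen--;
        if (linelen == 0) break;                      /* end of header block */
        if (line[0] != ' ' && line[0] != '\t') {      /* not a folded line */
            const char *colon = memchr(line, ':', linelen);
            if (colon == NULL) {
                snprintf(reason, reasonlen, "malformed header line");
                return -1;
            }
            size_t namelen = (size_t)(colon - line);
            for (size_t i = 0; i < NRULES; i++)
                if (name_eq(RULES[i].name, line, namelen)) counts[i]++;
        }
        if (eol == NULL) break;
        line = eol + 1;
    }

    for (size_t i = 0; i < NRULES; i++) {
        if (counts[i] > RULES[i].max) {
            snprintf(reason, reasonlen, "duplicate %s header (%d found)",
                     RULES[i].name, counts[i]);
            return -1;
        }
        if (counts[i] < RULES[i].min) {
            snprintf(reason, reasonlen, "missing %s header", RULES[i].name);
            return -1;
        }
    }
    reason[0] = '\0';
    return 0;
}

/* Per-direction disposition: when signing, a non-conformant message is
 * refused rather than delivered unsigned; when verifying, it is still
 * processed and the result recorded (the reason is available to log). */
enum disposition strict_headers_dispose(enum direction dir, const char *msg,
                                        char *reason, size_t reasonlen)
{
    int ok = strict_headers_check(msg, reason, reasonlen) == 0;
    if (dir == DIR_SIGN) return ok ? DISP_SIGN : DISP_REJECT;
    return DISP_VERIFY_RECORD;
}

/* Constructed sample messages (not real mail). */
static const char SAMPLE_OK[] =
    "From: alice@example.com\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
    "Subject: folded\r\n"
    " continuation line\r\n"
    "\r\n"
    "body\r\n";
static const char SAMPLE_DUP_FROM[] =
    "From: alice@example.com\r\n"
    "From: second@example.net\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
    "\r\n"
    "body\r\n";

int main(void)
{
    char reason[128];
    const char *msgs[] = { SAMPLE_OK, SAMPLE_DUP_FROM };
    for (size_t i = 0; i < 2; i++) {
        enum disposition d = strict_headers_dispose(DIR_SIGN, msgs[i],
                                                    reason, sizeof reason);
        printf("message %zu, signing: %s%s%s\n", i,
               d == DISP_SIGN ? "sign" : "reject",
               reason[0] ? " - " : "", reason);
        strict_headers_dispose(DIR_VERIFY, msgs[i], reason, sizeof reason);
        printf("message %zu, verifying: verify and record%s%s\n", i,
               reason[0] ? " - " : "", reason);
    }
    return 0;
}
```

The check is deliberately limited to field counts, which is the part of RFC 5322 that makes a duplicate From a spoofing concern for DKIM (a verifier that hashes one From while a mail client displays the other); syntax of the field bodies is left to the rest of the signer.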