https://bugzilla.redhat.com/show_bug.cgi?id=1517572

Petr Pisar <ppi...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppi...@redhat.com



--- Comment #4 from Petr Pisar <ppi...@redhat.com> ---
lrzip is not only orphaned. It's actually retired. The reason is it contains
various security flaws, the upstream is not willing to fix them, other
maintainers cannot because the format of the archive has never been specified
and moreover it bundles an ancient zpaq library (that's part of the vulnerability)
that even lrzip's author cannot unbundle or replace with an up-to-date
version because he does not understand the zpaq internals to adjust it to
lrzip's needs.

In my opinion, amavis should not hard-require various unpacking tools. There
are myriads of obscure formats that would drag in obscure and usually
unmaintained tools and many of them are not even packaged in the distribution.
Using these crappy tools would actually create a new attack vector against the
SMTP server and thus actually lower the security of the whole system.

I would prefer if these dependencies were made optional (Recommends or Suggests
on RPM level) and amavis should be able to cope with their unavailability (to
log that it saw a message that it was unable to unpack, or per a
configuration to discard the message because it was unable to inspect it).
