On Tue, Jun 28, 2011 at 10:28 AM, Zhang Huangbin <[email protected]> wrote:
>
> On Jun 28, 2011, at 9:24 PM, Nico Kadel-Garcia wrote:
>>
>>> iRedMail is just shell scripts; it will install and configure mail server
>>> related components automatically for you. That's why I call it a 'solution'
>>> instead of 'software'. Source code of iRedMail is available in Google
>>> Code: http://code.google.com/p/iredmail/source/list
>>
>> And the *source* should be published
>
>
> iRedMail installer is shell scripts, that means it's source code too.
It's not published that way. See my previous comments about checksums and GPG signatures. It's too easy, historically, to steal a domain or steal access to a software repository and change the source code without signatures. Dig back to the SSH vulnerabilities in SSHD that were used against sourceforge.net roughly..... 12 years ago? And the more recent break-ins to our favorite upstream vendor's build machines that caused re-signing of RPMs and new keys being published.

>>> Used major components:
>>
>> Good. Now put that on your web page, please.
>
>
> It's now listed on the home page of the web site: http://www.iredmail.org/
> Thanks for your suggestion.

Cool.

>
>> Even if I distrust your product outright due to these missing
>> features, I'm happy for people to learn how to do these security
>> practices better.
>
>
> Thanks very much for your comments and time, will try to improve it. :)

I'm cheered and pleased by your quick response to those concerns. While it's not a tool I, personally, need right now, I'll keep it in mind as worth investigating for people who haven't already hammered their way through all those individual components.

I do urge you to review GPG signature handling, especially for RPM packages. It can be integrated well with the updated versions of 'mock' available for SL 6.
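The check the thread is arguing for (a published checksum list, a detached GPG signature over that list, and a signature check on the RPMs themselves) as an added shell example. This is not iRedMail's code and not anything posted in the thread; the tarball name, the SHA256SUMS/SHA256SUMS.asc file names and the keyring path are assumptions made for illustration. The point it demonstrates is the order of trust: the checksum file is only worth anything once its signature verifies against a vendor key obtained out of band, and an RPM that merely has valid digests is not the same as a signed one.

```shell
#!/bin/sh
# Added example, not iRedMail's own code: verify a downloaded installer
# tarball against a SHA256SUMS file and that file's detached GPG signature
# before unpacking or running anything from it. File names, the keyring
# path and the argument layout below are assumptions for illustration.

# sha256_of FILE -> prints the hex SHA-256 digest (GNU coreutils, else BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE SUMSFILE
# Returns 0 only if FILE's digest matches its entry in SUMSFILE. Entries are
# in the form sha256sum writes them: "<hex>  <name>" or "<hex> *<name>".
verify_checksum() {
    file=$1; sums=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# verify_signature SUMSFILE SIGFILE KEYRING
# Checks the detached signature on the checksum file against a dedicated
# keyring that holds only the vendor's release key, imported from a source
# other than the download site itself. An unsigned checksum file proves
# nothing: whoever swapped the tarball can rewrite the sums just as easily.
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# verify_rpm RPMFILE
# rpm --checksig exits 0 for an unsigned package whose digests are intact,
# so a signature must also be reported ("pgp OK" on older rpm, "signatures OK"
# on newer) for the package to count as signed. Keys come from "rpm --import".
verify_rpm() {
    rpm --checksig "$1" | grep -E -q '(pgp|signatures) OK'
}

# verify_release TARBALL SUMSFILE SIGFILE KEYRING
# Signature first, then checksum: a checksum match against an unverified
# SHA256SUMS is not evidence of anything.
verify_release() {
    verify_signature "$2" "$3" "$4" || { echo "bad or missing signature on $2" >&2; return 1; }
    verify_checksum "$1" "$2"
}

# Usage: ./verify.sh iRedMail-x.y.z.tar.bz2 SHA256SUMS SHA256SUMS.asc vendor.gpg
if [ "$#" -ge 4 ]; then
    verify_release "$1" "$2" "$3" "$4" || exit 1
    echo "verified: $1"
fi
```

The keyring used by verify_signature should be populated once, from a key fingerprint published somewhere the attacker of the download server does not also control (a keyserver entry cross-checked against the project's announcement, a printed fingerprint, an earlier release already trusted), and never from the same directory the tarball came from.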
