On Wed, Sep 03, 2003 at 09:55:36AM +0300, Petre Rodan wrote:
> I'm sorry to disturb you, but I couldn't help noticing that currently
> there are 15 patches to qmail, and this number has the tendency to
> rise with every ebuild.

I expect it to be around 20 when I'm done with the ebuild.

> I feel that DJ Bernstein did a great job creating the world's safest
> MTA. This is one of the main reasons sysadmins use it. My point is
> that even if there are reasons for upgrading the product (to add new
> features and such) the issues with not doing it are considerable and
> will likely outweigh them.

DJB himself has mentioned that he uses some of the patches in some cases, and for the most part just does not have time to contribute to maintaining qmail anymore.

I have personally considered forking qmail in the past, simply to go through a validation of the security of the patches and distribute them officially integrated. I simply do not have enough time to attempt this until I am finished university, unless somebody is willing to sponsor me to do it as some part-time work (I presently work part time at the university to cover some of my tuition).

> The commotion generated by smtp-auth patch is an example.

SMTP AUTH (both directions) and STARTTLS both require more setup than just emerging the package. If you don't set them up, then qmail behaves in a functionally identical way to how it did before. The security hole (bugtraq id 8196) is caused solely by misconfiguration. I've put code into place (not yet committed to CVS) in the startup scripts for qmail-smtpd that will detect the possible misconfiguration and error out.

> Now please don't get me wrong, I appreciate your work, I simply fell
> in love with Gentoo but I think that those who would like to emerge
> qmail should have the choice of selecting the exact features that can
> make them happy. Simply masking versions doesn't sound too good, maybe
> some USE switches would ease the way. I'm wondering maybe
> qmail-1.03-x.ebuild can be made to inherit some patch-related switches
> from a file that is system-specific.

I will definitely look at an optional flag to disable the majority of the patches that could have security issues anyway.

-- 
Robin Hugh Johnson
E-Mail    : robbat2@orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#      : 30269588 or 41961639
GnuPG FP  : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85