Re: Bug#557948: Severity of 557948 and plans for this bug
On Mon, 22 Mar 2010, Don Armstrong wrote:
> On Thu, 04 Mar 2010, Aníbal Monsalve Salazar wrote:
> > On Mon, Mar 01, 2010 at 03:49:08PM -0800, Don Armstrong wrote:
> > >Do you expect the ctte to override the severity or demand a specific
> > >fix? The former can be done, but the latter will (almost certainly)
> > >require a patch before that happens.
> > I plan to fix it later in the evening.
> Anibal: what's the current status of this? Can we assume that the
> underlying issue will be resolved shortly?
I haven't heard from Anibal, and I don't see any public progress
regarding this; I think we may need to actually address the severity
of this bug. [At any point, if it gets fixed, it'll obviate our
ssmtp requires access to configuration files which may contain
authentication information necessary to connect to remote mail
As such, these files should not be readable by normal users, but
ideally only ssmtp (or possibly users who are authorized to send
Currently, these files are root:mail 640, and the configuration
requests that users be added to the mail group to be able to send
mail. Unfortunatly, this ends up in the users in this group being able
to read and write to all mail spools by default.
We have the following options if we want to just decide the severity:
1. The package must not be released with this bug; it should have a
severity of at least serious.
2. The package can be released with this bug; it does not need a
severity of serious or greater. The maintainer can elevate the
3. Further discussion
I'd like to at least resolve this part of the bug by calling for a
vote in the next 48 hours. I think that we can actually discuss a fix
for this bug later if the maintainer (or someone who uses ssmtp who
wants to submit a patch) has any questions after that fact.
Clothes make the man. Naked people have little or no influence on
-- Mark Twain