[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: intent to package smtp-refuser

>  : Things to note, postfix has JUST entered public beta and is unproven.  In
>  : addition, there was recently a discussion about certain security issues
>  : (world-writable directory and insufficient DNS checking) on bugtraq.  I'd
>  : be wary of installing it in replacement of qmail quite yet.
>  : I do believe that someone is packaging it for Debian though
> It already has been packaged and uploaded, but got rejected, apparently due
> to some license ('intellectual property') problems, iirc.

> Maybe the maintainer can comment on this issue himself? :)

That would be me.  (Working on keeping up on my mail....)

The issue at hand is the following paragraph in the license:

    In the event an intellectual property claim is made or appears likely
    to be made with respect to the Software, you agree to permit IBM to
    enable you to continue to use the Software, or to modify it, or replace
    it with software that is at least functionally equivalent.  If IBM
    determines that none of these alternatives is reasonably available, you
    agree, at IBM's request, upon notice to you, to discontinue further
    distribution of the Software and to delete or destroy all copies of the
    Software you possess.  This is IBM's entire obligation to you regarding
    any claim of infringement.

Which says (in the worst case) that if IBM is worried there is likely to
be a suit, they can revoke the license.

I've just re-uploaded the 19981230 beta, which provides the option of
a world writable maildrop (OK if you don't have any untrusted users),
or a set gid program to deliver the mail to the maildrop, which
necessitated adding another group (used only on /usr/sbin/postdrop, and
/var/spool/postfix/maildrop), which makes the exposure from compromise of
the maildrop program no worse than the world writable maildrop.

If anyone would care to comment on the package/diff files, I'd sure
appreciate it, since this is my first package, after all...


Reply to: