
Re: qmail and related packages in NEW



* Joerg Jaspert:

>>> It isn't just about choosing not to install it, it causes work for the
>>> various teams in Debian - security, release, QA.
>> We've discussed this at the Security Team meeting in Essen and we don't
>> have a problem with qmail being included in Lenny.
>
> Are you aware that qmail and its related packages do have a LOT of code
> duplication?

Personally, I'm more concerned about manual constant propagation in
some parts of the code base (like using the integer literal 4 for the
size of an IPv4 address), and similar coding style issues.  But this
is certainly not restricted to qmail (Bernstein's DNS code suffers
from that to a higher degree, and it's in the archive).  We have such
issues in many, many packages, including recent additions to the
archive.

Like Moritz, I don't see issues with security support, provided that
the number of additional patches is rather small.  (To my knowledge,
badly patched qmail with a SMTP AUTH bypass vulnerability was one of
the few MTAs which were actually exploited to send spam in recent
times.)  I'm also not sure if upstream can be considered dead, and
arguments along that line are not very convincing because similar
criticism could be brought against our default MTA.

I can understand that people have strong feelings.  I'm willing to
provide security support, but it's extremely unlikely that I'll run
qmail on production MTAs ever again. 8-/
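The "manual constant propagation" complaint above, shown on a constructed example (added here; this is not qmail's or djbdns's code, and the type and function names ip4_t, ip6_t, ip4_copy_literal, ip6_copy_literal and ip6_copy_sized are hypothetical). The point is what happens when the literal 4 is copied along with the surrounding code into a wider address type: the literal stays behind and the copy silently truncates, whereas deriving the width from the type and checking the destination length makes the mismatch either a compile error or a refused call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Address types: the width lives in the type, nowhere else. */
typedef struct { unsigned char d[4];  } ip4_t;
typedef struct { unsigned char d[16]; } ip6_t;

/* Pin the wire widths once. A later edit to the struct trips this at compile
 * time instead of becoming a silent truncation somewhere downstream. */
_Static_assert(sizeof(((ip4_t *)0)->d) == 4,  "IPv4 address is 4 octets");
_Static_assert(sizeof(((ip6_t *)0)->d) == 16, "IPv6 address is 16 octets");

/* Fragile style: the width is retyped as a literal at the point of use. */
static void ip4_copy_literal(unsigned char *dst, const ip4_t *src)
{
    memcpy(dst, src->d, 4);            /* "4" is a hand-propagated sizeof */
}

/* The same function after an IPv6 port done by copy-paste: the type widened,
 * the literal did not, so 12 of the 16 octets are silently dropped. */
static void ip6_copy_literal(unsigned char *dst, const ip6_t *src)
{
    memcpy(dst, src->d, 4);            /* BUG: stale literal */
}

/* Robust style: the width comes from the type, and the destination length is
 * checked instead of assumed. Returns octets copied, or 0 if dst is too small. */
static size_t ip6_copy_sized(unsigned char *dst, size_t dstlen, const ip6_t *src)
{
    if (dstlen < sizeof src->d)
        return 0;
    memcpy(dst, src->d, sizeof src->d);
    return sizeof src->d;
}

/* Count the octets of a 16-octet address that a copy routine failed to move.
 * The source pattern (0x10..0x1f) is constructed so every octet is nonzero. */
static int octets_lost_literal(void)
{
    ip6_t src;
    unsigned char dst[16] = {0};
    int lost = 0;
    for (size_t i = 0; i < sizeof src.d; i++)
        src.d[i] = (unsigned char)(0x10 + i);
    ip6_copy_literal(dst, &src);
    for (size_t i = 0; i < sizeof src.d; i++)
        lost += (dst[i] != src.d[i]);
    return lost;                       /* 12: only the first 4 arrived */
}

static int octets_lost_sized(void)
{
    ip6_t src;
    unsigned char dst[16] = {0};
    int lost = 0;
    for (size_t i = 0; i < sizeof src.d; i++)
        src.d[i] = (unsigned char)(0x10 + i);
    ip6_copy_sized(dst, sizeof dst, &src);
    for (size_t i = 0; i < sizeof src.d; i++)
        lost += (dst[i] != src.d[i]);
    return lost;                       /* 0 */
}

int main(void)
{
    unsigned char ip4[4];
    ip4_t a4 = {{ 192, 0, 2, 1 }};     /* constructed documentation address */
    ip4_copy_literal(ip4, &a4);
    printf("literal copy lost %d octets, sized copy lost %d\n",
           octets_lost_literal(), octets_lost_sized());
    return 0;
}
```

The sized variant also refuses a caller buffer that is too short rather than writing past it, which is the other half of why a reviewer flags bare literals: the same number that should have been a type width is usually also the number that should have been a bounds check.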

