
Re: getmail, getmail6, testing, unstable, python-is-python3



	Hi.

On Tue, Oct 27, 2020 at 10:19:01AM -0400, Celejar wrote:
> On Tue, 27 Oct 2020 17:02:22 +0300
> Reco <recoverym4n@enotuniq.net> wrote:
> 
> > 	Hi.
> > 
> > On Tue, Oct 27, 2020 at 01:31:19PM +0000, mick crane wrote:
> > > >   this was just a quick heads-up for those who are stuck
> > > > on getmail like i am (and quite happy with it).  :)
> > > > 
> > > 
> > > as far as getmail goes maintainer thinks is an unnecessary panic.
> > > 
> > > ""getmail goes out of official support by my distro" may be a theoretical
> > > problem, or a philosophical one, but it certainly is not a significant
> > > practical problem.
> > 
> > Indeed. Switch back to fetchmail, because the less you're depending on
> > python and the software that uses it - the better ;)
> 
> Here's the getmail author's opinion of why getmail is preferable to
> fetchmail:
> 
> http://pyropus.ca/software/getmail/faq.html#faq-about-why
> 
> Doubtless opinionated, and certainly dated, but would you or anyone
> else here care to comment?

It boils down to two things:

1) Configuration of fetchmail is teh hard.

If I have to choose between hard-to-configure software and will-cease-to
function software - I always go with the first variety. YMMV.


2) Fetchmail is insecure, getmail is bulletproof.

As [1] and [2] show us - it's somewhat true. fetchmail has 5 times more
known vulnerabilities than getmail.
The problem with such a numbers approach is - the last reported CVE for
fetchmail is dated 2012, and for getmail it's 2014. I.e. both can be
considered secure enough in this regard.

CVE-2020-5239 - [1] - corresponds to some *person* (let's put it this
way) who apparently thought that putting outdated fetchmail in docker
along with the unspecified Agile/Scrum-level quality "fetchmail script"
will make things secure by some magic.
A moral of the story here - running a random docker image is comparable
to running a random binary downloaded from the Internet as far as
security is concerned.

And my favorite:
"getmail users have not had to worry about any of these security holes
or design and implementation errors".
Instead getmail users have to worry about [3]. It's not php-level mess -
[4], but venerable nevertheless.

Reco

[1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=getmail
[2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fetchmail
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python
[4] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=php

