Re: getmail, getmail6, testing, unstable, python-is-python3
Hi.
On Tue, Oct 27, 2020 at 10:19:01AM -0400, Celejar wrote:
> On Tue, 27 Oct 2020 17:02:22 +0300
> Reco <recoverym4n@enotuniq.net> wrote:
>
> > Hi.
> >
> > On Tue, Oct 27, 2020 at 01:31:19PM +0000, mick crane wrote:
> > > > this was just a quick heads-up for those who are stuck
> > > > on getmail like i am (and quite happy with it). :)
> > > >
> > >
> > > as far as getmail goes, the maintainer thinks it is an unnecessary panic.
> > >
> > > ""getmail goes out of official support by my distro" may be a theoretical
> > > problem, or a philosophical one, but it certainly is not a significant
> > > practical problem.
> >
> > Indeed. Switch back to fetchmail, because the less you're depending on
> > python and the software that uses it - the better ;)
>
> Here's the getmail author's opinion of why getmail is preferable to
> fetchmail:
>
> http://pyropus.ca/software/getmail/faq.html#faq-about-why
>
> Doubtless opinionated, and certainly dated, but would you or anyone
> else here care to comment?

It boils down to two things:

1) Configuration of fetchmail is teh hard.

If I have to choose between hard-to-configure software and
will-cease-to-function software - I always go with the first variety. YMMV.

2) Fetchmail is insecure, getmail is bulletproof.

As [1] and [2] show us - it's true somewhat. fetchmail has 5 times more
known vulnerabilities than getmail.

Problem with such numbers approach is - last reported CVE for fetchmail
is dated 2012, and for getmail it's 2014. I.e. both can be considered
secure enough in this regard.

CVE-2020-5239 - [1] - corresponds to some *person* (let's put it this
way) who apparently thought that putting outdated fetchmail in docker
along with the unspecified Agile/Scrum-level quality "fetchmail script"
will make things secure by some magic.

A moral of the story here - running a random docker image is comparable
to running a random binary downloaded from the Internet as far as
security is concerned.

And my favorite:

"getmail users have not had to worry about any of these security holes
or design and implementation errors".

Instead getmail users have to worry about [3]. It's not php-level mess -
[4], but venerable nevertheless.

Reco

[1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=getmail
[2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fetchmail
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python
[4] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=php