Post AZOpvK2aiDPEzHlpLc by aris@infosec.exchange
(DIR) Post #AZOaWR0o9paq3YbwdE by adam@hax0rbana.social
2023-09-03T16:28:32Z
0 likes, 0 repeats
So, I'm now the maintainer of the qmail package for Debian and Ubuntu. Since DJB certainly hasn't been maintaining it, and I'm not aware of any other maintainers, I guess that might mean I'm just the qmail maintainer. Full stop. It's not in the official repos, but if I can find a Debian mentor, I might try getting it back in there. I didn't intend for this to happen. I was just trying to submit a fix for a segfault upstream and he ended up transferring the repo to me.
(DIR) Post #AZOe4kRgi6282LEmNE by FenTiger@mastodon.social
2023-09-03T17:08:18Z
0 likes, 0 repeats
@adam Until I read this, I'd always assumed that the random person in Nebraska had actually volunteered for the role. Now I'm rethinking that assumption. Maybe I was wrong, and he just got kind of sucked in. Are you in Nebraska, by any chance? ;)
(DIR) Post #AZOk2OsMXCqSHjyglc by jens@social.finkhaeuser.de
2023-09-03T18:15:07Z
0 likes, 0 repeats
@adam Huh. Nice. I have a repo of qmail + patches.
(DIR) Post #AZOkbhW3DsfCERNHOq by lorddimwit@mastodon.social
2023-09-03T18:21:32Z
0 likes, 0 repeats
@adam Godspeed
(DIR) Post #AZOpvK2aiDPEzHlpLc by aris@infosec.exchange
2023-09-03T19:21:08Z
0 likes, 0 repeats
@adam You touched it last!
(DIR) Post #AZOu4Qbq3krzmYr3JY by jschauma@mstdn.social
2023-09-03T20:07:33Z
0 likes, 0 repeats
@adam @thedarktangent #opslesson 31: If you break it, you own it - for now; if you fix it, you own it - forever. 😄 https://www.netmeister.org/blog/ops-lessons.html
(DIR) Post #AZOw3xmHSF4AGre2QS by fanf@mendeddrum.org
2023-09-03T20:29:50Z
0 likes, 0 repeats
@adam are netqmail and notqmail completely dead then?
(DIR) Post #AZe3vCPC9kV4oXVHE0 by jmtd@pleroma.debian.social
2023-09-03T19:48:27.052401Z
0 likes, 0 repeats
@adam think really, really hard on whether qmail in Debian proper is in the best interest of either qmail users or Debian before you consider going forward with that
(DIR) Post #AZe3vDdlZ3kYe1KQZk by ondrej@mastodon.rfc1925.org
2023-09-05T08:18:04Z
0 likes, 0 repeats
@jmtd @adam For $DEITY sake, could we just finally (finally!) get rid of the djb abandonware in Debian instead of dragging this on and on and on…? I loved daemontools, qmail, djbdns and his other stuff, and I’ve extensively used all of these, but that was 20 years ago. We have much better and maintained alternatives now.
(DIR) Post #AZe3vEZY6DyFXEMZdo by adam@hax0rbana.social
2023-09-11T03:38:31Z
0 likes, 0 repeats
@ondrej @jmtd Considering I updated it just a few days ago and plan on adding IPv6 support in the future, I wouldn't exactly call it abandonware, but I see where you're coming from. It's true that it doesn't get constant updates that bolt on more features. I think people should have easy options and I haven't seen a security track record of an MTA that rivals qmail. So yes, I do think it would be in Debian users' best interests to be able to choose this option (easily), and vice versa.
(DIR) Post #AZeJXBR3i2r07ewgng by adam@hax0rbana.social
2023-09-11T06:33:33Z
0 likes, 0 repeats
@fanf I was not aware of notqmail, but I found this on GitHub which is seemingly it: https://github.com/notqmail/notqmail I thought netqmail was just qmail with a few, small additional patches. Notqmail appears to still be getting commits. I also see it had at least three CVEs (fixed in their latest release). So now I have so many questions: 1. Where do the lineages diverge? 2. Have they added on lots of features? 3. Are those bugs in the original code base? 4. My codebase? An investigation will ensue!
(DIR) Post #AZeK5sipHG9WDenkcy by adam@hax0rbana.social
2023-09-11T06:39:52Z
0 likes, 0 repeats
@fanf Also, I noticed there are only source releases on their GitHub page. No packages for any OS. Interestingly, their .guthub/workspaces directory has solaris.yml and openbsd.yml. I'm not very familiar with GitHub's CI system, but it looks like it's building the software on those OSes... Anyway, if notqmail is a superset of what I've got, and hasn't gone feature crazy, I'd be interested in joining forces with them if they're interested. 🙂
(DIR) Post #AZeWkAUFqVDOLjxitc by fanf@mendeddrum.org
2023-09-11T09:01:28Z
0 likes, 0 repeats
@adam good luck!
(DIR) Post #Ab7csktCMg4q4PWx4C by ondrej@mastodon.rfc1925.org
2023-10-25T07:48:49Z
0 likes, 0 repeats
@adam @jmtd Well, have fun: https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
(DIR) Post #AbD6xJicmRX9fJTXu4 by adam@hax0rbana.social
2023-10-27T23:19:38Z
0 likes, 0 repeats
@jmtd @ondrej I've already included the patch and published the .deb package. Unfortunately I have yet to find anyone in Debian who can help me get patches into the official repos for any software. For example, I've contributed packaging updates to libpam-u2f and followed up with various people for months. But the maintainer has been out on leave for the past year, and nobody else on the packaging or auth teams has been willing/able to help. I'll probably try again someday, but it's exhausting.
(DIR) Post #AbD7R57vb52b64VIzg by adam@hax0rbana.social
2023-10-27T23:25:00Z
0 likes, 0 repeats
@jmtd @ondrej Oh, and qmail was in Buster, but not in later releases. Buster is still supported though. If the Debian security team (or anyone else) wants my patched version, it's available here: https://gitlab.hax0rbana.org/public-repos/ubuntu-netqmail/-/jobs/6810/artifacts/browse And if anyone would like to help me find a Debian mentor, I'm still willing to work with them if they're willing to work with me.