Ralf Bergs writes:
On 2024-11-12 14:05, Sam Varshavchik wrote:Ralf Bergs writes:Since probably 15+ years already I'm seeing "imapd-ssl: Timeout initializing the FAM library. Your FAM library is broken" warnings from Courier.The best way is to update to the current version which no longer uses gamin. And the best way to update is to uninstall both courier-imap and courier- unicode, and then build debs from the current version of both packages, following the instruction in INSTALL. Be sure to read everything in INSTALL about this.Thanks, but that's unfortunately not really an option for me. :-(I very strongly prefer to only install Debian packages directly from the Debian repository. Otherwise the burden would be on me to watch the upstream codebase and recompile every time there's an update. I can't spend that time, I'm not doing it for a living, it's a privately-run server, and it's not even a hobby anymore...
This conservative approach at some point stops working. Looking through the Changelog: FAM/Gamin was replaced with inotify in 2021. I do not remember what versions are in Debian, but I'm pretty sure they're even older than that.
Since Courier has not had a security issue in a long time I'm guessing that there's never been a reason for Debian to update the package. However the rest of the distribution keeps on with the forward march of progress. So it's only a matter of time before there's an interoperability issue of some kind.
But one can go even beyond that. Depending on one's paranoia level, and the amount of PHBs in the vicinity, it can be argued that there was a security issue, and Debian /should/ be pushing out updated packages. The same release of Courier that switched to inotify was also the release that implemented the TLS ALPN extension (https://en.wikipedia.org/wiki/Application- Layer_Protocol_Negotiation),
A number of self-promoting, mostly vacuous "security scanners" detect lack of ALPN support as a security issue. One could try creating a Debian bug that their version of Courier is too old and does not comply with modern security standards, and that an updated package with the current version, that enables ALPN, is in order. Since I don't maintain the Debian distribution packages, I won't be able to do much there. The only thing I can do is to have a turnkey solution to building .debs for Debian or Ubuntu, directly from the source tarball. Which I did.
pgpmWUGuB4M2O.pgp
Description: PGP signature
_______________________________________________ Courier-imap mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
