On 2024-11-14 03:08, Sam Varshavchik wrote:
> Ralf Bergs writes:
>
>> On 2024-11-12 14:05, Sam Varshavchik wrote:
>>> Ralf Bergs writes:
>>>
>>>> Since probably 15+ years already I'm seeing "imapd-ssl: Timeout initializing the FAM library. Your FAM library is broken" warnings from Courier.
>>>
>>> The best way is to update to the current version which no longer uses gamin. And the best way to update is to uninstall both courier-imap and courier-unicode, and then build debs from the current version of both packages, following the instruction in INSTALL. Be sure to read everything in INSTALL about this.
>>
>> Thanks, but that's unfortunately not really an option for me. :-(
>>
>> I very strongly prefer to only install Debian packages directly from the Debian repository. Otherwise the burden would be on me to watch the upstream codebase and recompile every time there's an update. I can't spend that time, I'm not doing it for a living, it's a privately-run server, and it's not even a hobby anymore...
>
> This conservative approach at some point stops working. Looking through the Changelog: FAM/Gamin was replaced with inotify in 2021. I do not remember what versions are in Debian, but I'm pretty sure they're even older than that.

Debian stable is using "1.0.16" currently, which is from March 2021. Duh. :-(

> Since Courier has not had a security issue in a long time I'm guessing that there's never been a reason for Debian to update the package. However the rest of the distribution keeps on with the forward march of progress. So it's only a matter of time before there's an interoperability issue of some kind.

Yup, I mostly agree.

> But one can go even beyond that. Depending on one's paranoia level, and the amount of PHBs in the vicinity, it can be argued that there was a security issue, and Debian /should/ be pushing out updated packages.

But it's just guessing, no evidence, right? Which might not be the best motivation for the Debian guys... ;-)

> The same release of Courier that switched to inotify was also the release that implemented the TLS ALPN extension (https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation),
>
> A number of self-promoting, mostly vacuous "security scanners" detect lack of ALPN support as a security issue.

I work as a security guy in my day job, and I would not buy into that assessment. Calling these tools "vacuous" is a correct qualification, methinks. :-)

> Since I don't maintain the Debian distribution packages, I won't be able to do much there. The only thing I can do is to have a turnkey solution to building .debs for Debian or Ubuntu, directly from the source tarball. Which I did.

Thank you very much for your good work, I appreciate it. And I might reconsider my view and do the "manual" upgrade anyway if/when I have some time during the Xmas break, which is not too far away...

Kind regards,

Ralf


_______________________________________________
Courier-imap mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
