severity 1006633 important
retitle 1006633 procmail is unmaintained upstream

Hi.

I could understand that we want to get rid of unmaintained software, but please do not inflate severities, at least while the discussion takes place and a consensus that the package should be removed has not been reached. This package is optional, and we are not forcing anybody to use it. If we had kept the extra priority, I would be glad to put it in "extra", but extra does not exist anymore.

There are some things which need a clarification because they are not 100% accurate.

On 1/3/22 at 3:11, Antoine Beaupre wrote:
# unmaintained

procmail is unmaintained. the "Final release", according to
Wikipedia[1], dates back to September 10, 2001 (3.22). this is the
release that is shipped with Debian, although we do have *26*
debian-specific uploads on top of that (3.22-26, in all suites since
buster).

The Debian package is actually based on version "3.23pre" since version 3.22-21, dated 2013-10-15. I know this is a very minor correction, but I think it's important to state the facts right.

While it's true that procmail has not been maintained upstream for a long time, Debian is absolutely within its rights to maintain its own version without an upstream; that's one of the properties of free software.

the last maintainer of procmail explicitly advised us (in #769938) and
other projects (e.g. OpenBSD, in [2]) to stop shipping it.

Same as before, Debian is within its rights to follow this advice or not.

That Debian bug report is still open, and concerns a NULL pointer
dereference.

I've just made an upload to fix that bug.

Debian security people: Is there a CVE for Bug #769938? Maybe this
should be backported for stable as well.

I do not know if it is exploitable. Strangely, the
original procmail author (Stephen R. van den Berg, presumably) wrote
in that bug report *last year* saying that was "Fixed in upcoming 3.23
release", which has been targeted for release for all of those last 20
years.

I guess he did not refer to the version which was "upcoming 20 years ago", but to the git version on which he was working in the last years.

In either case, I'm Cc:ing Stephen, who some time ago was preparing a release which included all the Debian fixes so far.

Stephen: If you intend to release a new procmail version, please do so.

Thanks.
