* Joerg Jaspert: >>> It isn't just about choosing not to install it, it causes work for the >>> various teams in Debian - security, release, QA.=20 >> We've discussed this at the Security Team meeting in Essen and we don't >> have a problem with qmail being included in Lenny. > > Are you aware that qmail and its related packages do have a LOT of code > duplication?
Personally, I'm more concerned about manual constant propagation in some parts of the code base (like using the integer literal 4 for the size of an IPv4 address), and similar coding style issues. But this is certainly not restricted to qmail (Bernstein's DNS code suffers from that to a higher degree, and it's in the archive). We have such issues in many, many packages, including recent additions to the archive. Like Moritz, I don't see issues with security support, provided that the number of additional patches is rather small. (To my knowledge, badly patched qmail with a SMTP AUTH bypass vulnerability was one of the few MTAs which were actually exploited to send spam in recent times.) I'm also not sure if upstream can be considered dead, and arguments along that line are not very convincing because similar criticism could be brought against our default MTA. I can understand that people have strong feelings. I'm willing to provide security support, but it's extremely unlikely that I'll run qmail on production MTAs ever again. 8-/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]