Hi. On Tue, Oct 27, 2020 at 10:19:01AM -0400, Celejar wrote: > On Tue, 27 Oct 2020 17:02:22 +0300 > Reco <recovery...@enotuniq.net> wrote: > > > Hi. > > > > On Tue, Oct 27, 2020 at 01:31:19PM +0000, mick crane wrote: > > > > this was just a quick heads-up for those who are stuck > > > > on getmail like i am (and quite happy with it). :) > > > > > > > > > > as far as getmail goes maintainer thinks is an unnecessary panic. > > > > > > ""getmail goes out of official support by my distro" may be a theoretical > > > problem, or a philosophical one, but it it certainly is not a significant > > > practical problem. > > > > Indeed. Switch back to fetchmail, because the less you're depending on > > python and the software that uses it - the better ;) > > Here's the getmail author's opinion of why getmail is preferable to > fetchmail: > > http://pyropus.ca/software/getmail/faq.html#faq-about-why > > Doubtless opinionated, and certainly dated, but would you or anyone > else here care to comment?
It boils down to two things: 1) Configuration of fetchmail is teh hard. If I have to choose between hard-to-configure software and will-cease-to function software - I always go with the first variety. YMMV. 2) Fetchmail is insecure, getmail is bulletproof. As [1] and [2] show us - it's true somewhat. fetchmail has 5 times more known vulnerabilities than getmail. Problem with such numbers approach is - last reported CVE for fetchmail is dated 2012, and for getmail it's 2014. I.e. both can be considered secure enough in this regard. CVE-2020-5239 - [1] - corresponds to some *person* (let's put it this way) who apparently thought that putting outdated fetchmail in docker along with the unspecified Agile/Scrumm-level quality "fetchmail script" will make things secure by some magic. A morale of the story here - running a random docker image is comparable to running a random binary downloaded from the Internet as far as security concerned. And my favorite: "getmail users have not had to worry about any of these security holes or design and implementation errors". Instead getmail users have to worry about [3]. It's not php-level mess - [4], but venerable nevertheless. Reco [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=getmail [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fetchmail [3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python [4] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=php