Hi Laura,

I understand your frustration but if you are relying on Dovecot for a
commercial solution, I believe your anger is misguided. The open
source project has no duty nor do they have to guarantee anything.
Open source means everyone can contribute, but in this case, only one
major contributor exists.

My advice for anyone facing similar frustrations is to contribute the
proper code to 2.3 to make it compatible with OpenSSL 3.0. Failing
that, you can hire competent programmers and have them contribute the
code to the public GitHub repository.

No, I don't work for OpenXChange but I do maintain a few open source
projects and am accustomed to people's expectations to get commercial
grade software...for free.

Cheers

On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:



You are conflating OS with packages.  I don't think you'll find any
OS making promises about packages. 

And even if it were the case, you are expecting a community patch
based on what exactly ? OpenSSL are not releasing the code to
non-premium customers, and as Aki has repeatedly told us here, OpenSSL
3.0 is vastly different to 1.1.1, so it's not like you can expect to
magically invent a patch based on the OpenSSL 3.0 code (even if it may
be true for a limited number of circumstances, it won't be true for
all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version
of OpenSSL, anything else is wishful thinking based on excess
expectations, frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff wrote:

> They likely do not, but vulnerabilities reported are also patched
> for the duration of the OS lifecycle. With or without premium access.
> Since that's what the OS has committed to, unless they pull a redhat
> and deprecate an OS before initial EOL date.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith 
> Sent: Wednesday, June 26, 2024 2:06:44 PM
> To: Lucas Rolff 
> Cc: Aki Tuomi ; Laura Smith via dovecot ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> So you're saying other operating systems magically get access to
> OpenSSL premium ?  I somehow doubt it.
> 
> 
> 
> 
> On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
> 
> > That Debian doesn't patch their LTS releases properly like other
> > operating systems, should probably be brought up with the Debian
> > release and security teams.
> > 
> > Sent from Outlook for iOS
> > 
> > From: Laura Smith via dovecot 
> > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > To: Aki Tuomi 
> > Cc: Laura Smith via dovecot ; Michael 
> > Subject: Re: Debian Bookworm packages, please !
> > 
> > The fundamental problem here is that this turns into a security
> > problem, which in 2024 is not a nice thing to have.
> > 
> > Yes, theoretically I could run the previous Debian release, 11
> > Bullseye which is now EOL but in LTS until 2026.
> > 
> > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS
> > patches delivered by Debian are based on public patches, so basically
> > there will be no OpenSSL patches because OpenSSL moved 1.1.1 to
> > premium support only, *INCLUDING* security patches, as described on
> > their website ("It will no longer be receiving publicly available
> > security fixes after that date")
> > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> > 
> > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian
> > provided 2.3 package. "be careful it's broken" is not a warning a good
> > sysadmin takes lightly.
> > 
> > Meanwhile, if we're lucky, we might get 2.4 this side of Christmas
> > 2024.
> > 
> > It's all a bit of a mess. It's all a bit worrying.
> > 
> > Meanwhile alternatives are few and far between, and I suspect
> > Dovecot knows that !   The Dovecot community are left between the
> > proverbial rock and a hard place.
> > 
> > Cyrus is now dependent on the commercial goodwill of FastMail,
> > which brings thoughts of comparisons with Dovecot and OpenXChange.
> > 
> > Stalwart, whilst extraordinarily promising, needs another year or
> > so of development to reach v1 and mature the code.
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-le...@dovecot.org