Re: [Dovecot-news] Headsup on feature removal
Hello Aki

Can you elaborate about memory management issues in liblzma & dovecot?

Regards

On 19/03/2020 at 20:07, Aki Tuomi wrote:
> After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compression algorithms instead. (We are also adding zstandard support in 2.3.11.)

Re: [Dovecot-news] Headsup on feature removal
For the record, the SQL method will not always work in every environment, and might entail a lot more overhead in some environments than the simpler 'checkpassword' methods.

Q. How many people use the checkpassword method still on this list?

Might recommend that be left in longer, however wave a hand if you need someone to take over support on that end..

On 2020-03-19 12:07 p.m., Aki Tuomi wrote:
> Hi!
>
> We appreciate the feedback we have received from everyone, and we have discussed it internally.
>
> The features we are removing are deprecated and should not have been used anymore. They all have alternatives that work equally well if not better.
>
> For the authentication drivers, you can use passwd, pam and Lua as replacements for most of them. Lua in particular allows good integration with just about any external system. VPopmail can be replaced with SQL authentication.
>
> For password schemes, we have a guide: https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
>
> Memcached should be replaced with redis.
>
> The expire, autocreate and autosubscribe plugins can be replaced with namespace settings:
>
>     namespace {
>       mailbox Name {
>         auto = create or subscribe
>         autoexpunge = value
>       }
>     }
>
> See the mailbox configuration documentation at https://doc.dovecot.org/configuration_manual/namespace/#mailbox-settings.
>
> fts-squat can be replaced with Solr. squat has been considered obsolete (and that has been also indicated in documentation) since at least 2014.
>
> After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compression algorithms instead. (We are also adding zstandard support in 2.3.11.)
>
> You can switch your repository configuration to not use the ce-2.3-latest symlink, but rather to use a specific version (e.g., ce-2.3.10) giving you the control about when the system upgrades to a new version without missing out on CVE fixes in updated packages.
>
> Finally, I want to point out that we will be happy if someone wants to start maintaining a feature we are planning to remove.
>
> Aki

-- 
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Re: [Dovecot-news] Headsup on feature removal
Hi!

We appreciate the feedback we have received from everyone, and we have discussed it internally.

The features we are removing are deprecated and should not have been used anymore. They all have alternatives that work equally well if not better.

For the authentication drivers, you can use passwd, pam and Lua as replacements for most of them. Lua in particular allows good integration with just about any external system. VPopmail can be replaced with SQL authentication.

For password schemes, we have a guide: https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Memcached should be replaced with redis.

The expire, autocreate and autosubscribe plugins can be replaced with namespace settings:

    namespace {
      mailbox Name {
        auto = create or subscribe
        autoexpunge = value
      }
    }

See the mailbox configuration documentation at https://doc.dovecot.org/configuration_manual/namespace/#mailbox-settings.

fts-squat can be replaced with Solr. squat has been considered obsolete (and that has been also indicated in documentation) since at least 2014.

After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compression algorithms instead. (We are also adding zstandard support in 2.3.11.)

You can switch your repository configuration to not use the ce-2.3-latest symlink, but rather to use a specific version (e.g., ce-2.3.10) giving you the control about when the system upgrades to a new version without missing out on CVE fixes in updated packages.

Finally, I want to point out that we will be happy if someone wants to start maintaining a feature we are planning to remove.

Aki

Re: [Dovecot-news] Headsup on feature removal
On 18-03-2020 22:55, Noel Butler wrote:
> On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:
>> I fully agree with this:
>>
>>> Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.
>
> I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.
>
> None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.
>
> Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten.
>
> Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.

I have to say that I also cannot understand why you're going to remove features from a dot release. You can give the heads-up here, but it is not common-practice and will very likely break a lot of setups.

It's understandable that you want to remove features that are hardly used or maintained, but not in a dot release. Please reconsider this removal, and remove those features as of the next major release.

-- 
Kind regards,
Rob

Re: [Dovecot-news] Headsup on feature removal
Thank you for the heads-up notification. It is very helpful for planning.

Unfortunately we do not allow any languages to be installed on production systems (per the security people). As we do use autocreate/subscribe plugins, could you please direct us to any workaround for our current use of

    plugin {
      autocreate = Sent
      autocreate2 = Drafts
      autocreate3 = SPAM
      autocreate4 = Junk E-mail
      autosubscribe = Sent
      autosubscribe2 = Drafts
      autosubscribe3 = SPAM
      autosubscribe4 = Junk E-mail
      quota = maildir:User quota
      ...

I'm sure that many would appreciate any pointers or advice to any other plugin replacement methods or is the user-base expected to learn lua?

We have used dovecot and greatly appreciate the work that the dovecot team have provided for us.

Kind regards,
Dewayne.

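An added example, not part of the thread and not Dovecot's own code: a small Python helper that rewrites the autocreate/autosubscribe plugin settings quoted in the message above into the built-in namespace mailbox settings named in the announcement. The namespace name `inbox` and the function names are assumptions; the output is plain Dovecot configuration, so the helper can run on any workstation rather than on the mail server.

```python
import re

# Constructed sample input: the legacy settings quoted in the message above
# (the quota line and the elided remainder are left out).
LEGACY = """\
plugin {
  autocreate = Sent
  autocreate2 = Drafts
  autocreate3 = SPAM
  autocreate4 = Junk E-mail
  autosubscribe = Sent
  autosubscribe2 = Drafts
  autosubscribe3 = SPAM
  autosubscribe4 = Junk E-mail
}
"""

# Matches autocreate, autocreate2, ..., autosubscribe, autosubscribe2, ...
SETTING = re.compile(r"^\s*(autocreate|autosubscribe)\d*\s*=\s*(.+?)\s*$")

def parse_legacy(text):
    """Return {mailbox name: set of legacy plugins that list it}, in file order."""
    boxes = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            boxes.setdefault(m.group(2), set()).add(m.group(1))
    return boxes

def to_namespace(boxes, namespace="inbox"):
    """Render mailbox blocks; the namespace name "inbox" is an assumption."""
    out = [f"namespace {namespace} {{"]
    for name, kinds in boxes.items():
        # auto = subscribe also creates the mailbox, so it covers a name
        # listed under both plugins; autocreate alone maps to auto = create.
        auto = "subscribe" if "autosubscribe" in kinds else "create"
        # Names containing whitespace must be quoted in dovecot.conf.
        quoted = f'"{name}"' if re.search(r"\s", name) else name
        out += [f"  mailbox {quoted} {{", f"    auto = {auto}", "  }"]
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_namespace(parse_legacy(LEGACY)))
```

Review the generated block with `doveconf -n` on a test instance before dropping the plugin settings.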
Re: [Dovecot-news] Headsup on feature removal
On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:
> I fully agree with this:
>
>> Please consider holding off on removing features for the next major
>> release, 2.4.0 instead. It makes sense to retain, in as much as is
>> possible, feature backwards compatibility across a major release.

I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.

None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.

Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten.

Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.

-- 
Kind Regards,
Noel Butler

This Email, including attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate any part of this message without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.

RE: [Dovecot-news] Headsup on feature removal
I fully agree with this:

> Please consider holding off on removing features for the next major
> release, 2.4.0 instead. It makes sense to retain, in as much as is
> possible, feature backwards compatibility across a major release.

Re: [Dovecot-news] Headsup on feature removal
xz compression support for mdbox is used extensively here. Why are you planning to remove it?

On 17/03/2020 at 7:50, Aki Tuomi wrote:
> Hi!
>
> Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository. We are starting to gradually remove some of these parts, which are unused, untested or deprecated.
>
> We will provide advance notification before removing anything. To start, the following features are likely to be removed in next few releases of Dovecot.
>
> - Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia
> - Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
> - Authentication mechanisms: ntlm, rpa, skey
> - Dict drivers: memcached, memcached-ascii (use redis instead)
> - postfix postmap support
> - autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)
> - expire plugin (use built-in autoexpunge setting)
> - fts-squat plugin
> - mailbox alias plugin
> - mail-filter plugin
> - snarf plugin
> - xz compression algorithm
>
> For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication/
>
> For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
>
> If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.
>
> Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.
>
> Please contact us via the mailing list if you have any questions.
>
> Regards,
> Dovecot Team
> ___
> Dovecot-news mailing list
> dovecot-n...@dovecot.org
> https://dovecot.org/mailman/listinfo/dovecot-news

Re: [Dovecot-news] Headsup on feature removal
18.03.20, 04:32 CET, Peter:
> Please consider holding off on removing features for the next major
> release, 2.4.0 instead. It makes sense to retain, in as much as is
> possible, feature backwards compatibility across a major release.

Seconded! That you are going to drop features from the code base that are old and rarely used is understandable. Doing so in a minor release is not.

-- 
Regards
mks

Re: [Dovecot-news] Headsup on feature removal
On 17/03/20 7:50 pm, Aki Tuomi wrote:
> Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository. We are starting to gradually remove some of these parts, which are unused, untested or deprecated.
>
> We will provide advance notification before removing anything. To start, the following features are likely to be removed in next few releases of Dovecot.
>
> If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Allow me to formally express my objections here. You provide repositories that automatically upgrade dovecot through point releases on various different package management systems, so here's what is going to happen:

Anyone that uses features you remove in 2.3.11 will have dovecot break on them simply by running "yum update" (or equivalent) at that time. This could be production systems that have been running for years on platforms such as CentOS 7. Then things will break again in 2.3.12 (assuming you remove features then), and in 2.3.13, etc.

So you want to have a product that has a reputation for purposefully breaking installations just for running security updates?

Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.

Peter