Re: Debian Bookworm packages, please !

2024-07-17 Thread Noah Meyerhans via dovecot
On Tue, Jun 25, 2024 at 01:58:21PM +, Laura Smith via dovecot wrote:
> Debian Bookworm (12) was released June 2023.
> 
> It is therefore somewhat disappointing to see no Bookworm packages in 
> https://repo.dovecot.org/ce-2.3-latest/debian/

Apologies for resurrecting what seems to have become something of a
heated thread.  I am one of the maintainers of Dovecot within Debian.
Debian 12 (bookworm) ships with Dovecot 2.3.19.  Builds of 2.3.21 are
available via the bookworm backports repository.  I encourage you to try
these packages.  Reports of problems with either of the available
versions have proven to be quite rare.  I have personally never
encountered any, though my production mail infrastructure may not be as
large or complex as others.

This is not to say that you'll never encounter any issues, but as usual,
if you do encounter any, please report them via bugs.debian.org.

noah

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


AW: [EXT] Re: Debian Bookworm packages, please !

2024-07-01 Thread MK via dovecot
Here also. We are using the debian 12 provided package since 11/2023 and until 
now we have no problems with handling 50k and more simultaneous TLS 
connections. 

I would also be interested in some more information what the problems are 
debian had with this package, beyond the mail crypt plugin. 

Greetings,
Oliver

-Original Message-
From: Bernardo Reino via dovecot
Sent: Thursday, 27 June 2024 13:18
To: Peter via dovecot
Subject: [EXT] Re: Debian Bookworm packages, please !

On Thu, 27 Jun 2024, Peter via dovecot wrote:

> On 27/06/24 06:48, pgnd via dovecot wrote:
>>  for anyone interested, for dovecot v2.3.14+ @ Fedora,
>>
>>
>> https://src.fedoraproject.org/rpms/dovecot/blob/rawhide/f/dovecot-2.3.14-opensslv3.patch
>
>>  dovecot hums along nicely.
>>  i've not seen a _crash_ in _many_ moons (quick looking thru ~ 18mos of
>>  logs) ...
>
> I can report the same thing with EL9 and ghettoforge dovecot which 
> uses the same patch.  I haven't had any crashes either, but if you're 
> really concerned you can always set Restart=on-failure in the systemd 
> service (I haven't had to yet which says something, imo)

FWIW I've been using the debian-provided dovecot since the release of bookworm 
and have not had a single crash.

> That said I don't use the mail crypt plugin so I can't attest to what 
> happens with that.

Ditto.

Cheers,
Bernardo


Re: Debian Bookworm packages, please !

2024-06-27 Thread John Fawcett via dovecot


On 26/06/2024 20:48, pgnd via dovecot wrote:

> for anyone interested, for dovecot v2.3.14+ @ Fedora,
>
> https://src.fedoraproject.org/rpms/dovecot/blob/rawhide/f/dovecot-2.3.14-opensslv3.patch




Until this discussion started I didn't realize that I've been using the 
unsupported version of openssl 3 for quite some time with dovecot 2.3.21 
on Fedora 39 and probably previous versions of Fedora too, without any 
issues. As others have mentioned it may depend on which features are in use.


I actually also compiled a vanilla 2.3.21 (i.e. without the fedora 
patches) for development work and didn't see any issues, though I 
wouldn't use it for a live system without the patches.


I can understand that with 2.4 getting quite close (and after having 
originally an earlier plan for it) that Ox wasn't planning to invest in 
backporting stuff to 2.3 branches. There is nothing stopping the 
community from doing that where needed. But given the issues mentioned, 
can anyone point to reproducible issue reports with the current packaged 
versions in Debian? (apart from the non working mail crypt plugin 
mentioned by Aki).


Thanks

John





Re: Debian Bookworm packages, please !

2024-06-27 Thread Bernardo Reino via dovecot

On Thu, 27 Jun 2024, Peter via dovecot wrote:


> On 27/06/24 06:48, pgnd via dovecot wrote:
>>  for anyone interested, for dovecot v2.3.14+ @ Fedora,
>>
>> https://src.fedoraproject.org/rpms/dovecot/blob/rawhide/f/dovecot-2.3.14-opensslv3.patch
>
>>  dovecot hums along nicely.
>>  i've not seen a _crash_ in _many_ moons (quick looking thru ~ 18mos of
>>  logs) ...
>
> I can report the same thing with EL9 and ghettoforge dovecot which uses the
> same patch.  I haven't had any crashes either, but if you're really concerned
> you can always set Restart=on-failure in the systemd service (I haven't had
> to yet which says something, imo)

FWIW I've been using the debian-provided dovecot since the release of bookworm 
and have not had a single crash.

> That said I don't use the mail crypt plugin so I can't attest to what happens
> with that.


Ditto.

Cheers,
Bernardo


Re: Debian Bookworm packages, please !

2024-06-27 Thread Laura Smith via dovecot

My understanding was that OX were hoping for a 6-figure sum, or, at best, a 
high 5-figure.

Certainly as far as I am aware nothing was ever going to be on the table for 
4-figures or below.

If sales have changed their mind and introduced affordable options for 
non-large-scale deployments then that’s great.

 But I know at least 10 people who all had the same experience as me, $ or 
nothing. 


On Thu, Jun 27, 2024 at 09:33, Aki Tuomi via dovecot  
wrote:
Although things do change in our sales too and things are not set in stone. 
There are some floor limit, but I know that megabucks are not needed to buy pro 
licenses.

Aki

> On 27/06/2024 11:03 EEST Laura Smith via dovecot  wrote:
>
>
> Perhaps try reading my last post Scott.
>
> Perhaps especially the bit where I said OX were offered money but they were 
> not interested without megabucks being spent.
>
> As others have said, take your cheap, unsubstantiated, attacks elsewhere chum.
>
>
>
> On Wednesday, 26 June 2024 at 21:24, Scott Q. via dovecot 
>  wrote:
>
> > What's her point really ? That someone owes her up to date,
> > FREE, secure software that she wants to use in a commercial setting
> > ?
> >


Re: Debian Bookworm packages, please !

2024-06-27 Thread Aki Tuomi via dovecot
Although things do change in our sales too and things are not set in stone. 
There are some floor limit, but I know that megabucks are not needed to buy pro 
licenses.

Aki

> On 27/06/2024 11:03 EEST Laura Smith via dovecot  wrote:
> 
>  
> Perhaps try reading my last post Scott.
> 
> Perhaps especially the bit where I said OX were offered money but they were 
> not interested without megabucks being spent.  
> 
> As others have said, take your cheap, unsubstantiated, attacks elsewhere chum.
> 
> 
> 
> On Wednesday, 26 June 2024 at 21:24, Scott Q. via dovecot 
>  wrote:
> 
> > What's her point really ? That someone owes her up to date,
> > FREE, secure software that she wants to use in a commercial setting
> > ?
> > 


Re: Debian Bookworm packages, please !

2024-06-27 Thread Laura Smith via dovecot
Perhaps try reading my last post Scott.

Perhaps especially the bit where I said OX were offered money but they were not 
interested without megabucks being spent.  

As others have said, take your cheap, unsubstantiated, attacks elsewhere chum.



On Wednesday, 26 June 2024 at 21:24, Scott Q. via dovecot  
wrote:

> What's her point really ? That someone owes her up to date,
> FREE, secure software that she wants to use in a commercial setting
> ?
> 


Re: Debian Bookworm packages, please !

2024-06-26 Thread Peter via dovecot

On 27/06/24 06:48, pgnd via dovecot wrote:

> for anyone interested, for dovecot v2.3.14+ @ Fedora,
>
> https://src.fedoraproject.org/rpms/dovecot/blob/rawhide/f/dovecot-2.3.14-opensslv3.patch
>
> dovecot hums along nicely.
> i've not seen a _crash_ in _many_ moons (quick looking thru ~ 18mos of
> logs) ...


I can report the same thing with EL9 and ghettoforge dovecot which uses 
the same patch.  I haven't had any crashes either, but if you're really 
concerned you can always set Restart=on-failure in the systemd service 
(I haven't had to yet which says something, imo)


That said I don't use the mail crypt plugin so I can't attest to what 
happens with that.



Peter


Re: Debian Bookworm packages, please !

2024-06-26 Thread Benny Pedersen via dovecot

Scott Q. via dovecot wrote on 2024-06-26 20:50:

> In your stead, I'd be happy and say thank you that a serious company
> is making such a huge public/free contribution.


i can only say i am happy gentoo user with dovecot, but i would like to 
pay for dovecot-pro, but its not avail anywhere sadly


just finding that free dovecot have less good support after dovecot-pro 
existing now, that part is sad


but lifes continues anyway :)





Re: Debian Bookworm packages, please !

2024-06-26 Thread Scott Q. via dovecot
What's her point really ? That someone owes her up to date,
FREE,  secure software that she wants to use in a commercial setting
?

This has been debated ad nauseam. Get your expectations in check.

https://news.ycombinator.com/item?id=38301710

On Wednesday, 26/06/2024 at 16:13 Simon B via dovecot wrote:



With all due respect, you're welcome to disagree with Laura's point, but
she does have one.

So, please take your ad hominem attacks elsewhere.

Regards

Simon


On Wed, 26 Jun 2024, 21:55 Michael Tokarev via dovecot, 
wrote:

> Can we please stop this thread here?
>
> Clearly, Laura does not seek solutions, the intention seems to be shouting
> at people.
>
> As they say, don't feed the trolls, - don't give more causes for shouting.
> Let this thread die in peace.
>
> Thanks,
>
> /mjt
>
> 26.06.2024 22:26, Laura Smith via dovecot wrote:
> >> Why do you care about the repo then ? Use the patch locally,
> >> publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
> >> do you care if it's in the public tree or not.
> >
> >
> > Because Aki has been shouting from the rooftops here that "beware, its
> > not that easy, Dovecot crashes with OpenSSL 3.0".
> >
> > Aki has seen the OpenSSL 3 code already present in Debian (and Ubuntu
> > and Fedora, its the same code) and supposedly that causes crashes.
> >
> > I'm sure the people who submitted code to the Fedora tree are much
> > better programmers than I am, and if their efforts are not good enough,
> > then, well...
> >
> > So, if we rephrase it, Aki is effectively telling people not to waste
> > their time trying to patch OpenSSL 3.0 compatibility into 2.3
>


Re: Debian Bookworm packages, please !

2024-06-26 Thread Simon B via dovecot
With all due respect, you're welcome to disagree with Laura's point, but
she does have one.

So, please take your ad hominem attacks elsewhere.

Regards

Simon


On Wed, 26 Jun 2024, 21:55 Michael Tokarev via dovecot, 
wrote:

> Can we please stop this thread here?
>
> Clearly, Laura does not seek solutions, the intention seems to be shouting
> at people.
>
> As they say, don't feed the trolls, - don't give more causes for shouting.
> Let this thread die in peace.
>
> Thanks,
>
> /mjt
>
> 26.06.2024 22:26, Laura Smith via dovecot wrote:
> >> Why do you care about the repo then ? Use the patch locally,
> >> publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
> >> do you care if it's in the public tree or not.
> >
> >
> > Because Aki has been shouting from the rooftops here that "beware, its
> > not that easy, Dovecot crashes with OpenSSL 3.0".
> >
> > Aki has seen the OpenSSL 3 code already present in Debian (and Ubuntu
> > and Fedora, its the same code) and supposedly that causes crashes.
> >
> > I'm sure the people who submitted code to the Fedora tree are much
> > better programmers than I am, and if their efforts are not good enough,
> > then, well...
> >
> > So, if we rephrase it, Aki is effectively telling people not to waste
> > their time trying to patch OpenSSL 3.0 compatibility into 2.3
>
>


Re: Debian Bookworm packages, please !

2024-06-26 Thread Michael Tokarev via dovecot

Can we please stop this thread here?

Clearly, Laura does not seek solutions, the intention seems to be shouting at 
people.

As they say, don't feed the trolls, - don't give more causes for shouting.
Let this thread die in peace.

Thanks,

/mjt

26.06.2024 22:26, Laura Smith via dovecot wrote:

>> Why do you care about the repo then ? Use the patch locally,
>> publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
>> do you care if it's in the public tree or not.
>
> Because Aki has been shouting from the rooftops here that "beware, its not that
> easy, Dovecot crashes with OpenSSL 3.0".
>
> Aki has seen the OpenSSL 3 code already present in Debian (and Ubuntu and
> Fedora, its the same code) and supposedly that causes crashes.
>
> I'm sure the people who submitted code to the Fedora tree are much better
> programmers than I am, and if their efforts are not good enough, then, well...
>
> So, if we rephrase it, Aki is effectively telling people not to waste their
> time trying to patch OpenSSL 3.0 compatibility into 2.3





Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
> Why do you care about the repo then ? Use the patch locally,
> publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
> do you care if it's in the public tree or not.


Because Aki has been shouting from the rooftops here that "beware, its not that 
easy, Dovecot crashes with OpenSSL 3.0".

Aki has seen the OpenSSL 3 code already present in Debian (and Ubuntu and 
Fedora, its the same code) and supposedly that causes crashes.

I'm sure the people who submitted code to the Fedora tree are much better 
programmers than I am, and if their efforts are not good enough, then, well...

So, if we rephrase it, Aki is effectively telling people not to waste their 
time trying to patch OpenSSL 3.0 compatibility into 2.3




Re: Debian Bookworm packages, please !

2024-06-26 Thread Scott Q. via dovecot
Why do you care about the repo then ? Use the patch locally,
publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
do you care if it's in the public tree or not.

Again, no open source project has any responsibility to make sure you
can function the way you want to. It's nothing more than
entitlement. 

In your stead, I'd be happy and say thank you that a serious company
is making such a huge public/free contribution.

Cheers

On Wednesday, 26/06/2024 at 14:04 Laura Smith wrote:




I suggest you descend rapidly off your high horse Scott, for two
reasons:

* I know people who have approached OpenXChange for commercial
Dovecot support. TL;DR OpenXChange are basically not interested unless
you're going to spend the big-bucks (i.e. if you're not a major
ISP/Telco  or something, forget about it).
* As Aki has demonstrated with his denigration of the 2.3 patches in
the Debian tree, they are clearly not particularly interested in
contributions to make 2.3 OpenSSL 3.0 compatible.
* Perhaps most importantly, As Aki has stated, they have no intention
in making 2.3 OpenSSL 3.0 compatible ... ergo they would never merge
my patch into the tree ... ergo it will never be on the Dovecot repo
... ergo I would have wasted my time.

 


On Wednesday, 26 June 2024 at 14:47, Scott Q.  wrote:


 Hi Laura,

I understand your frustration but if you are relying on Dovecot for a
commercial solution, I believe your anger is misguided. The open
source project has no duty nor do they have to guarantee anything.
Open source means everyone can contribute, but in this case, only one
major contributor exists.

My advice for anyone facing similar frustrations is to contribute the
proper code to 2.3 to make it compatible with OpenSSL 3.0. Failing
that, you can hire competent programmers and have them contribute the
code to the public GitHub repository.

No, I don't work for OpenXChange but I do maintain a few open source
projects and am accustomed to people's expectations to get commercial
grade software...for free.

Cheers

On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:



You are conflating OS with packages.  I don't think you'll find any
OS making promises about packages. 

And even if it were the case, you are expecting a community patch
based on what exactly ? OpenSSL are not releasing the code to
non-premium customers, and as Aki has repeatedly told us here, OpenSSL
3.0 is vastly different to 1.1.1, so its not like you can expect to
magically invent patch based on the OpenSSL 3.0 code (even if it may
be true for a limited number of circumstances, it won't be true for
all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version
of OpenSSL, anything else is wishful thinking based on excess
expectations, frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  wrote:

> They likely do not, but vulnerabilities reported are also patched
> for the duration of the OS lifecycle. With or without premium access.
> Since that's what the OS has committed to, unless they pull a redhat
> and deprecate an OS before initial EOL date.
>
> Sent from Outlook for iOS
>
> From: Laura Smith
> Sent: Wednesday, June 26, 2024 2:06:44 PM
> To: Lucas Rolff
> Cc: Aki Tuomi ; Laura Smith via dovecot ; Michael
> Subject: Re: Debian Bookworm packages, please !
>
> So you're saying other operating systems magically get access to
> OpenSSL premium ?  I somehow doubt it.
>
> On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
>
> > That Debian doesn't patch their LTS releases properly like other
> > operating systems, should probably be brought up with the Debian
> > release and security teams.
> >
> > Sent from Outlook for iOS
> >
> > From: Laura Smith via dovecot
> > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > To: Aki Tuomi
> > Cc: Laura Smith via dovecot ; Michael
> > Subject: Re: Debian Bookworm packages, please !
> >
> > The fundamental problem here is that this turns into a security
> > problem, which in 2024 is not a nice thing to have.
> >
> > Yes, theoretically I could run the previous Debian release, 11
> > Bullseye which is now EOL but in LTS until 2026.
> >
> > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS
> > patches delivered by Debian are based on public patches, so basically
> > there will be no OpenSSL patches because OpenSSL moved 1.1.1 to
> > premium support only, *INCLUDING* security patches, as described on
> > their website ("It will no longer be receiving publicly available
> > security fixes after that date")
> > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> >
> > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian
> > provided 2.3 package. "be careful it's broken" is not 

Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
I suggest you descend rapidly off your high horse Scott, for two reasons:


1.  I know people who have approached OpenXChange for commercial Dovecot 
support. TL;DR OpenXChange are basically not interested unless you're going to 
spend the big-bucks (i.e. if you're not a major ISP/Telco  or something, forget 
about it).
2.  As Aki has demonstrated with his denigration of the 2.3 patches in the 
Debian tree, they are clearly not particularly interested in contributions to 
make 2.3 OpenSSL 3.0 compatible.
3.  Perhaps most importantly, As Aki has stated, they have no intention in 
making 2.3 OpenSSL 3.0 compatible ... ergo they would never merge my patch into 
the tree ... ergo it will never be on the Dovecot repo ... ergo I would have 
wasted my time.


On Wednesday, 26 June 2024 at 14:47, Scott Q.  wrote:

> Hi Laura,
> I understand your frustration but if you are relying on Dovecot for a 
> commercial solution, I believe your anger is misguided. The open source 
> project has no duty nor do they have to guarantee anything. Open source means 
> everyone can contribute, but in this case, only one major contributor exists.
> 
> My advice for anyone facing similar frustrations is to contribute the proper 
> code to 2.3 to make it compatible with OpenSSL 3.0. Failing that, you can 
> hire competent programmers and have them contribute the code to the public 
> GitHub repository.
> 
> No, I don't work for OpenXChange but I do maintain a few open source projects 
> and am accustomed to people's expectations to get commercial grade 
> software...for free.
> 
> Cheers
> 
> On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:
> 
> > You are conflating OS with packages.  I don't think you'll find any OS 
> > making promises about packages. 
> > 
> > And even if it were the case, you are expecting a community patch based on 
> > what exactly ? OpenSSL are not releasing the code to non-premium customers, 
> > and as Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 
> > 1.1.1, so its not like you can expect to magically invent patch based on 
> > the OpenSSL 3.0 code (even if it may be true for a limited number of 
> > circumstances, it won't be true for all 1.1.1 patches).
> > 
> > The sensible thing to do is to run a current OS with a current version of 
> > OpenSSL, anything else is wishful thinking based on excess expectations, 
> > frankly.
> > 
> > 
> > On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  
> > wrote:
> > 
> > > They likely do not, but vulnerabilities reported are also patched for the 
> > > duration of the OS lifecycle. With or without premium access. Since 
> > > that's what the OS has committed to, unless they pull a redhat and 
> > > deprecate an OS before initial EOL date.
> > >
> > > Sent from Outlook for iOS
> > >
> > > From: Laura Smith 
> > > Sent: Wednesday, June 26, 2024 2:06:44 PM
> > > To: Lucas Rolff 
> > > Cc: Aki Tuomi ; Laura Smith via dovecot 
> > > ; Michael 
> > > Subject: Re: Debian Bookworm packages, please !
> > >
> > > So you're saying other operating systems magically get access to OpenSSL 
> > > premium ?  I somehow doubt it.
> > >
> > >
> > >
> > >
> > > On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  
> > > wrote:
> > >
> > > > That Debian doesn't patch their LTS releases properly like other 
> > > > operating systems, should probably be brought up with the Debian 
> > > > release and security teams.
> > > >
> > > > Sent from Outlook for iOS
> > > >
> > > > From: Laura Smith via dovecot 
> > > > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > > > To: Aki Tuomi 
> > > > Cc: Laura Smith via dovecot ; Michael 
> > > > 
> > > > Subject: Re: Debian Bookworm packages, please !
> > > >
> > > > The fundamental problem here is that this turns into a security 
> > > > problem, which in 2024 is not a nice thing to have.
> > > >
> > > > Yes, theoretically I could run the previous Debian release, 11 Bullseye 
> > > > which is now EOL but in LTS until 2026.
> > > >
> > > > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
> > > > delivered by Debian are based on public patches, so basically there 
> > > > will be no OpenSSL patches because OpenSSL moved 1.1.1 to premium 
> > > > support only, *INCLUDING* security patches, as described on thei

Re: Debian Bookworm packages, please !

2024-06-26 Thread Narcis Garcia via dovecot

+1 here too.
FOSS is FOSS community, not "FOSS service".


On 26/6/24 at 15:47, Scott Q. via dovecot wrote:

> Hi Laura,
>
> I understand your frustration but if you are relying on Dovecot for a
> commercial solution, I believe your anger is misguided. The open
> source project has no duty nor do they have to guarantee anything.
> Open source means everyone can contribute, but in this case, only one
> major contributor exists.
>
> My advice for anyone facing similar frustrations is to contribute the
> proper code to 2.3 to make it compatible with OpenSSL 3.0. Failing
> that, you can hire competent programmers and have them contribute the
> code to the public GitHub repository.
>
> No, I don't work for OpenXChange but I do maintain a few open source
> projects and am accustomed to people's expectations to get commercial
> grade software...for free.
>
> Cheers
>
> On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:
>
> > You are conflating OS with packages.  I don't think you'll find any
> > OS making promises about packages.
> >
> > And even if it were the case, you are expecting a community patch
> > based on what exactly ? OpenSSL are not releasing the code to
> > non-premium customers, and as Aki has repeatedly told us here, OpenSSL
> > 3.0 is vastly different to 1.1.1, so its not like you can expect to
> > magically invent patch based on the OpenSSL 3.0 code (even if it may
> > be true for a limited number of circumstances, it won't be true for
> > all 1.1.1 patches).
> >
> > The sensible thing to do is to run a current OS with a current version
> > of OpenSSL, anything else is wishful thinking based on excess
> > expectations, frankly.
> >
> > On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  wrote:
> >
> > > They likely do not, but vulnerabilities reported are also patched
> > > for the duration of the OS lifecycle. With or without premium access.
> > > Since that's what the OS has committed to, unless they pull a redhat
> > > and deprecate an OS before initial EOL date.
> > >
> > > Sent from Outlook for iOS
> > >
> > > From: Laura Smith
> > > Sent: Wednesday, June 26, 2024 2:06:44 PM
> > > To: Lucas Rolff
> > > Cc: Aki Tuomi ; Laura Smith via dovecot ; Michael
> > > Subject: Re: Debian Bookworm packages, please !
> > >
> > > So you're saying other operating systems magically get access to
> > > OpenSSL premium ?  I somehow doubt it.
> > >
> > > On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
> > >
> > > > That Debian doesn't patch their LTS releases properly like other
> > > > operating systems, should probably be brought up with the Debian
> > > > release and security teams.
> > > >
> > > > Sent from Outlook for iOS
> > > >
> > > > From: Laura Smith via dovecot
> > > > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > > > To: Aki Tuomi
> > > > Cc: Laura Smith via dovecot ; Michael
> > > > Subject: Re: Debian Bookworm packages, please !
> > > >
> > > > The fundamental problem here is that this turns into a security
> > > > problem, which in 2024 is not a nice thing to have.
> > > >
> > > > Yes, theoretically I could run the previous Debian release, 11
> > > > Bullseye which is now EOL but in LTS until 2026.
> > > >
> > > > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS
> > > > patches delivered by Debian are based on public patches, so basically
> > > > there will be no OpenSSL patches because OpenSSL moved 1.1.1 to
> > > > premium support only, *INCLUDING* security patches, as described on
> > > > their website ("It will no longer be receiving publicly available
> > > > security fixes after that date")
> > > > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> > > >
> > > > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian
> > > > provided 2.3 package. "be careful it's broken" is not a warning a good
> > > > sysadmin takes lightly.
> > > >
> > > > Meanwhile, if we're lucky, we might get 2.4 this side of Christmas
> > > > 2024.
> > > >
> > > > Its all a bit of a mess. Its all a bit worrying.
> > > >
> > > > Meanwhile alternatives are few and far between, and I suspect
> > > > Dovecot knows that !   The Dovecot community are left between the
> > > > proverbial rock and a hard place.
> > > >
> > > > Cyrus is now dependent on the commercial goodwill of FastMail,
> > > > which brings thoughts of comparisons with Dovecot and OpenXChange.
> > > >
> > > > Stalwart, whilst extraordinarily promising, needs another year or
> > > > so of development to reach v1 and mature the code.



--

Narcis Garcia

__
I'm using this dedicated address because personal addresses aren't 
masked enough at this mail public archive. Public archive administrator 
should remove and omit any @, dot and mailto combinations against 
automated addresses collectors.



Re: Debian Bookworm packages, please !

2024-06-26 Thread Scott Q. via dovecot
Hi Laura,

I understand your frustration but if you are relying on Dovecot for a
commercial solution, I believe your anger is misguided. The open
source project has no duty nor do they have to guarantee anything.
Open source means everyone can contribute, but in this case, only one
major contributor exists.

My advice for anyone facing similar frustrations is to contribute the
proper code to 2.3 to make it compatible with OpenSSL 3.0. Failing
that, you can hire competent programmers and have them contribute the
code to the public GitHub repository.

No, I don't work for OpenXChange but I do maintain a few open source
projects and am accustomed to people's expectations to get commercial
grade software...for free.

Cheers

On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:



You are conflating OS with packages.  I don't think you'll find any
OS making promises about packages. 

And even if it were the case, you are expecting a community patch
based on what exactly ? OpenSSL are not releasing the code to
non-premium customers, and as Aki has repeatedly told us here, OpenSSL
3.0 is vastly different to 1.1.1, so its not like you can expect to
magically invent patch based on the OpenSSL 3.0 code (even if it may
be true for a limited number of circumstances, it won't be true for
all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version
of OpenSSL, anything else is wishful thinking based on excess
expectations, frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  wrote:

> They likely do not, but vulnerabilities reported are also patched
for the duration of the OS lifecycle. With or without premium access.
Since that's what the OS has committed to, unless they pull a redhat
and deprecate an OS before initial EOL date.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith 
> Sent: Wednesday, June 26, 2024 2:06:44 PM
> To: Lucas Rolff 
> Cc: Aki Tuomi ; Laura Smith via dovecot ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> So you're saying other operating systems magically get access to
OpenSSL premium ?  I somehow doubt it.
> 
> 
> 
> 
> On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
> 
> > That Debian doesn't patch their LTS releases properly like other
> > operating systems, should probably be brought up with the Debian
> > release and security teams.
> > 
> > Sent from Outlook for iOS
> > 
> > From: Laura Smith via dovecot 
> > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > To: Aki Tuomi 
> > Cc: Laura Smith via dovecot ; Michael 
> > Subject: Re: Debian Bookworm packages, please !
> > 
> > The fundamental problem here is that this turns into a security
> > problem, which in 2024 is not a nice thing to have.
> > 
> > Yes, theoretically I could run the previous Debian release, 11
> > Bullseye which is now EOL but in LTS until 2026.
> > 
> > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS
> > patches delivered by Debian are based on public patches, so basically
> > there will be no OpenSSL patches because OpenSSL moved 1.1.1 to
> > premium support only, *INCLUDING* security patches, as described on
> > their website ("It will no longer be receiving publicly available
> > security fixes after that date")
> > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> > 
> > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian
> > provided 2.3 package. "be careful it's broken" is not a warning a good
> > sysadmin takes lightly.
> > 
> > Meanwhile, if we're lucky, we might get 2.4 this side of Christmas
> > 2024.
> > 
> > It's all a bit of a mess. It's all a bit worrying.
> > 
> > Meanwhile alternatives are few and far between, and I suspect
> > Dovecot knows that !   The Dovecot community are left between the
> > proverbial rock and a hard place.
> > 
> > Cyrus is now dependent on the commercial goodwill of FastMail,
> > which brings thoughts of comparisons with Dovecot and OpenXChange.
> > 
> > Stalwart, whilst extraordinarily promising, needs another year or
> > so of development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Narcis Garcia via dovecot

+1

On 26/6/24 at 14:34, Laura Smith via dovecot wrote:

You are conflating OS with packages.  I don't think you'll find any OS making 
promises about packages.

And even if it were the case, you are expecting a community patch based on what 
exactly ? OpenSSL are not releasing the code to non-premium customers, and as 
Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 1.1.1, so 
it's not like you can expect to magically invent a patch based on the OpenSSL 3.0 
code (even if it may be true for a limited number of circumstances, it won't be 
true for all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version of 
OpenSSL, anything else is wishful thinking based on excess expectations, 
frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  wrote:


They likely do not, but vulnerabilities reported are also patched for the 
duration of the OS lifecycle. With or without premium access. Since that's what 
the OS has committed to, unless they pull a redhat and deprecate an OS before 
initial EOL date.

Sent from Outlook for iOS

From: Laura Smith 
Sent: Wednesday, June 26, 2024 2:06:44 PM
To: Lucas Rolff 
Cc: Aki Tuomi ; Laura Smith via dovecot 
; Michael 
Subject: Re: Debian Bookworm packages, please !

So you're saying other operating systems magically get access to OpenSSL 
premium ?  I somehow doubt it.




On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:


That Debian doesn't patch their LTS releases properly like other operating 
systems, should probably be brought up with the Debian release and security 
teams.

Sent from Outlook for iOS

From: Laura Smith via dovecot 
Sent: Wednesday, June 26, 2024 1:31:48 PM
To: Aki Tuomi 
Cc: Laura Smith via dovecot ; Michael 
Subject: Re: Debian Bookworm packages, please !

The fundamental problem here is that this turns into a security problem, which 
in 2024 is not a nice thing to have.

Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
is now EOL but in LTS until 2026.

However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches delivered by 
Debian are based on public patches, so basically there will be no OpenSSL patches because 
OpenSSL moved 1.1.1 to premium support only, *INCLUDING* security patches, as described 
on their website ("It will no longer be receiving publicly available security fixes 
after that date") https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.

Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 package. 
"be careful it's broken" is not a warning a good sysadmin takes lightly.

Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.

It's all a bit of a mess. It's all a bit worrying.

Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
that !   The Dovecot community are left between the proverbial rock and a hard 
place.

Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
thoughts of comparisons with Dovecot and OpenXChange.

Stalwart, whilst extraordinarily promising, needs another year or so of 
development to reach v1 and mature the code.


--

Narcis Garcia

__
I'm using this dedicated address because personal addresses aren't 
masked enough at this mail public archive. Public archive administrator 
should remove and omit any @, dot and mailto combinations against 
automated addresses collectors.



Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
You are conflating OS with packages.  I don't think you'll find any OS making 
promises about packages. 

And even if it were the case, you are expecting a community patch based on what 
exactly ? OpenSSL are not releasing the code to non-premium customers, and as 
Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 1.1.1, so 
it's not like you can expect to magically invent a patch based on the OpenSSL 3.0 
code (even if it may be true for a limited number of circumstances, it won't be 
true for all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version of 
OpenSSL, anything else is wishful thinking based on excess expectations, 
frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  wrote:

> They likely do not, but vulnerabilities reported are also patched for the 
> duration of the OS lifecycle. With or without premium access. Since that's 
> what the OS has committed to, unless they pull a redhat and deprecate an OS 
> before initial EOL date.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith 
> Sent: Wednesday, June 26, 2024 2:06:44 PM
> To: Lucas Rolff 
> Cc: Aki Tuomi ; Laura Smith via dovecot 
> ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> So you're saying other operating systems magically get access to OpenSSL 
> premium ?  I somehow doubt it.
> 
> 
> 
> 
> On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
> 
> > That Debian doesn't patch their LTS releases properly like other operating 
> > systems, should probably be brought up with the Debian release and security 
> > teams.
> > 
> > Sent from Outlook for iOS
> > 
> > From: Laura Smith via dovecot 
> > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > To: Aki Tuomi 
> > Cc: Laura Smith via dovecot ; Michael 
> > 
> > Subject: Re: Debian Bookworm packages, please !
> > 
> > The fundamental problem here is that this turns into a security problem, 
> > which in 2024 is not a nice thing to have.
> > 
> > Yes, theoretically I could run the previous Debian release, 11 Bullseye 
> > which is now EOL but in LTS until 2026.
> > 
> > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
> > delivered by Debian are based on public patches, so basically there will be 
> > no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> > *INCLUDING* security patches, as described on their website ("It will no 
> > longer be receiving publicly available security fixes after that date") 
> > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> > 
> > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> > package. "be careful it's broken" is not a warning a good sysadmin takes 
> > lightly.
> > 
> > Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> > 
> > It's all a bit of a mess. It's all a bit worrying.
> > 
> > Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> > that !   The Dovecot community are left between the proverbial rock and a 
> > hard place.
> > 
> > Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> > thoughts of comparisons with Dovecot and OpenXChange.
> > 
> > Stalwart, whilst extraordinarily promising, needs another year or so of 
> > development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
To support my prior comment, FreeBSD are quite clear about it (see below 
explicit statement on one of their previous Security Advisories) and I expect 
it to be the same with Debian and any other FOSS operating system.

Security Advisory FreeBSD-SA-20:33.openssl CVE-2020-1971: "However, the OpenSSL 
project is only giving patches for that version to premium support contract 
holders. The FreeBSD project does not have access to these patches"

On Wednesday, 26 June 2024 at 13:01, Lucas Rolff via dovecot 
 wrote:

> That Debian doesn't patch their LTS releases properly like other operating 
> systems, should probably be brought up with the Debian release and security 
> teams.
> 
> Sent from Outlook for iOS <https://aka.ms/o0ukef>
> 
> 
> From: Laura Smith via dovecot dovecot@dovecot.org
> 
> Sent: Wednesday, June 26, 2024 1:31:48 PM
> To: Aki Tuomi aki.tu...@open-xchange.com
> 
> Cc: Laura Smith via dovecot dovecot@dovecot.org; Michael m...@hemathor.de
> 
> Subject: Re: Debian Bookworm packages, please !
> 
> The fundamental problem here is that this turns into a security problem, 
> which in 2024 is not a nice thing to have.
> 
> Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
> is now EOL but in LTS until 2026.
> 
> However, the OpenSSL delivered with Bullseye is 1.1.1. Any LTS patches 
> delivered by Debian are based on public patches, so basically there will be 
> no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> INCLUDING security patches, as described on their website ("It will no longer 
> be receiving publicly available security fixes after that date") 
> https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> 
> Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> package. "be careful it's broken" is not a warning a good sysadmin takes 
> lightly.
> 
> Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> 
> It's all a bit of a mess. It's all a bit worrying.
> 
> Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> that ! The Dovecot community are left between the proverbial rock and a hard 
> place.
> 
> Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> thoughts of comparisons with Dovecot and OpenXChange.
> 
> Stalwart, whilst extraordinarily promising, needs another year or so of 
> development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Lucas Rolff via dovecot
They likely do not, but vulnerabilities reported are also patched for the 
duration of the OS lifecycle. With or without premium access. Since that's what 
the OS has committed to, unless they pull a redhat and deprecate an OS before 
initial EOL date.

Sent from Outlook for iOS<https://aka.ms/o0ukef>

From: Laura Smith 
Sent: Wednesday, June 26, 2024 2:06:44 PM
To: Lucas Rolff 
Cc: Aki Tuomi ; Laura Smith via dovecot 
; Michael 
Subject: Re: Debian Bookworm packages, please !

So you're saying other operating systems magically get access to OpenSSL 
premium ?  I somehow doubt it.



On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
That Debian doesn't patch their LTS releases properly like other operating 
systems, should probably be brought up with the Debian release and security 
teams.

Sent from Outlook for iOS<https://aka.ms/o0ukef>

From: Laura Smith via dovecot 
Sent: Wednesday, June 26, 2024 1:31:48 PM
To: Aki Tuomi 
Cc: Laura Smith via dovecot ; Michael 
Subject: Re: Debian Bookworm packages, please !

The fundamental problem here is that this turns into a security problem, which 
in 2024 is not a nice thing to have.

Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
is now EOL but in LTS until 2026.

However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
delivered by Debian are based on public patches, so basically there will be no 
OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
*INCLUDING* security patches, as described on their website ("It will no longer 
be receiving publicly available security fixes after that date") 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.

Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
package. "be careful it's broken" is not a warning a good sysadmin takes 
lightly.

Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.

It's all a bit of a mess. It's all a bit worrying.

Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
that !   The Dovecot community are left between the proverbial rock and a hard 
place.

Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
thoughts of comparisons with Dovecot and OpenXChange.

Stalwart, whilst extraordinarily promising, needs another year or so of 
development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
So you're saying other operating systems magically get access to OpenSSL 
premium ?  I somehow doubt it.




On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:

> That Debian doesn't patch their LTS releases properly like other operating 
> systems, should probably be brought up with the Debian release and security 
> teams.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith via dovecot 
> Sent: Wednesday, June 26, 2024 1:31:48 PM
> To: Aki Tuomi 
> Cc: Laura Smith via dovecot ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> The fundamental problem here is that this turns into a security problem, 
> which in 2024 is not a nice thing to have.
> 
> Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
> is now EOL but in LTS until 2026.
> 
> However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
> delivered by Debian are based on public patches, so basically there will be 
> no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> *INCLUDING* security patches, as described on their website ("It will no 
> longer be receiving publicly available security fixes after that date") 
> https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> 
> Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> package. "be careful it's broken" is not a warning a good sysadmin takes 
> lightly.
> 
> Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> 
> It's all a bit of a mess. It's all a bit worrying.
> 
> Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> that !   The Dovecot community are left between the proverbial rock and a 
> hard place.
> 
> Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> thoughts of comparisons with Dovecot and OpenXChange.
> 
> Stalwart, whilst extraordinarily promising, needs another year or so of 
> development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Lucas Rolff via dovecot
That Debian doesn't patch their LTS releases properly like other operating 
systems, should probably be brought up with the Debian release and security 
teams.

Sent from Outlook for iOS<https://aka.ms/o0ukef>

From: Laura Smith via dovecot 
Sent: Wednesday, June 26, 2024 1:31:48 PM
To: Aki Tuomi 
Cc: Laura Smith via dovecot ; Michael 
Subject: Re: Debian Bookworm packages, please !

The fundamental problem here is that this turns into a security problem, which 
in 2024 is not a nice thing to have.

Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
is now EOL but in LTS until 2026.

However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
delivered by Debian are based on public patches, so basically there will be no 
OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
*INCLUDING* security patches, as described on their website ("It will no longer 
be receiving publicly available security fixes after that date") 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.

Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
package. "be careful it's broken" is not a warning a good sysadmin takes 
lightly.

Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.

It's all a bit of a mess. It's all a bit worrying.

Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
that !   The Dovecot community are left between the proverbial rock and a hard 
place.

Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
thoughts of comparisons with Dovecot and OpenXChange.

Stalwart, whilst extraordinarily promising, needs another year or so of 
development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
The fundamental problem here is that this turns into a security problem, which 
in 2024 is not a nice thing to have.

Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
is now EOL but in LTS until 2026.

However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
delivered by Debian are based on public patches, so basically there will be no 
OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
*INCLUDING* security patches, as described on their website ("It will no longer 
be receiving publicly available security fixes after that date") 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.

Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
package. "be careful it's broken" is not a warning a good sysadmin takes 
lightly.

Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.

It's all a bit of a mess. It's all a bit worrying.

Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
that !   The Dovecot community are left between the proverbial rock and a hard 
place.

Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
thoughts of comparisons with Dovecot and OpenXChange.

Stalwart, whilst extraordinarily promising, needs another year or so of 
development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Aki Tuomi via dovecot


> On 26/06/2024 11:42 EEST Laura Smith via dovecot  wrote:
> 
>  
> > > could you please elaborate on this? are there any security issues with
> > > using the debian version? what are the problems you are implicating with
> > > your above statement, that it's 'not fully working either'?
> > > 
> > > greetings...
> > 
> > 
> > It can sometimes crash.
> > 
> > Aki
> 
> 
> Does Dovecot even care about its open-source community any more ?  We know 
> you've opted to focus on your commercial efforts, that's fine, that's your 
> prerogative.  But at the moment it is feeling like "go closed source or show 
> some more feeling towards the open-source side".
> 
> I mean seriously, "it can sometimes crash", is that all ?
> 
> Does it mean people should not use the Debian packages full stop ?
> 
> Does it mean people can use the Debian packages but not certain 
> configurations ?
> 
> "it can sometimes crash" is basically the same thing as not bothering to post 
> anything at all. shrug.

You can find said crashes on this very mailing list if you'd bother to search. 
Also I know that when I tested it last time, mail crypt plugin didn't work, 
based on our unit & CI tests.

And the patch was not made by us. It was made by someone else, so you are now 
expecting me to fully debug & investigate & report all problems in it to the 
originator?

And no, we are not going closed source. If you are in a hurry to use 2.4, you 
can head out to https://github.com/dovecot/core, clone & build a 2.4 for you as 
soon as you want. It should work well, but it's not release QA'ed yet.

Aki


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot


> > could you please elaborate on this? are there any security issues with
> > using the debian version? what are the problems you are implicating with
> > your above statement, that it's 'not fully working either'?
> > 
> > greetings...
> 
> 
> It can sometimes crash.
> 
> Aki


Does Dovecot even care about its open-source community any more ?  We know 
you've opted to focus on your commercial efforts, that's fine, that's your 
prerogative.  But at the moment it is feeling like "go closed source or show 
some more feeling towards the open-source side".

I mean seriously, "it can sometimes crash", is that all ?

Does it mean people should not use the Debian packages full stop ?

Does it mean people can use the Debian packages but not certain configurations ?

"it can sometimes crash" is basically the same thing as not bothering to post 
anything at all. shrug.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Aki Tuomi via dovecot


> On 26/06/2024 11:17 EEST Michael via dovecot  wrote:
> 
>  
> On Tuesday, June 25, 2024 5:08:15 PM CEST, Aki Tuomi via dovecot wrote:
> > We can already see that the Debian/RedHat patched 2.3 which is 
> > offered is broken because there is more than just "making it 
> > compile" with things like OpenSSL3, and yes, I can appreciate 
> > that it's not fully broken, but it's not fully working either.
> 
> could you please elaborate on this? are there any security issues with 
> using the debian version? what are the problems you are implicating with 
> your above statement, that it's 'not fully working either'?
> 
> greetings...

It can sometimes crash.

Aki


Re: Debian Bookworm packages, please !

2024-06-26 Thread Marc Haber via dovecot
On Tue, Jun 25, 2024 at 06:08:15PM +0300, Aki Tuomi via dovecot wrote:
> We can already see that the Debian/RedHat patched 2.3 which is offered is 
> broken because there is more than just "making it compile" with things like 
> OpenSSL3, and yes, I can appreciate that it's not fully broken, but it's not 
> fully working either.

Are there any bug reports in Debian you could refer to, please?

Greetings
Marc

-- 
-
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421


Re: Debian Bookworm packages, please !

2024-06-26 Thread Michael via dovecot

On Tuesday, June 25, 2024 5:08:15 PM CEST, Aki Tuomi via dovecot wrote:
> We can already see that the Debian/RedHat patched 2.3 which is 
> offered is broken because there is more than just "making it 
> compile" with things like OpenSSL3, and yes, I can appreciate 
> that it's not fully broken, but it's not fully working either.


could you please elaborate on this? are there any security issues with 
using the debian version? what are the problems you are implicating with 
your above statement, that it's 'not fully working either'?


greetings...


Re: Debian Bookworm packages, please !

2024-06-25 Thread Laura Smith via dovecot


> 
> We can already see that the Debian/RedHat patched 2.3 which is offered is 
> broken because there is more than just "making it compile" with things like 
> OpenSSL3, and yes, I can appreciate that it's not fully broken, but it's not 
> fully working either.


Yeah, that's sort of what's holding me back from just blindly installing the 
Debian distro package.  Whilst I'm no expert, I did spot some OpenSSL3 mentions 
looking briefly through the Debian bug tracker.

Do you have any opinion on the FreeBSD dovecot ? I'd rather stick with Debian 
but having a working mailserver on a current version of an OS is a somewhat 
higher importance.

If Stalwart was more mature than it currently is, I would have moved over to 
that already.  Sadly that will have to wait for the next round of server 
refreshes in a few years time.


Re: Debian Bookworm packages, please !

2024-06-25 Thread Scott Q. via dovecot
For what it's worth, I installed openssl 1.1.1w in a custom dir,
compiled dovecot 2.3.21 against it and it works like a charm against
our test suite and production load.


On Tuesday, 25/06/2024 at 11:08 Aki Tuomi via dovecot wrote:



> On 25/06/2024 17:26 EEST Laura Smith via dovecot  wrote:
> 
>  
> On Tuesday, 25 June 2024 at 15:06, Aki Tuomi via dovecot  wrote:
> 
> > > On 25/06/2024 16:58 EEST Laura Smith via dovecot
> > > dovecot@dovecot.org wrote:
> > > 
> > > Debian Bookworm (12) was released June 2023.
> > > 
> > > It is therefore somewhat disappointing to see no Bookworm
> > > packages in https://repo.dovecot.org/ce-2.3-latest/debian/
> > 
> > 
> > We are going to add support for Debian Bookworm to Dovecot 2.4
> > version.
> > 
> >
> 
> Is there any more concrete news on the mysterious 2.4 ?  I found
> an old post from you from 2023 which said "soon" ?

I am aware that we are behind on what we originally estimated to be
the release schedule. However, I would rather we release something
that is good and tested, instead of just dumping something that "might
work".

We can already see that the Debian/RedHat patched 2.3 which is offered
is broken because there is more than just "making it compile" with
things like OpenSSL3, and yes, I can appreciate that it's not fully
broken, but it's not fully working either.

We are working hard to get it out as soon as possible, and hopefully
that soon will be during the remainder of the year, very much
preferring it to be sooner than later personally. Unfortunately things
sometimes just take more time than one wants.

Aki


Re: Debian Bookworm packages, please !

2024-06-25 Thread Aki Tuomi via dovecot


> On 25/06/2024 17:26 EEST Laura Smith via dovecot  wrote:
> 
>  
> On Tuesday, 25 June 2024 at 15:06, Aki Tuomi via dovecot 
>  wrote:
> 
> > > On 25/06/2024 16:58 EEST Laura Smith via dovecot dovecot@dovecot.org 
> > > wrote:
> > > 
> > > Debian Bookworm (12) was released June 2023.
> > > 
> > > It is therefore somewhat disappointing to see no Bookworm packages in 
> > > https://repo.dovecot.org/ce-2.3-latest/debian/
> > 
> > 
> > We are going to add support for Debian Bookworm to Dovecot 2.4 version.
> > 
> >
> 
> Is there any more concrete news on the mysterious 2.4 ?  I found an old post 
> from you from 2023 which said "soon" ?

I am aware that we are behind on what we originally estimated to be the release 
schedule. However, I would rather we release something that is good and tested, 
instead of just dumping something that "might work".

We can already see that the Debian/RedHat patched 2.3 which is offered is 
broken because there is more than just "making it compile" with things like 
OpenSSL3, and yes, I can appreciate that it's not fully broken, but it's not 
fully working either.

We are working hard to get it out as soon as possible, and hopefully that soon 
will be during the remainder of the year, very much preferring it to be sooner 
than later personally. Unfortunately things sometimes just take more time than 
one wants.

Aki


Re: Debian Bookworm packages, please !

2024-06-25 Thread Laura Smith via dovecot


On Tuesday, 25 June 2024 at 15:06, Aki Tuomi via dovecot  
wrote:

> > On 25/06/2024 16:58 EEST Laura Smith via dovecot dovecot@dovecot.org wrote:
> > 
> > Debian Bookworm (12) was released June 2023.
> > 
> > It is therefore somewhat disappointing to see no Bookworm packages in 
> > https://repo.dovecot.org/ce-2.3-latest/debian/
> 
> 
> We are going to add support for Debian Bookworm to Dovecot 2.4 version.
> 
>

Is there any more concrete news on the mysterious 2.4 ?  I found an old post 
from you from 2023 which said "soon" ?


Re: Debian Bookworm packages, please !

2024-06-25 Thread Marc Haber via dovecot
On Tue, Jun 25, 2024 at 01:58:21PM +, Laura Smith via dovecot wrote:
> Debian Bookworm (12) was released June 2023.
> 
> It is therefore somewhat disappointing to see no Bookworm packages in 
> https://repo.dovecot.org/ce-2.3-latest/debian/

Debian itself offers packages of dovecot 2.3.19.

https://tracker.debian.org/pkg/dovecot

Greetings
Marc

-- 
-
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421


Re: Debian Bookworm packages, please !

2024-06-25 Thread Aki Tuomi via dovecot

> On 25/06/2024 16:58 EEST Laura Smith via dovecot  wrote:
> 
>  
> Debian Bookworm (12) was released June 2023.
> 
> It is therefore somewhat disappointing to see no Bookworm packages in 
> https://repo.dovecot.org/ce-2.3-latest/debian/

We are going to add support for Debian Bookworm to Dovecot 2.4 version.

Aki