Re: procmail question
On Sat, Jan 27, 2024 at 02:46:59AM +0100, Wolfgang Pfeiffer via users wrote: On Fri, Jan 26, 2024 at 09:08:44AM -0600, Thomas Cameron wrote: I'm reading articles saying procmail is dangerous and unmaintained (https://anarc.at/blog/2022-03-02-procmail-considered-harmful/). Quote from the page above - seems to be old and, to put it mildly, wrong: Not sure if it was right to call it "wrong" above, but at least strange the article seems to be as the authour at the end of the piece states that at the time of writing procmail was already back on being worked on. "procmail is unmaintained. The "Final release", according to Wikipedia, dates back to September 10, 2001 (3.22)" -- Wolfgang -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
Thomas Cameron: >> I'm reading articles saying procmail is dangerous and unmaintained >> (https://anarc.at/blog/2022-03-02-procmail-considered-harmful/). Wolfgang Pfeiffer: > Quote from the page above - seems to be old and, to put it mildly, > wrong: > "procmail is unmaintained. The "Final release", according to > Wikipedia, dates back to September 10, 2001 (3.22)" > > Status today according to > https://en.wikipedia.org/wiki/Procmail > Excerpt: > "The software remained unmaintained for several years, and was > believed to be defunct.[3] In 2020 May, Stephen van den Berg resumed > maintenance again.[4] The program has since seen multiple releases and > bug-fixes." I have to ask: Was it really any worse than the alternatives at the time? (And, yes, I did read the blog article. It seems an inflated ego opinion piece, like you find in magazine editorials, designed to stir up a hornets nest more than do anything else.) Everything has bugs, many of which authors (for better or worse) consider to be inconsequential. And just try getting some bugs fixed with some projects, you hit a brickwall of bad attitude. I have many unmaintained things around my house, because they simply work fine as they are. And I know that if I were to tinker with them, I'd cause breakage in different ways. -- uname -rsvp Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64 Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list. -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
On Fri, Jan 26, 2024 at 09:08:44AM -0600, Thomas Cameron wrote: I'm reading articles saying procmail is dangerous and unmaintained (https://anarc.at/blog/2022-03-02-procmail-considered-harmful/). Quote from the page above - seems to be old and, to put it mildly, wrong: "procmail is unmaintained. The "Final release", according to Wikipedia, dates back to September 10, 2001 (3.22)" Status today according to https://en.wikipedia.org/wiki/Procmail Excerpt: "The software remained unmaintained for several years, and was believed to be defunct.[3] In 2020 May, Stephen van den Berg resumed maintenance again.[4] The program has since seen multiple releases and bug-fixes." Here seems to be the current maintainer site: https://github.com/BuGlessRB/procmail And see the HISTORY file in that dir ... And even the Openbsd guys, with their interest in "proactive security", have it in their latest release: https://cdn.openbsd.org/pub/OpenBSD/7.4/packages/amd64/ Welcome! ... ;) -- Wolfgang -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
On 1/26/24 14:39, Samuel Sieb wrote: On 1/26/24 09:07, Jon Ingason via users wrote: Did following: $ dnf search procmail Fedora 39 - x86_64 9.3 MB/s | 89 MB = Namn Exakt matchad: procmail procmail.x86_64 : Mail processing program === Namn & Sammanfattning Matchad: procmail perl-Mail-Procmail.noarch : Procmail-like facility for creating easy mail : filters So procmail indeed is still maintained. That just means it's still being packaged by someone for Fedora. That doesn't provide any information about whether the program's source code is being maintained upstream. Indeed, the upstream source at https://github.com/BuGlessRB/procmail has not seen any activity for the last 2 years. I guess I had better hang onto that source. My email gets some fairly messy processing that is very dependent on procmail. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it. -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
On 1/26/24 09:07, Jon Ingason via users wrote: Did following: $ dnf search procmail Fedora 39 - x86_64 9.3 MB/s | 89 MB = Namn Exakt matchad: procmail procmail.x86_64 : Mail processing program === Namn & Sammanfattning Matchad: procmail perl-Mail-Procmail.noarch : Procmail-like facility for creating easy mail : filters So procmail indeed is still maintained. That just means it's still being packaged by someone for Fedora. That doesn't provide any information about whether the program's source code is being maintained upstream. -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
Den 2024-01-26 kl. 17:26, skrev Thomas Cameron: On 1/26/24 10:10, Patrick O'Callaghan wrote: I used procmail for years and never had an issue with it. However I don't like unmaintained software so removed it when support was dropped. The problem with Sieve (and several other options) is that they're server-side, so if your server doesn't support them, and you don't want to run your own local server (plus e.g. fetchmail) you're dependent on what your mail provider allows. I run the servers, so I can install whatever I want, but... I chatted with a couple of folks on IRC, including someone who knows the guy who wrote that article. Turns out that procmail really IS still being maintained, both by vendors like Red Hat, Canonical, Suse, etc., and independent developers. There's even talk about forming a new mailing list for those developers. It's definitely being maintained. After digging in a bit, I'm going to stick with procmail since I already know it. If anyone has any opinions to the contrary, I'm happy to be educated, though! Did following: $ dnf search procmail Fedora 39 - x86_64 9.3 MB/s | 89 MB = Namn Exakt matchad: procmail procmail.x86_64 : Mail processing program === Namn & Sammanfattning Matchad: procmail perl-Mail-Procmail.noarch : Procmail-like facility for creating easy mail : filters So procmail indeed is still maintained. -- Regards Jon Ingason -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
On 1/26/24 10:10, Patrick O'Callaghan wrote: I used procmail for years and never had an issue with it. However I don't like unmaintained software so removed it when support was dropped. The problem with Sieve (and several other options) is that they're server-side, so if your server doesn't support them, and you don't want to run your own local server (plus e.g. fetchmail) you're dependent on what your mail provider allows. I run the servers, so I can install whatever I want, but... I chatted with a couple of folks on IRC, including someone who knows the guy who wrote that article. Turns out that procmail really IS still being maintained, both by vendors like Red Hat, Canonical, Suse, etc., and independent developers. There's even talk about forming a new mailing list for those developers. It's definitely being maintained. After digging in a bit, I'm going to stick with procmail since I already know it. If anyone has any opinions to the contrary, I'm happy to be educated, though! -- Thanks! Thomas -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: procmail question
On Fri, 2024-01-26 at 09:08 -0600, Thomas Cameron wrote: > I'm reading articles saying procmail is dangerous and unmaintained > (https://anarc.at/blog/2022-03-02-procmail-considered-harmful/). > > I get why a setuid root:mail binary is potentially dangerous, but > procmail has been in use for decades and I don't think I've ever > heard > of it being used for an exploit except for way back in 2017 and > 2014 > ( > https://www.cvedetails.com/vulnerability-list/vendor_id-225/Procmail.h > tml). > > > Anyone got any recommendations? I've used procmail for decades. I'm > pretty familiar with it. I *can* migrate to sieve, but procmail Just > Works(TM), so I'm hesitant. > > Is the risk overblown? We're using Postfix and procmail and it seems > to > be really solid. I am not really looking forward to migrating to > sieve, > so I'd rather just stick with what I know, you know? > > What are your thoughts? I used procmail for years and never had an issue with it. However I don't like unmaintained software so removed it when support was dropped. The problem with Sieve (and several other options) is that they're server-side, so if your server doesn't support them, and you don't want to run your own local server (plus e.g. fetchmail) you're dependent on what your mail provider allows. poc -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
procmail question
I'm reading articles saying procmail is dangerous and unmaintained (https://anarc.at/blog/2022-03-02-procmail-considered-harmful/). I get why a setuid root:mail binary is potentially dangerous, but procmail has been in use for decades and I don't think I've ever heard of it being used for an exploit except for way back in 2017 and 2014 (https://www.cvedetails.com/vulnerability-list/vendor_id-225/Procmail.html). Anyone got any recommendations? I've used procmail for decades. I'm pretty familiar with it. I *can* migrate to sieve, but procmail Just Works(TM), so I'm hesitant. Is the risk overblown? We're using Postfix and procmail and it seems to be really solid. I am not really looking forward to migrating to sieve, so I'd rather just stick with what I know, you know? What are your thoughts? -- Thomas -- ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue