On Wed, 22 Mar 2006 18:03:56 -0600 Robert Thompson <[EMAIL PROTECTED]> wrote:
> I'm actually pretty happy with the bug reporting process so far, but
> not *familiar* with it... I've been a Debian user for a very long
> time and never needed to learn how to report a bug until now, which
> indicates why I never recommend anything else =)

Thanks, I take that as a compliment (on behalf of the project) :-)

> Jonas Smedegaard wrote:
> > Well, I interpret such email as *delayed*, not lost.
> > I sincerely believe that even with this bug it is still relevant to
> > distribute the package.
>
> Absolutely. Had I known that such was the case, I would have picked a
> better classification. I am not aware of the subtleties of the
> system, and as far as I know, the problem is with that particular
> combination of service, server-side ssl library version, and
> client-side ssl library version. uw-imapd may be kind of stupid, but
> it is very appropriate for small sites or ones with migration issues
> involving large numbers of legacy mailboxes.

Ok. It is a common misunderstanding to tag severity too high (a bug can
be fatal for a single scenario without being so to the project in
general). Just sometimes the bug reporter insists on the initial
severity, that's why I made an effort on arguing for my change.

To be honest, I do not prefer UW-imap myself. I'd recommend you take a
look at my favorite, dovecot. It seems our use cases are pretty similar
(one of my clients is the Kaospilot University - some hundred Macintosh
users and a few Windows desktops).

Only thing I know of unique to UW-imap is its "mbox" trick of
auto-moving email off of the spool file. I have a script for
transitioning from UW-imap to Maildir-based dovecot taking care of that
mbox thingy too, if interested (I should probably pass it on to the
dovecot maintainer too for inclusion as an example script).

> >> The listed workaround to fix the TLS problem reduces the crypto
> >> security to an absurdly low level.
> >
> > What listed workaround?
>
> The bug I referenced in the original report involving the newer (and
> since replaced) openssl package in unstable: somewhere in that thread
> it was reported that modifying the client's preferred order of SSL
> types and encryptions so that sslv3 wouldn't be picked would bypass
> the problem. I confirmed that that workaround works here too (maybe
> indicating that the problem is somewhere in the same codepath?), and
> as reported in that thread, it also impacts the chosen crypto level
> not just the ssl version.

Ah, ok. It seemed to me that continued discussion in that bugreport
(perhaps after you read it?) limited the fix to still allow some strong
encryption - but I might be wrong (I am no crypto expert).

> >> libssl got upgraded to 0.9.7e-3sarge1 on November 21
> >> and uw-imapd got updated to 7:2002edebian1-11sarge1 on October 14,
> >> so I don't think that was it.
> >
> > And the services (or maybe the whole machine) is frequently
> > restarted?
>
> Very infrequently, although I am pretty sure that I manually
> restarted the service after both updates.

Ok. Just making sure...

> >> The problem appeared for OSX users immediately after they shipped
> >> the SSL fix, and for Thunderbird users immediately after they
> >> shipped the SSL fix. I don't have references to the changelogs
> >> handy, but I did check the times and they match: For all users
> >> where I can get data, the complaint happened very shortly after
> >> they updated their mail client.
> >
> > What SSL fix? Sorry if I am missing something obvious.
>
> Mozilla.org reported a fairly urgent ssl security fix, and apple
> reported fixing an ssl bug that affected mail.app. I believe they are
> talking about the same change that led to the unstable-tree openssl
> bug report.

Ah, ok. I didn't know that.

> I accidentally discovered that SSL and TLS aren't affected
> identically, which helps on Mozilla but not Apple Mail (End users not
> expected to know such a subtle difference, so no distinction made)

Do you say that Apple Mail does not support SSL instead of TLS?

Maybe this helps:
http://help.riseup.net/mail/mail-clients/apple-mail/imap/

> >> Bottom line: for us, the problem is mitigated by switching to SSL.
> >
> > I am confused. Earlier you wrote that "Some time in the recent past,
> > SSL connections have mostly stopped working" - did you then mean TLS
> > connection?
>
> Yes, I'd been working in apple mail for several hours when I wrote
> that, and as a result my terminology had gotten sloppy.

Ah, ok :-)

So currently your system is working - also for Apple Mail clients - by
avoiding TLS and using SSL instead?

> > P.S.
> >
> > Please consider reposting your entire message to the bugreport for
> > others to help resolving this. I have only quoted above what I found
> > relevant for this response.
> >
> >
>
> If you tell me how, I will do so.

Send your followup-emails to [EMAIL PROTECTED] instead of me privately.
The bug reporting system then takes care of forwarding the message to
me in addition to filing it.

Please also resend your older emails only sent to me, as I will probably
pass on this bugreport to openssl for them to help investigate the
issue.

What went wrong was that I replied both to the BTS (bug tracking
system) and you privately, due to the BTS not always doing its
forwarding (or me not fully understanding the issues about it). You
probably received two seemingly identical messages and responded to the
first one (back to me) instead of the slightly delayed BTS one (with
edited headers to respond both to the BTS and to me).

So probably the fix is not better documentation, but that I should add
a sane "Reply-To: " header when circumventing the BTS :-P

> Related to that request: I am not familiar with proper bug reporting
> procedure in Debian.
> I would appreciate it if you would tell me how I
> should do (have done) this.

This is a good start, I believe: http://www.debian.org/Bugs/Reporting

> I would also suggest a simple little "two paragraph and a URL to FAQ"
> message explaining what to do about bugs somewhere in the installer,
> *especially* on non-stable releases.

The official place to grab testing install images is here:
http://www.debian.org/devel/debian-installer/

On that page is a link (just above "Documentation" headline) about
filing bugreports against it.

> Also, as has been demonstrated, Debian's organizational usage of the
> severity levels doesn't quite match the bug reporter's description of
> the severity levels. I'd file a bug report, but I am not familiar
> with the etiquette and don't want to waste anyone's time.

As I wrote earlier, my tedious explanation was more for the sake of
avoiding an annoying confrontation if you would insist on the severity
and considered it rude of me to change it. :-)

 - Jonas

-- 
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm

