On Oct 29, 2014 11:33 AM, "Miloslav Trmač" <m...@redhat.com> wrote:
>
> ----- Original Message -----
> > I created a new bug [1] that explains that ssmtp is sending all cron
> > jobs output to an external SMTP server. I marked it as a security bug,
> > the security tag was removed and it was recommended to make it public,
> > something I can't do. I will resume the problem here, because there are
> > comments that say that it isn't a security bug, I disagree:
> >
> > 1- Fedora 20 shipped with the feature of not running a SMTP server by
> > default, I was fine with it because I don't need to send emails or
> > receive emails locally using it.
> >
> > 2- an update pulled ssmtp
> >
> > Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
> > Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64
> >
> > 3- ssmtp is configured by default to send emails to a host named mail
> >
> > 4- If a cron job runs the email is sent to mail.[your.domain] without
> > you ever configuring that.
>
> This is certainly not a reasonable default configuration for Fedora.
>
> While I think that it is not a reasonable default configuration for ssmtp
> at all, I could be persuaded otherwise; but in that case, it should never
> be installed by _anything_ that isn’t an explicit user’s choice (i.e. no
> dependencies direct or indirect, no comps group presence, and
> ideally/overzealously? an automated test that makes installing ssmtp in a
> default product configuration a release blocker).

Given that PackageKit can install things with minimal authentication, this
seems fragile. Why not change cron's default config instead?

--Andy

> Mirek
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
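
Added example, not part of the thread and not Fedora's or ssmtp's own code: a shell check for the combination discussed above, an unqualified ssmtp mailhub (such as "mail") while cron still mails job output. The paths /etc/ssmtp/ssmtp.conf and /etc/crontab and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are assumed Fedora defaults.

# Print the last active mailhub= value of an ssmtp.conf-style file, without
# any :port suffix. Prints nothing if the file is unreadable or has no such line.
ssmtp_mailhub() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*[Mm]ail[Hh]ub[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]#].*$//; s/:[0-9]*$//' | tail -n 1
}

# Succeed if the crontab's last MAILTO assignment is empty. crontab(5): an
# empty MAILTO means no mail is sent; with no MAILTO line the owner is mailed.
cron_mail_disabled() {
    [ -r "$1" ] || return 1
    grep -q '^[[:space:]]*MAILTO[[:space:]]*=' "$1" || return 1
    last=$(sed -n 's/^[[:space:]]*MAILTO[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1)
    case $last in
        '' | '""' | "''") return 0 ;;
        *) return 1 ;;
    esac
}

# Print one verdict for an (ssmtp.conf, crontab) pair.
audit_cron_mail() {
    conf=${1:-/etc/ssmtp/ssmtp.conf}
    tab=${2:-/etc/crontab}
    if cron_mail_disabled "$tab"; then
        echo "CRON_MAIL_OFF"
        return 0
    fi
    hub=$(ssmtp_mailhub "$conf")
    case $hub in
        '')  echo "NO_MAILHUB" ;;
        *.*) echo "QUALIFIED_HUB $hub" ;;
        # A bare name such as "mail" is the case the thread reports as
        # delivering job output to mail.[your.domain].
        *)   echo "UNQUALIFIED_HUB $hub" ;;
    esac
}

audit_cron_mail "$@"
```

The check reads a single crontab; files under /etc/cron.d and per-user crontabs carry their own MAILTO and need the same check.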