+1

On 26/6/24 at 14:34, Laura Smith via dovecot wrote:
You are conflating OS with packages.  I don't think you'll find any OS making 
promises about packages.

And even if it were the case, you are expecting a community patch based on what 
exactly? OpenSSL are not releasing the code to non-premium customers, and as 
Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 1.1.1, so 
it's not like you can expect to magically invent a patch based on the OpenSSL 3.0 
code (even if it may be true for a limited number of circumstances, it won't be 
true for all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version of 
OpenSSL, anything else is wishful thinking based on excess expectations, 
frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff <lu...@lucasrolff.com> wrote:

They likely do not, but vulnerabilities reported are also patched for the 
duration of the OS lifecycle. With or without premium access. Since that's what 
the OS has committed to, unless they pull a Red Hat and deprecate an OS before 
initial EOL date.

Sent from Outlook for iOS

From: Laura Smith <n5d9xq3ti233xiyif...@protonmail.ch>
Sent: Wednesday, June 26, 2024 2:06:44 PM
To: Lucas Rolff <lu...@lucasrolff.com>
Cc: Aki Tuomi <aki.tu...@open-xchange.com>; Laura Smith via dovecot 
<dovecot@dovecot.org>; Michael <m...@hemathor.de>
Subject: Re: Debian Bookworm packages, please !

So you're saying other operating systems magically get access to OpenSSL 
premium? I somehow doubt it.




On Wednesday, 26 June 2024 at 13:01, Lucas Rolff <lu...@lucasrolff.com> wrote:

That Debian doesn't patch their LTS releases properly like other operating 
systems, should probably be brought up with the Debian release and security 
teams.

Sent from Outlook for iOS

From: Laura Smith via dovecot <dovecot@dovecot.org>
Sent: Wednesday, June 26, 2024 1:31:48 PM
To: Aki Tuomi <aki.tu...@open-xchange.com>
Cc: Laura Smith via dovecot <dovecot@dovecot.org>; Michael <m...@hemathor.de>
Subject: Re: Debian Bookworm packages, please !

The fundamental problem here is that this turns into a security problem, which 
in 2024 is not a nice thing to have.

Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
is now EOL but in LTS until 2026.

However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches delivered by 
Debian are based on public patches, so basically there will be no OpenSSL patches because 
OpenSSL moved 1.1.1 to premium support only, *INCLUDING* security patches, as described 
on their website ("It will no longer be receiving publicly available security fixes 
after that date") https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.

Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 package. 
"be careful it's broken" is not a warning a good sysadmin takes lightly.

Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.

It's all a bit of a mess. It's all a bit worrying.

Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
that! The Dovecot community are left between the proverbial rock and a hard 
place.

Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
thoughts of comparisons with Dovecot and OpenXChange.

Stalwart, whilst extraordinarily promising, needs another year or so of 
development to reach v1 and mature the code.
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

--

Narcis Garcia

__________
I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should remove and omit any @, dot and mailto combinations against automated addresses collectors.