Why do you care about the repo then ? Use the patch locally,
publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
do you care if it's in the public tree or not.

Again, no open source project has any responsibility to make sure you
can function the way you want to. It's nothing more than
entitlement. 

In your stead, I'd be happy and say thank you that a serious company
is making such a huge public/free contribution.

Cheers

On Wednesday, 26/06/2024 at 14:04 Laura Smith wrote:

I suggest you descend rapidly off your high horse Scott, for two
reasons:

* I know people who have approached OpenXChange for commercial
Dovecot support. TL;DR OpenXChange are basically not interested unless
you're going to spend the big bucks (i.e. if you're not a major
ISP/Telco or something, forget about it).
* As Aki has demonstrated with his denigration of the 2.3 patches in
the Debian tree, they are clearly not particularly interested in
contributions to make 2.3 OpenSSL 3.0 compatible.
* Perhaps most importantly, as Aki has stated, they have no intention
of making 2.3 OpenSSL 3.0 compatible ... ergo they would never merge
my patch into the tree ... ergo it will never be on the Dovecot repo
... ergo I would have wasted my time.

On Wednesday, 26 June 2024 at 14:47, Scott Q. wrote:

Hi Laura,

I understand your frustration but if you are relying on Dovecot for a
commercial solution, I believe your anger is misguided. The open
source project has no duty nor do they have to guarantee anything.
Open source means everyone can contribute, but in this case, only one
major contributor exists.

My advice for anyone facing similar frustrations is to contribute the
proper code to 2.3 to make it compatible with OpenSSL 3.0. Failing
that, you can hire competent programmers and have them contribute the
code to the public GitHub repository.

No, I don't work for OpenXChange but I do maintain a few open source
projects and am accustomed to people's expectations to get commercial
grade software...for free.

Cheers

On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:

You are conflating OS with packages. I don't think you'll find any
OS making promises about packages.

And even if it were the case, you are expecting a community patch
based on what exactly? OpenSSL are not releasing the code to
non-premium customers, and as Aki has repeatedly told us here, OpenSSL
3.0 is vastly different to 1.1.1, so it's not like you can expect to
magically invent a patch based on the OpenSSL 3.0 code (even if it may
be true for a limited number of circumstances, it won't be true for
all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version
of OpenSSL, anything else is wishful thinking based on excess
expectations, frankly.

On Wednesday, 26 June 2024 at 13:11, Lucas Rolff wrote:

> They likely do not, but vulnerabilities reported are also patched
> for the duration of the OS lifecycle. With or without premium access.
> Since that's what the OS has committed to, unless they pull a redhat
> and deprecate an OS before initial EOL date.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith 
> Sent: Wednesday, June 26, 2024 2:06:44 PM
> To: Lucas Rolff 
> Cc: Aki Tuomi ; Laura Smith via dovecot ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> So you're saying other operating systems magically get access to
> OpenSSL premium? I somehow doubt it.
> 
> 
> 
> 
> On Wednesday, 26 June 2024 at 13:01, Lucas Rolff wrote:
> 
> > That Debian doesn't patch their LTS releases properly like other
> > operating systems, should probably be brought up with the Debian
> > release and security teams.
> > 
> > Sent from Outlook for iOS
> > 
> > From: Laura Smith via dovecot 
> > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > To: Aki Tuomi 
> > Cc: Laura Smith via dovecot ; Michael 
> > Subject: Re: Debian Bookworm packages, please !
> > 
> > The fundamental problem here is that this turns into a security
> > problem, which in 2024 is not a nice thing to have.
> > 
> > Yes, theoretically I could run the previous Debian release, 11
> > Bullseye which is now EOL but in LTS until 2026.
> > 
> > However, the OpenSSL delivered with Bullseye is 1.1.1. Any LTS
> > patches delivered by Debian are based on public patches, so basically
> > there will be no OpenSSL patches because OpenSSL moved 1.1.1 to
> > premium support only, *INCLUDING* security patches, as described on
> > their website ("It will no longer be receiving publicly available
> > security fixes after that date")
> > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> > 
> > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian
> > provided 2.3 package. "Be careful, it's broken" is not a warning a good
> > sysadmin takes lightly.
> > 
> > Meanwhile, if we're lucky, we might get 2.4 this side of Christmas
> > 2024.
> > 
> > It's all a bit of a mess. It's all a bit worrying.
> > 
> > Meanwhile alternatives are few and far between, and I suspect
> > Dovecot knows that! The Dovecot community are left between the
> > proverbial rock and a hard place.
> > 
> > Cyrus is now dependent on the commercial goodwill of FastMail,
> > which brings thoughts of comparisons with Dovecot and OpenXChange.
> > 
> > Stalwart, whilst extraordinarily promising, needs another year or
> > so of development to reach v1 and mature the code.
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-le...@dovecot.org