Jason A. Donenfeld wrote:
> But I think it's time we take a step back and reassess the situation.
> There are some critical questions that need to be answered. What
> accounts for the high proportion of security vulnerabilities in a
> project renowned for its brilliant developers and stringent review
> processes? Do the OpenSMTPD developers have time -- and have they
> displayed a presence of necessary free time -- to keep the project
> healthy and moving toward stability at an acceptable pace? Have the
> correct standards of releases been applied to the OpenSMTPD release
> process?
> 
> And most importantly: should OpenSMTPD continue to be a part of the
> core OpenBSD project? Or should it rather spend some time maturing and
> securing commitments from developers for maintaining it in a
> consistent manner, before being accepted by such a reputable
> organization as OpenBSD?

These questions all relate. I'm not very involved, but I can answer some of
them. As I'm sure you know (but some others may not), smtpd development has
been split into two branches for some time. This was to enable the development
of the filtering feature. This code was developed outside the main tree
precisely to allow it to mature.

Unfortunately, this had the unintended consequence of marking all the code in
OpenBSD as "deprecated". All of the OpenBSD developers were basically waiting
for the filter branch to land to avoid too much divergence. We are working to
make some adjustments in communications and attitude.

I don't think the smtpd developers are to blame for this situation, because
the rest of us allowed it to happen. Writing a mail server is a big project,
and many of us promised our support, but then that support didn't materialize
due to the above.

In short, things broke down, but we have a pretty good idea why, and know what
to do about it.
