On Sep 8, 2009, at 6:16 PM, mouss wrote:
- every time I hear "zlib", someting like "vulnerability" hits my ears.
Well, you inspired me to finally implement a prevention method against almost all vulnerabilities there could be in zlib: http://hg.dovecot.org/dovecot-1.2/rev/b359aac78f92 I had been planning this since the beginning, but since few people used zlib plugin I guess I always just treated it as second class citizen and thought other things were more important. And sure, that patch doesn't help if users have some other way of writing files to maildir, but in typical setups I would now consider using zlib plugin safe.
so if I can vote, I'd say no to zlib integration. this applies to dovecot too. unfortunately, it seems that Timo is "too open", which makes the "with security in mind" of dovecot debatable at least. is it time to move back to courier?
I try to keep the defaults secure, but I also understand that others just want the best performance and fancy features.
