On Tue, May 19, 2020 at 04:08:32PM -0400, Rich Felker wrote:

> I'm not encouraging any to do that; rather I've encouraged them to
> take measures to both:
>
> (1) ensure that DANE is not silently ignored, by either patching
> Postfix to work with old musl (prior to the above commit) or patching
> the musl package and adding a dependency from the postfix package on
> the updated musl package, and:

Patching Postfix to "work" with old MUSL would be a terrible mistake.
Please make it quite clear to them that they MUST NOT do that. It would
cause massive breakage, and just give DANE a bad name.

> (2) not ship Postfix packages with DNSSEC/DANE disabled, because that
> would encourage admins to switch DANE off in their config files to
> "fix the breakage" after upgrading, then forget to turn it back on
> once updated packages are available to make it work.

That's a better outcome than having DANE enabled and causing active
breakage.

> I haven't been through this with other distros yet, but Alpine folks
> were committed to both of these principles.

Then they still don't understand the issues well enough to do the right
thing...

--
    Viktor.