On Tue, May 19, 2020 at 06:51:57PM -0400, Viktor Dukhovni wrote:
> On Tue, May 19, 2020 at 04:08:32PM -0400, Rich Felker wrote:
>
> > I'm not encouraging anyone to do that; rather I've encouraged them to
> > take measures to both:
> >
> > (1) ensure that DANE is not silently ignored, by either patching
> > Postfix to work with old musl (prior to the above commit) or patching
> > the musl package and adding a dependency from the postfix package on
> > the updated musl package, and:
>
> Patching Postfix to "work" with old MUSL would be a terrible mistake.
> Please make it quite clear to them that they MUST NOT do that.
> It would cause massive breakage, and just give DANE a bad name.

By patching it *to work*, I mean so that DANE is enforced correctly. Not
so that it silently ignores DANE records. Sorry for not making that more
clear.

> > (2) not ship Postfix packages with DNSSEC/DANE disabled, because that
> > would encourage admins to switch DANE off in their config files to
> > "fix the breakage" after upgrading, then forget to turn it back on
> > once updated packages are available to make it work.
>
> That's a better outcome than having DANE enabled and causing active
> breakage.
>
> > I haven't been through this with other distros yet, but Alpine folks
> > were committed to both of these principles.
>
> Then they still don't understand the issues well enough to do the
> right thing...

I think we just had a miscommunication here and we're all actually on
the same page.

Rich
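An added check, not part of this thread and not Postfix's or musl's own code, that a packager or admin can run on a host to confirm the first of the two principles above: that DANE is actually in effect rather than silently ignored. A Postfix SMTP client only enforces DANE when its TLS level is `dane` or `dane-only`, DNS support is `dnssec`, and the system resolver path returns responses with the AD (Authenticated Data) flag; a libc resolver that never yields AD degrades DANE to nothing without an error. The script assumes `dig` and `postconf` are installed and that an NS query for the root zone with `+dnssec` against the system resolver is a fair DNSSEC probe (both are my assumptions, not from the thread). The helper functions take constructed input so the logic can be exercised offline; the live check runs only when `DANE_CHECK_LIVE=1` is set.

```shell
#!/bin/sh
# dane-check.sh (added example, not from the mailing-list thread)
# Confirms that Postfix DANE enforcement is really in effect on this host.
# Assumptions (mine): dig(1) and postconf(1) exist; "dig +dnssec NS ." is a
# fair probe of whether the resolver path returns DNSSEC-validated answers.

# Return 0 if a dig ";; flags: ..." header line carries the "ad" flag,
# i.e. the resolver asserts the answer was DNSSEC validated.
dig_header_has_ad() {
    # Keep only the text between "flags:" and the first ";".
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: *\([^;]*\);.*/\1/p')
    for f in $flags; do
        [ "$f" = "ad" ] && return 0
    done
    return 1
}

# Return 0 if the Postfix settings enforce DANE: TLS level "dane" or
# "dane-only" AND DNS support level "dnssec". Any other combination means
# DANE is opportunistic at best or switched off entirely.
postfix_dane_levels_ok() {
    tls_level=$1
    dns_level=$2
    case "$tls_level" in
        dane|dane-only) ;;
        *) return 1 ;;
    esac
    [ "$dns_level" = "dnssec" ]
}

# Live check against the running system. Exit 0 only if both the Postfix
# configuration and the resolver path are DANE-ready.
main() {
    rc=0

    tls=$(postconf -h smtp_tls_security_level)
    dns=$(postconf -h smtp_dns_support_level)
    if postfix_dane_levels_ok "$tls" "$dns"; then
        echo "ok:   smtp_tls_security_level=$tls smtp_dns_support_level=$dns"
    else
        echo "FAIL: smtp_tls_security_level=$tls smtp_dns_support_level=$dns"
        echo "      DANE is not being enforced by configuration."
        rc=1
    fi

    # Probe the system resolver the same way the libc resolver would be
    # used: no explicit @server, so /etc/resolv.conf decides.
    hdr=$(dig +dnssec NS . 2>/dev/null | grep '^;; flags:')
    if [ -z "$hdr" ]; then
        echo "FAIL: no answer from the system resolver (is dig installed, is DNS up?)"
        rc=1
    elif dig_header_has_ad "$hdr"; then
        echo "ok:   resolver returned AD flag: $hdr"
        echo "      (AD is only trustworthy if the resolver is reached over a"
        echo "      trusted path, e.g. a validating resolver on loopback.)"
    else
        echo "FAIL: resolver did not set AD: $hdr"
        echo "      Postfix will treat every MX as insecure and skip DANE silently."
        rc=1
    fi
    return $rc
}

# Run the live check only when asked, so the functions can be sourced or
# tested without touching the network: DANE_CHECK_LIVE=1 sh dane-check.sh
if [ "${DANE_CHECK_LIVE:-0}" = 1 ]; then
    main
fi
```

The two failure branches correspond to the two ways DANE goes quiet: the packager shipping the levels turned off (the second principle in the reply above), and a resolver path that never returns validated answers (the musl-era condition the thread is about). Neither produces an error in normal Postfix operation, which is why a separate check is worth running after an upgrade.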