I suggest you descend rapidly off your high horse Scott, for two reasons:
- I know people who have approached OpenXChange for commercial Dovecot support. TL;DR OpenXChange are basically not interested unless you're going to spend the big bucks (i.e. if you're not a major ISP/Telco or something, forget about it).
- As Aki has demonstrated with his denigration of the 2.3 patches in the Debian tree, they are clearly not particularly interested in contributions to make 2.3 OpenSSL 3.0 compatible.
- Perhaps most importantly, as Aki has stated, they have no intention of making 2.3 OpenSSL 3.0 compatible ... ergo they would never merge my patch into the tree ... ergo it will never be on the Dovecot repo ... ergo I would have wasted my time.
On Wednesday, 26 June 2024 at 14:47, Scott Q. qmail@top-consulting.net wrote:
Hi Laura, I understand your frustration but if you are relying on Dovecot for a commercial solution, I believe your anger is misguided. The open source project has no duty nor do they have to guarantee anything. Open source means everyone can contribute, but in this case, only one major contributor exists.
My advice for anyone facing similar frustrations is to contribute the proper code to 2.3 to make it compatible with OpenSSL 3.0. Failing that, you can hire competent programmers and have them contribute the code to the public GitHub repository.
No, I don't work for OpenXChange but I do maintain a few open source projects and am accustomed to people's expectations to get commercial grade software...for free.
Cheers
On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:
You are conflating OS with packages. I don't think you'll find any OS making promises about packages.
And even if it were the case, you are expecting a community patch based on what exactly? OpenSSL are not releasing the code to non-premium customers, and as Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 1.1.1, so it's not like you can expect to magically invent a patch based on the OpenSSL 3.0 code (even if it may be true for a limited number of circumstances, it won't be true for all 1.1.1 patches).
The sensible thing to do is to run a current OS with a current version of OpenSSL, anything else is wishful thinking based on excess expectations, frankly.
On Wednesday, 26 June 2024 at 13:11, Lucas Rolff lucas@lucasrolff.com wrote:
They likely do not, but vulnerabilities reported are also patched for the duration of the OS lifecycle, with or without premium access, since that's what the OS has committed to, unless they pull a Red Hat and deprecate an OS before the initial EOL date.
Sent from Outlook for iOS
From: Laura Smith n5d9xq3ti233xiyif2vp@protonmail.ch
Sent: Wednesday, June 26, 2024 2:06:44 PM
To: Lucas Rolff lucas@lucasrolff.com
Cc: Aki Tuomi aki.tuomi@open-xchange.com; Laura Smith via dovecot dovecot@dovecot.org; Michael ml@hemathor.de
Subject: Re: Debian Bookworm packages, please !
So you're saying other operating systems magically get access to OpenSSL premium? I somehow doubt it.
On Wednesday, 26 June 2024 at 13:01, Lucas Rolff lucas@lucasrolff.com wrote:
That Debian doesn't patch their LTS releases properly like other operating systems should probably be brought up with the Debian release and security teams.
From: Laura Smith via dovecot dovecot@dovecot.org
Sent: Wednesday, June 26, 2024 1:31:48 PM
To: Aki Tuomi aki.tuomi@open-xchange.com
Cc: Laura Smith via dovecot dovecot@dovecot.org; Michael ml@hemathor.de
Subject: Re: Debian Bookworm packages, please !
The fundamental problem here is that this turns into a security problem, which in 2024 is not a nice thing to have.
Yes, theoretically I could run the previous Debian release, 11 Bullseye, which is now EOL but in LTS until 2026.
However, the OpenSSL delivered with Bullseye is 1.1.1. Any LTS patches delivered by Debian are based on public patches, so basically there will be no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, *INCLUDING* security patches, as described on their website ("It will no longer be receiving publicly available security fixes after that date") https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 package. "be careful it's broken" is not a warning a good sysadmin takes lightly.
Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
It's all a bit of a mess. It's all a bit worrying.
Meanwhile alternatives are few and far between, and I suspect Dovecot knows that! The Dovecot community are left between the proverbial rock and a hard place.
Cyrus is now dependent on the commercial goodwill of FastMail, which brings thoughts of comparisons with Dovecot and OpenXChange.
Stalwart, whilst extraordinarily promising, needs another year or so of development to reach v1 and mature the code.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org