Re: [exim] Getting the latest version for Debian Wheezy

Author: Michael Grant
Date:
To: Klaus Ethgen, exim-users
Subject: Re: [exim] Getting the latest version for Debian Wheezy
Hi Klaus,

On Sat, Jul 12, 2014 at 9:20 AM, Klaus Ethgen <Klaus+exim@???> wrote:

> Hi,
>
> On Sat, 12 Jul 2014 at 1:05, Michael Grant wrote:
> > Does anyone on this list know what the state of getting 4.82.1 (or
> > whatever is latest) into the backports repository for Debian is?
>
> You can add a wishlist bug for it.
>
> > It seems like this is quite urgent as there are some serious sounding
> > security fixes since 4.80!
>
> I don't think so. Without explicitly checking all the patches, but
> Debian usually backports security-relevant patches to the stable
> distribution.
>


I urge you to go look at what got fixed between 4.80 and 4.82 then
(https://lists.exim.org/lurker/list/exim-announce.html). There's a DKIM
hole that got patched that sounds pretty serious if you use DKIM. The
latest version in Debian's wheezy distribution is 4.80 from 02-Jan-2013 --
more than 18 months ago! There is no back-port from Jessie. Why? Still
don't think so?

Are you implying that Debian has in fact patched these security problems
but still calls it 4.80? I'm finding that hard to believe.

>
> If you find an unfixed security bug you can create a bug report with severe
> severity.
>


It's true, I can do this, however, I'm not the person who builds Exim on
Debian, I just came along the other day and started using it because I
needed a mailer! What you are saying implies a much larger problem that
there's no orderly way to feed release info into the distributions.

Exim, like many other open source projects, has an announce list.
Shouldn't someone who looks after security and back-ports be monitoring
the announce list and dealing with these occasional events? I can
understand lagging behind a few weeks or months for something less used,
but Exim is hugely popular, used everywhere! I'm just so surprised when
you tell me I can file a bug report to motivate someone to do something.

And, the fact that someone did compile 4.82 for Debian Jessie (the testing
release), there is someone out there who is interested in Exim on Debian.

>
> > Or is there some other source out there that has the latest exim for
> > wheezy that I could add to my sources.list file?
>
> Especially if you care about security, you will not use some random
> debian repository. There are only two alternatives:
>


Well frankly, I was not fishing for a random personal repository, sometimes
there are well known repos out there that people use, like if exim.org had
one, I'd likely trust it.


> 1. Using the debian one which might not be the newest version but they
>    care about security

>


Exactly, but there isn't, and that's the entire purpose of my message.

> 2. Using a self-compiled version with the drawback that you have to
>    care about the security by yourself.

>


I tried compiling it but it seems to suck in a lot of dependencies and
there are modifications which seem to have been made for Debian (paths to
config files and such). I can probably get it to make but going back to
compiling from source defeats the entire purpose of having a package
repository, and my decisions of where to put things are likely not going to
match the package maintainers', which means I'm stuck always updating it from
source.

>
> Regards
>    Klaus
> - --

>
>