Re: [exim-dev] XCLIENT patch to Exim; Cambridge

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Phil Pennock
Datum:  
To: Jeremy Harris
CC: exim-dev
Betreff: Re: [exim-dev] XCLIENT patch to Exim; Cambridge
On 2015-01-16 at 00:52 +0000, Jeremy Harris wrote:
> We need, I think:
> - project sponsor


If Tony, at Cam, can handle it, that would be ideal; otherwise, I seem
to have already done more work than we usually do for any feature being
merged from a submitted patch. ;)

(Of course, we also need more committers ...)

> -- delivery positioning (experimental?)


Yes. At least until we have tests, which means figuring out how to
test, a test framework, etc etc. None of which is trivial, so this is
the sort of thing which goes in as EXPERIMENTAL_XCLIENT as a "this code
exists, we might break it still" bucket.

> -- legal chasing


We appear to have approval to include, so done.

> - coder/architect
> -- builds, testcases, documentation
> -- security review (coding, operational constraints, logging)
> -- feature-incompatibility (proxy-protocol? TLS? X509 certs?)
> -- coding standards
> -- feature spinoffs (xcode string expansions?)


This should just be incompatible with proxy protocol, but with a note
that there's no _useful_ interaction with TLS, as you're only verifying
the connection from the loadbalancer, not from the end-client, and
XCLIENT does not support passing on attributes of the TLS session,
not even that there is one. So this limits authentication restriction
to TLS and makes it impossible for gsasl users to set up channel binding
information (which, currently, is not a loss since the current channel
binding data turns out to be a security hole resulting from TLS
problems).

We have coding standards? I mean, that's cool, but that's also new. We
should have them. What's the proposal? Are we also looking at using a
decent code-review tool?

> [ I'm hoping you're setting yourself up for both roles... ]


I can do a security review and one-time merge, but can't commit to more
than that; I haven't even found time to look at the DANE work. :(
There's also hummus/tahini stuff to do first, on my plate for when I
have Exim time.

I mostly just blinked at seeing XCLIENT in the list of build options on
FreeBSD for a system where I stick to Ports, after the recent work added
to the build-options so I got reprompted during a poudriere run.

-Phil