Saturday, September 30, 2023

Re: exim

Renaud Allard <renaud@allard.it> wrote:

> On 30/09/2023 16:32, Theo de Raadt wrote:
> > I'll try to summarize my point.
> >
> > When less-secure AND more-secure pieces of software exist in the
> > same role/service area, I think it is valid for developers who
> > care about security of their userbase to *DEMOTE* the less-secure
> > variations.
> >
> > This kind of "hide the garbage" policy needs to exist somewhere
> > in the greater community, otherwise we have a situation where
> > software use is decided by "oh look, it is pretty".
> >
>
> You are the captain of this boat. I think if there are bad fishes, you
> will take the right decision.

I don't make any decisions in ports, I can only make comments.

> After some discussion in the exim IRC channel, I am not sure there will
> be fixes for everything soon. Given that one of the issues is in libspf2
> and there have been no updates in this project since 2021. Maybe we
> should discard libspf2 too then, which means also milter-greylist.
> Maybe it's time for a good cleanup.

Well, contrast that with the 4 layers of defence added inside ssh-agent for
dlopen being a broken interface.

You do what you do....
