Procmail got updated!

Matthias Andree matthias.andree at gmx.de
Tue Dec 19 18:04:07 UTC 2017


Am 19.12.2017 um 01:30 schrieb Ted Hatfield:
>
>
> On Mon, 18 Dec 2017, Matthias Andree wrote:
>
>> Am 18.12.2017 um 00:17 schrieb Dave Horsfall:
>>> Doing my regular update, and...
>>>
>>>     Upgrading procmail from 3.22_9 to 3.22_10...
>>>
>>> Good grief; who's the masochist who volunteered to support this
>>> obscure insecure and hitherto-unsupported scripting language?
>>>
>> https://svnweb.freebsd.org/ports?view=revision&revision=455800
>>
>> I'd agree we should pull the plug on the package. We'll be in for the
>> usual "but it works for me" screaming of the irresponsible people who
>> don't care (and most of them won't know that they need to write the
>> exception/error handling themselves in their .procmailrc recipes).
>>
>> Sunpoet, can we mark the port as deprecated given that even the upstream
>> once said it should best be abolished? I can't find the reference now,
>> the procmail.org website displays "Site hosting in transit, information
>> will be back up shortly."
>>
>
> Dear Matthias,
>
> As one of the "irresponsible" people who is still using procmail on
> our systems and has built an number of scripts and customer
> infrastructure around it I take exception to the term irresponsible. 
> Perhaps the better word is overworked.  If I had the time to move to
> dovecot/sieve or maildrop as a local delivery agent I would have done
> so by now.
>
> Ted Hatfield

Dear Ted, Eugene,

I think if the procmail language were a bit more "regular", someone
would have written converter scripts long ago by now.

Other than that, I find it hard to believe that people don't have time
for over x in [3; 17] years to migrate, which in many cases would in my
book be more a situation of "I don't want to..." rather than "I am
unable to...". I don't mean to judge your situation, just that to me it
looks a matter that you have not yet found it important enough to bother.

Given that the former maintainer asked OpenBSD to pull the plug on the
port already 37 months ago (see here
<https://marc.info/?l=openbsd-ports&m=141634350915839&w=2>) after
findings from fuzzing, and now to see security updates to a defunct
upstream port, I don't think we should keep the port around for much
longer. The expiration I was proposing isn't "axe it out now", we would
not normally do that, and it's at the maintainer's (i. e. sunpoet@'s)
discretion what expiration date, if any, will be set.

But the question if we as downstream packagers/providers want to step in
for a package abolished by the upstream almost a generation ago, is one
that needs serious consideration. I wouldn't endorse that the project
waste time on decrepit ports for which decent alternatives exist.


Best,
Matthias





More information about the freebsd-ports mailing list