This is the mail archive of the
cygwin-apps
mailing list for the Cygwin project.
Re: Do we need a new maintainer for fetchmail?
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin-apps at cygwin dot com
- Cc: Jason Tishler <jason at tishler dot net>
- Date: Tue, 30 Nov 2010 13:42:12 +0100
- Subject: Re: Do we need a new maintainer for fetchmail?
- References: <4CF445B3.7060104@gmx.de>
- Reply-to: cygwin-apps at cygwin dot com
On Nov 30 01:30, Matthias Andree wrote:
> Greetings,
>
> the fetchmail package for Cygwin is at version 6.3.9, released two years ago,
> and with known security vulnerabilities and errata:
>
> CVE-2009-2666 - improper TLS cert validation allows MITM attacks to go unnoticed
> CVE-2010-1167 - heap overflow in verbose mode
> EN-2010-03 - improper SASL/AUTH implementation causes bogus auth failures
>
> And a gazillion of bugfixes since 6.3.9 provided in [1], including critical
> fixes for long-standing bugs.
>
> Fetchmail does not currently require Cygwin-specific patches.
Cool!
> I have provided Jason Tishler with up to date packages for the current fetchmail
> 6.3.18 package (with selected upstream fixes from post-6.3.18 Git) a fortnight
> ago, built on Cygwin 1.7.7 32-bit (Win 7), without any response.
Well, that could mean he just has very limited time right now or he's
on vacation.
> I don't mean to take over maintainership, but -- can we do non-maintainer
> updates in such situations?
Thanks for the offer, but we don't do that, usually. I understand that,
as an upstream maintainer, you're keen to see a more up-to-date and more
bug-free version of fetchmail in the distro. However, unless the
maintainer steps down officially, and unless another person volunteers
to take over maintainership of a package, we don't take new versions
of a package. While we have a couple of currently unmaintained/orphaned
packages, in general we only really like packages which have a distro
maintainer.
So, first I'd really like to get a word from you, Jason.
If Jason is AWOL for a longer period of time (which I doubt, since he
was still active on the cygwin list early November), then we can talk
about taking over maintainership, if that's an option for you.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat