Weekly Edition
Return to the Distributions pageRecent Features
| |||||||||||||
Packaging qmail for DebianAn effort to get the qmail mail transfer agent (MTA) into Debian repositories has run aground due to various concerns, but the overriding one seems to be a distaste for qmail itself. Distributions make package availability decisions based on "taste" all the time, but they are generally made strictly on technical grounds, which does not seem to be the case here. While it has its share of detractors, qmail is a relatively popular MTA—with an excellent security track record—and one of the main impediments, its license, has changed in the last year. Because of that, it makes it a bit hard to understand why qmail would be kept out of Debian. More than six months ago, Gerrit Pape had uploaded qmail and related packages to the ftp-master system, but they have yet to be added to the official Debian archive. He recently outlined his efforts in a post to debian-devel trying to see if he could break a kind of standoff between him and the ftpmasters, who are the folks that decide which packages get moved into the official archives. More than two months after his first upload of the packages, Pape got a reply from Joerg Jaspert outlining multiple technical reasons why the packages were being opposed, but also containing the following disheartening verdict:
Aside from these technical - and possibly fixable - problems, we (as in the
ftpteam) have discussed the issue, and we are all of the opinion that qmail
should die, and not receive support from Debian. As such we *STRONGLY*
ask you to reconsider uploading those packages.
After that, Pape addressed some, but not all, of the technical complaints and uploaded updated packages along with a reply to Jaspert's rejection on September 1. Since that time, there has been no action on the packages nor any further communication from the ftpteam, which is what led to the debian-devel post. Responses there mostly backed the ftpmaster's "decision"; qmail, it seems, is not very popular with many Debian developers. Unfortunately, some of the complaints are based on old or faulty information. There is a reasonably active upstream and, since Daniel J. Bernstein (aka djb) released the code into the public domain, there is no longer the need to patch qmail to get a sensible MTA. There are some legitimate concerns, in particular the backscatter that gets created by the default qmail configuration, but it is rather disingenuous to list security as one of those problems. While not as bulletproof as djb would have it, qmail does have a long record of few security problems. In response to claims that the Debian security team would have more work because of qmail's inclusion, Moritz Muehlenhoff makes it clear that the team won't block qmail. Florian Weimer puts it this way:
Like Moritz, I don't see issues with security support, provided that
the number of additional patches is rather small. (To my knowledge,
badly patched qmail with a SMTP AUTH bypass vulnerability was one of
the few MTAs which were actually exploited to send spam in recent
times.) I'm also not sure if upstream can be considered dead, and
arguments along that line are not very convincing because similar
criticism could be brought against our default MTA.
I can understand that people have strong feelings. I'm willing to provide security support, but it's extremely unlikely that I'll run qmail on production MTAs ever again. 8-/ In the end, it comes down to emotions, largely. People generally feel strongly about qmail, either hating it or loving it, with few who know much about it anywhere in between. Clearly the ftpteam has the responsibility to reject packages on technical grounds, but are they the arbiters of taste for Debian as well? An earlier thread about including qmail, from shortly after djb freed the code, showed a fair amount of interest in qmail, along with some opposition. It is unlikely that all Debian developers are happy with all of the packages currently supported by the distribution, so singling qmail out seems rather arbitrary. As Wouter Verhelst notes:
As long as qmail is free, packaged
properly, and integrates well with the rest of Debian, I don't see why
anyone should oppose its packaging.
Whether or not it's a good MTA, the fact is that it's a *popular* MTA. That alone should be a good reason to package it. Installing qmail has always been painful; it is a package that cries out for distribution integration, which Pape is trying to provide. Whether it gets into the official repositories or not, unofficial qmail packages do exist. If the problems with qmail are largely packaging-related, it is hard to see how they will get fixed by staying unofficial. But if the problems are based on an emotional response to qmail itself—whether based in technical concerns or not—it is hard to see how a developer can overcome them. (Log in to post comments)
Taste Posted Dec 4, 2008 3:43 UTC (Thu) by ncm (subscriber, #165) [Link] If you're going to start rejecting packages because just they're stupid and wrong, why are libxalan110 and libxerces-c28 still in the repository?The modern patched qmail codebase is not stupid and wrong, odd as it is in some ways. The real complaints about qmail have nothing to do with the code. Rather, it's that most people find it uniquely hard to maintain civil interactions with qmail promoters, and blame them for it. Probably the ftpmasters fear they would be obliged to interact with them more were it in. They're probably right about that. One can reasonably conjecture that the OpenSSH fiasco would not have devolved the way it did if upstream were easier to work with.
Taste Posted Dec 4, 2008 17:16 UTC (Thu) by felixfix (subscriber, #242) [Link]
Right on! The qmail list is one of the most abrasive I can think of. Dare to impugn qmail in any way and you'd think you were an atheist dropped into the Spanish Inquisition. I lurk there, but have long since given up asking questions; the hatred just isn't worth it, and if you get any answers, they are so cryptic as to be useless. If you try asking for clarification, the return attitude seems to be that if you aren't smart enough to understand it, you should stop trying to run qmail.
I really like a lot about qmail, especially the simple configuration of mostly just files. But the patches suck -- so many of them conflict with other patches, and there are combined patches which do 90% of what you want but add in a few things you don't want, and the patch which would provide the other 10% functionality also provides other functionality which you don't want and which conflicts with the first patch.
None of this would have happened if qmail had been GPL right from the start. The qmail inner circle has a morbid fear of the GPL, expressed as paranoia about corruption of qmail purity, as if the great unwashed masses would add enough bad code to subvert all its holy goodness.
I had great hopes that DJB's release into the public domain would cause a thousand flowers to bloom, but alas, it seems qmail may have waited too long, with all MTA work being done elsewhere, such as Postfix, and only the old grouchy fossils still working on qmail.
Taste Posted Dec 8, 2008 3:59 UTC (Mon) by xoddam (subscriber, #2322) [Link]
Speaking of taste ...
> an atheist dropped into the Spanish Inquisition
... You just described the premise of one of my all-time favourite books:
http://www.amazon.com/Knowledge-Angels-Jill-Paton-Walsh/d...
Xalan & Xerces Posted Dec 5, 2008 14:03 UTC (Fri) by alextingle (guest, #20593) [Link]
We use Xalan. I considered moving to libxslt a year or two ago, but when we benchmarked it, we found that Xalan was much much faster.
What are you specific gripes with these packages? Is there something I should know?
Xalan & Xerces Posted Dec 5, 2008 22:07 UTC (Fri) by ncm (subscriber, #165) [Link]
When last I checked (in 2001), both were badly designed (being straight-across ports of the Java libraries), unmaintained and terribly, terribly leaky. Furthermore, Xalan was half as fast as libxslt.
I suppose it's possible that things changed. Processors have different performance characteristics, compilers generate sometimes better code, and projects sometimes pick up aggressive janitors. Most likely your use case differs. I was running it on five gigabyte files in 2001, and speed and leakage mattered.
Packaging qmail for Debian Posted Dec 4, 2008 13:21 UTC (Thu) by Wummel (subscriber, #7591) [Link]
Well, I am a Debian developer and a happy qmail user.
I installed qmail on my Debian system 8 years ago, and never looked back.
I am surprised that ftp-masters are against adding qmail. There are a lot of somewhat duplicate packages (eg. todo list managers) so why not have one more smtp server?
On the positive side Debian makes it easy to install qmail from Gerrit Papes repository (linked in the article). Just add another line in /etc/apt/sources.list and you are done.
Packaging qmail for Debian Posted Dec 4, 2008 13:39 UTC (Thu) by duck (guest, #4444) [Link]
FTPmasters are of course free to have as many opinions as everybody else.
I do not mind if they wish that a specific project or piece of software disappears. However, if they base their decision to accept other people's work (which is highly valued by some debian users) on their personal feelings about a project instead of hard facts, they are plainly exercising censorship.
The ftpteam must be removed. ASAP.
Packaging qmail for Debian Posted Dec 5, 2008 4:16 UTC (Fri) by bronson (subscriber, #4806) [Link]
> The ftpteam must be removed. ASAP.
Haha, yeah! Just make the upload password "anonymous" and let everyone upload their own packages.
Packaging qmail for Debian Posted Dec 5, 2008 10:26 UTC (Fri) by duck (guest, #4444) [Link]
:-)
You are right, of course. I want them exchanged
Packaging qmail for Debian Posted Dec 4, 2008 16:25 UTC (Thu) by skvidal (subscriber, #3094) [Link]
This might just be my own perspective but was this a news report or an editorial? There are lots of comments in this article which fairly obviously show the bias of someone in favor of qmail coming into debian. Which is a bit unfair if this is a news article about that debate.
Packaging qmail for Debian Posted Dec 4, 2008 17:12 UTC (Thu) by jake (editor, #205) [Link]
> There are lots of comments in this article which fairly obviously show the
> bias of someone in favor of qmail coming into debian.
Sorry it came across that way as I truly have no opinion about whether Debian should have qmail or not. It *does* seem puzzling to me that a small group could block the inclusion of a popular MTA based on what seem to me to be fairly arbitrary biases, some incorrect ones at that. The process seems broken to me and I was trying to make that opinion clear in the article.
In general, we aren't shy about making our opinion known in our articles here, so long as readers can separate the opinion from the fact. However, giving my opinion, but having it misconstrued, is one of my specialties :) That is something I need to get better at avoiding.
jake
Packaging qmail for Debian Posted Dec 5, 2008 13:45 UTC (Fri) by nhippi (subscriber, #34640) [Link]
> ...are they the arbiters of taste for Debian as well?
There is a difference between "being the arbiter of taste" and just expressing your personal taste. Notice that he specifically asks to reconsider rather than flat out deny.
> It *does* seem puzzling to me that a small group could block the inclusion
I'd see the process broken only if they block it merely on taste, even after all the technical issues are fixed and incorrect biases have been corrected.
The real problem here is the slowness in processing of ALL new packages by ftp-master.
Packaging qmail for Debian Posted Dec 6, 2008 1:43 UTC (Sat) by hingo (guest, #14792) [Link] Jake, IMHO this was one of your better articles ever written during your LWN tenure. In fact, only now I realise it was yours and not Jonathan's. I'd say this article's combines a perfect balance of fact, reason and opinion. Not to mention substance, which is to write about something that matters - having an opinion on something that doesn't really matter... well, why would I read that.I really have to admire you for living up to the high standards set by Mr Corbet. Congrats!
Packaging qmail for Debian Posted Dec 6, 2008 3:09 UTC (Sat) by dmag (subscriber, #17775) [Link]
If there is "bias" in this article, I don't see it.
Jake is saying that Qmail (As a large, well-known free project) should have a presumption of inclusion. The FTP Team should not block things (or even threaten to block things) just because it makes their lives simpler. The arguments that the FTP Team gave just don't hold water, so the ball is in their court.
One thing that could have been made clearer: Is the multi-month delay normal, or is that evidence of foot-dragging?
Hopefully one of 3 things happens:
I for one am glad this article was written. (As with all of LWN!)
-=Dan=-
Packaging qmail for Debian Posted Dec 4, 2008 18:05 UTC (Thu) by clugstj (subscriber, #4020) [Link]
Well, I read the article as a disinterested party and would have to say that it is not biased. The facts demonstrate that the "ftpteam" dislike and are blocking qmail for non-technical reasons. If you have a strong opinion on this issue, then I would humbly submit that the bias may be yours.
Packaging qmail for Debian Posted Dec 4, 2008 18:16 UTC (Thu) by skvidal (subscriber, #3094) [Link]
I don't work on debian nor work on qmail, or, for that matter, any smtp daemon. That's why I was surprised at how much bias I noticed in the article.
Packaging qmail for Debian Posted Dec 4, 2008 18:45 UTC (Thu) by ncm (subscriber, #165) [Link] What I got was that jake is genuinely mystified at the resistance -- understandably, because the real reasons for it are not discussed. It's clear that by Debian's normal cultural mores, qmail should be in.My guess is that if the ftp team (unfortunate name, by the way) could be sure they would never need to deal with typical qmail promoters, they would have no problem with qmail itself. Imagine, for example, an actually sane person committed to resolving all qmail-related details, and to shielding them from such contact. However, to make such a commitment would disqualify that person. With SSH, there is no choice, but we have lots of MTAs.
Packaging qmail for Debian Posted Dec 4, 2008 18:35 UTC (Thu) by jmm (subscriber, #34596) [Link]
It should be noted that Qmail is already part of Debian non-free since more than 10 years:
http://packages.debian.org/changelogs/pool/non-free/q/qma...
Packaging qmail for Debian Posted Dec 8, 2008 21:41 UTC (Mon) by branden (subscriber, #7029) [Link]
Now that's a good point. And uploaded as recently as September.
For me, this sheds new light on the old "keep non-free in Debian" wars. If only I had realized back then that qmail wasn't really "in" Debian because it was merely available in the non-free section.
If we'd just given non-free the boot years ago, then by definition we couldn't have been depriving people of say, qmail, because it already wasn't there. Since it isn't, we know why such importance is placed on getting it into into main...
Packaging qmail for Debian Posted Dec 11, 2008 10:47 UTC (Thu) by hensema (guest, #980) [Link]
I don't oppose to packaging qmail in any distribution, including debian. However PLEASE don't EVER package qmail in the default backscatter producing configuration. Such installs should be banned from the internet (placing them on DNSBLs on sight is a very good first step).
qmail may be secure to the site administrator, it's a security nightmare to the rest of the internet. It's a piece of anti-social software. Please make it impossible for qmail to generate bounces when it can and should generate rejects.
|
|||||||||||||