[RndTbl] procmail replacement?

Trevor Cordes trevor at tecnopolis.ca
Sat Nov 26 00:26:37 CST 2016


On 2016-11-25 Kevin McGregor wrote:
> From https://lwn.net/Articles/416901/
> Officially, the last stable procmail release
> <ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/> was
> version 3.22, made in September of 2001. As one might expect, there

To me this smacks of "it's old, not new and shiny, so let's abandon
it".  I'm always of the school of thought that old = tried&true =
well known = better (contrast systemd).

FWIW I've used procmail exclusively on all boxes (quite a few) since
1992.  Never had a problem.  It has rarely had any sec hole
announcements.

The fact that it was perfected in 2001 is, to me, a sign of quality,
not the opposite.  It has to do one small thing and do it well.  That
it does!  (contrast systemd, again)  The fact I never have to think
about or worry about procmail, even across OS versions and upgrades, is
a huge plus in my book.

> From https://marc.info/?l=openbsd-ports&m=141634350915839&w=2
> 
> Executive summary: delete the procmail port; the code is not safe and
> should not be used as a basis for any further work.

That would mean something if it wasn't from the "openbsd-ports"
people!  They have a different idea of "not safe" than nearly everyone
else on the planet.  Their "not safe" doesn't mean "hackable", it means
"we didn't write it".

Procmail is widely used, for nearly forever, and has had a lot of hours
being hammered in production and lots of eyes looking at the code.  I'm
sure those so inclined have already tried to find holes in it.  Like I
said above, I think I can recall one security patch for it in the last
15 years?  That's impressive.  Compare to, say, phpMyAdmin, ugh.

People never keep in mind: new & shiny = bugs/holes have yet to be
found; NOT new & shiny = secure!

> wondering: If I'm going to go to the trouble to locate and install
> something (i.e. no default is available) should I go with procmail or

I would say if you and your users already know procmail (i.e. the
recipe syntax) then stay with it.  If you're greenfield, then go
with whatever looks promising to you.  Not sure what else fits the
bill because I'm completely satisfied with procmail!

(P.S. I would add that I wouldn't mind seeing someone compile in pcre
into procmail, but that would just be gravy.)

