https://bugzilla.redhat.com/show_bug.cgi?id=1517572

Petr Pisar <ppisar@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppisar@xxxxxxxxxx

--- Comment #4 from Petr Pisar <ppisar@xxxxxxxxxx> ---
lrzip is not only orphaned. It's actually retired. The reason is it contains
various security flaws, the upstream is not willing to fix them, other
maintainers cannot because the format of the archive has never been specified,
and moreover it bundles an ancient zpaq library (that's part of the
vulnerability) that even lrzip's author cannot unbundle or replace with an
up-to-date version because he does not understand the zpaq internals to adjust
it to lrzip's needs.

In my opinion, amavis should not hard-require various unpacking tools. There
are myriads of obscure formats that would drag in obscure and usually
unmaintained tools, and many of them are not even packaged in the distribution.
Using these crappy tools would actually create a new attack vector against the
SMTP server and thus actually lower the security of the whole system.

I would prefer if these dependencies were made optional (Recommends or Suggests
on RPM level) and amavis should be able to cope with their unavailability (to
log that it saw a message that it was unable to unpack, or per a configuration
to discard the message because it was unable to inspect it).