movemail

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

movemail

Richard Stallman
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Should we delete the movemail program, given these problems with it?

configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
configure: You might want to install GNU Mailutils
<http://mailutils.org> and use './configure --with-mailutils'.

--
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Eli Zaretskii
> From: Richard Stallman <[hidden email]>
> Date: Mon, 31 Jul 2017 21:19:52 -0400
>
> Should we delete the movemail program, given these problems with it?

No, because non-Posix systems have no choice but use it.  Gnu
Mailutils are blatantly Posix-centric and don't build on anything
else.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Paul Eggert
>> Should we delete the movemail program, given these problems with it?
> No, because non-Posix systems have no choice but use it.  Gnu
> Mailutils are blatantly Posix-centric and don't build on anything
> else.

Instead of deleting movemail, we could change 'configure' so that
'--without-pop' is the default. This wouldn't affect platforms that use GNU
Mailutils, and would improve security on other platforms' default installation.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Eli Zaretskii
> Cc: [hidden email]
> From: Paul Eggert <[hidden email]>
> Date: Tue, 1 Aug 2017 09:18:57 -0700
>
> >> Should we delete the movemail program, given these problems with it?
> > No, because non-Posix systems have no choice but use it.  Gnu
> > Mailutils are blatantly Posix-centric and don't build on anything
> > else.
>
> Instead of deleting movemail, we could change 'configure' so that
> '--without-pop' is the default. This wouldn't affect platforms that use GNU
> Mailutils, and would improve security on other platforms' default installation.

Once again, since the main mass of users of this program seems no
longer to dwell on Posix platforms, please do NOT take away the POP3
option by default.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Tim Cross-5
Do we have any figures on the percentage of users on different platforms and of those, how many of them actually need this insecure POP3 functionality?  I would have thought very few users actually need the movemail feature, especially on non-POSIX systems. Also, why is an insecure pop3 process the only solution or is it really the only solution because nobody has put time into a better secure solution?

On 2 August 2017 at 04:46, Eli Zaretskii <[hidden email]> wrote:
> Cc: [hidden email]
> From: Paul Eggert <[hidden email]>
> Date: Tue, 1 Aug 2017 09:18:57 -0700
>
> >> Should we delete the movemail program, given these problems with it?
> > No, because non-Posix systems have no choice but use it.  Gnu
> > Mailutils are blatantly Posix-centric and don't build on anything
> > else.
>
> Instead of deleting movemail, we could change 'configure' so that
> '--without-pop' is the default. This wouldn't affect platforms that use GNU
> Mailutils, and would improve security on other platforms' default installation.

Once again, since the main mass of users of this program seems no
longer to dwell on Posix platforms, please do NOT take away the POP3
option by default.




--
regards,

Tim

--
Tim Cross

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Paul Eggert
Tim Cross wrote:
> Do we have any figures on the percentage of users on different platforms
> and of those, how many of them actually need this insecure POP3
> functionality?  I would have thought very few users actually need the
> movemail feature, especially on non-POSIX systems.

I don't know of any figures. Perhaps we could get a feeling for it by having
Emacs warn the user at runtime if movemail is used in POP mode, as this is quite
insecure.

> why is an insecure
> pop3 process the only solution or is it really the only solution because
> nobody has put time into a better secure solution?

The latter, in the sense that the "better secure solution" is GNU Mailutils
(where people have put in the time). Unfortunately GNU Mailutils has not been
ported to MS-Windows.

At some point I suppose we should make --with-mailutils the default, at least on
non-MS-Windows hosts that have GNU Mailutils installed.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Eli Zaretskii
> Cc: [hidden email], Emacs developers <[hidden email]>
> From: Paul Eggert <[hidden email]>
> Date: Wed, 2 Aug 2017 01:11:11 -0700
>
> At some point I suppose we should make --with-mailutils the default, at least on
> non-MS-Windows hosts that have GNU Mailutils installed.

I'm okay with that.  We could do that right now, unless there are some
disadvantages.  (Why didn't we do that till now?)

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Paul Eggert
Eli Zaretskii wrote:
> We could do that right now, unless there are some
> disadvantages.  (Why didn't we do that till now?)

Haven't a clue. I installed the attached.

0001-Default-to-with-mailutils-if-it-is-installed.patch (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Richard Stallman
In reply to this post by Paul Eggert
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > The latter, in the sense that the "better secure solution" is GNU Mailutils
  > (where people have put in the time). Unfortunately GNU Mailutils has not been
  > ported to MS-Windows.

It is unfortunate for those who use Windows -- but then, using Windows
is itself a much greater misfortune.

If people implement Windows support in GNU Movemail, we will accept
that code following our usual practices.  But if someone asks me
whether to implement Windows support in GNU Movemail, or write something
that makes the GNU system better, we will say that the latter is what
advances our cause.

--
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: movemail

Nix-15
In reply to this post by Eli Zaretskii
On 1 Aug 2017, Eli Zaretskii told this:

>> From: Richard Stallman <[hidden email]>
>> Date: Mon, 31 Jul 2017 21:19:52 -0400
>>
>> Should we delete the movemail program, given these problems with it?
>
> No, because non-Posix systems have no choice but use it.  Gnu
> Mailutils are blatantly Posix-centric and don't build on anything
> else.

Also, if you disable POP, movemail is still used to shuffle mail from
one place to another on the local filesystem. (It just doesn't do any
network access any more.)

--
NULL && (void)

Loading...