uw-imap problems with latest emerge 2004c-r3

[Paul Forgey]

Just just emerged the latest uw-imapd 2004c-r3 a few minutes ago. It no longer logs users in unless the connection is over ssl. When failing the authentication, it logs "account disabled". It does this for _all_ accounts which are able to authenticate just fine for other services including telnet, ftp and ssh. Again, imap ssl connections work.

How do I either fix this or back out of the latest update?

[wokan]

I'm experiencing the same difficulties. Originally I didn't think it was imap causing the problem as only my wife was having difficulty getting her email. I was using it just fine from work, but at work I access my home imap via SSL.
_________________
Digital Wokan
Tribal Mage of the Electronics Age

[Paul Forgey]

[j-m]

[andyjeffries]

[j-m]

Always read the Changelog before ugprading server packages... At least do

[andyjeffries]

[j-m]

OK, so disagree. Otherwise, "clearonlyssl" makes no sense. You would have no problems if you read the changelog before upgrading.

[GamesBond]

I don't agree, this just breaks stuff that has been working before.

At *least* the ebuild should have paused and have given a prompt to continue with a warning

This sucks

[j-m]

[ticho]

All I can say to this, is that those who blindly update production services deserve what they get. When upgrading a package, one really should have a look at what exactly is new, and decide to upgrade or not to upgrade. Gentoo even provides you with convenient ways to ignore a certain upgrade (package.mask).

Another thing - ewarn/einfo messages are meant to be read by the admin, and that's *YOU*.
_________________
The more you depend on forces outside yourself, the more you are dominated by them.

[tparker]

uw-imap isn't the only example of something suddenly 'broken' due to an upgrade - I frequently have problems with suidperl, and also other packages (which ones evade me at this minute). Yes, I agree that the changelog is there for a reason and should be read - except a further problem exists where certain packages (such as perl) are often automatically upgraded as a dependency to something else. It is very time consuming / troublesome each time to check through a whole list of dependencies just to upgrade one package - especially when half the time updates are only revision updates. (I often wonder how much electricity worldwide is wasted on re-compilation of packages en-masse by Gentoo systems).

I think a better way of securing a package would not be to change a mechanism over night, but to keep things as they are but supporting a USE flag that would compile a more secure version. Right now it's the other way round - users are forced to use the secure version unless they specify otherwise.

BTW , "emerge -aDpvl uw-imap" doesn't show me any change log. All I get is:

[langthang]

[j-m]

[labrador]

Can anyone name one other service where the default level of
security must be set through a USE variable?

If you want to build a tighter box by default, you set it up in a config file.
Disable imap by default and add a comment encouraging secure.

You should never require recompiling to achieve a security setting

There are many of us that don't need arm twisting to make tighter
security as it just doesn't apply. In my home LAN, I am not
concerned with someone picking up passwords over the one hop
between client and IMAP server. It just isn't going to happen.
I should be able to use as many clear text authentication
services as I feel like, without being forced to jump through
hoops like this that have no precedent.

As for watching emerge builds for ewarnings, this continues to
be a joke. No one watches this for the hours it sometimes
takes to build a dozen or two of updates. It is a stupid concept.
ewarnings have very little hope of being seen this way.
They should always go to emerge.log or some more useful
place.

Likewise, reading changelogs is seldom informative. It usually
says things like "version bump", "moved to stable", and
"fixed bug 34291". I'm not going to start scanning all that
background noise for some important notice involving an ebuild
that breaks all conventions of Gentoo practises.

[j-m]

[tparker]

Changelog is seldom informative because it's not particularly easy to read. When you do 'emerge -uDpvl' on a given package, chances are you would get an extremely long stream of output as there would be several prerequisites and packages that also need updating. For many people they can't even scroll back far enough to read all the output on default terminal settings (though it works fine on OS X) - and even if they could the output itself isn't exactly well formatted and easy to read.

It's all very well to say one should do their research thoroughly before upgrading, but if Linux is ever to become a successful operating system it at least needs to give the users confidence that what they're using isn't effectively just one huge 'beta test' - which is the impression I often get sometimes. I personally use a Mac - you can fiddle with the console for those who want to dig deep, yet you've got a nice GUI for the average user. Gnome/KDE just doesn't come close. But it's not even about that - as with Windows and FreeBSD, for all the deficiencies of Windows (and I do dislike Windows), at the very least it's a co-ordinated development effort. With Linux I can't help but get the feeling that changes are made to certain packages sometimes 'on a whim' by one or two (a small handful in any case) people just because 'they feel like it'.

On the whole, such paranoid security settings should not be implemented out of the blue in the first place - but if it really is necessary, then surely there must be a better way to inform the user. For changes that are known to cause people problems, there should be a clearly visible warning message (and preferably a pause) when such a package is being upgraded. Something that would be noticed even with a basic 'emerge -u package' command.

Right now, i've lost count how many times i've had headaches over suddenly not working daemons on my gentoo servers...

Terence

[TerminalAddict]

one more vote for "this sucks"

[labrador]

[dopey]

[mattman206]

I agree. +1 vote for "this stinks". At least Gentoo has good forums where problems like this can usually be fixed in less than a day.

I run a Gentoo server that has some important, although non-critical, services running like apache, exim, and uw-imapd.

When I update the server it usually goes something like this (right out of the book):

[DarrenM]

What a moronic use of USE flags. Apps should work by default when installed IMO. Having a USE flag for a higher level of security sure, but having to add one just to make it work is ridiculous.

I put this one up there with the classics like "dvd" and "cdparanoia".

[dopey]