When compiling uw-imap with ssl, the ebuild specifically turns on support for clear text passwords in nonsecure transports. For real servers this is not a good thing. I propose using a local USE flag to allow compiling with relaxed security. This way I can enjoy the uw-imap updates without always first fixing the ebuild to the original security level.
Created attachment 52443: "lowsecurity" local flag
net-mail please advise.
I'm all for it, with disabling cleartext passwords usage by default. There's already a suitable local USE flag for this - "clearpasswd" - used by two other packages.
uw-imap-2004c-r3.ebuild is in CVS portage, with added "clearpasswd" USE flag and an ewarn message for users in pkg_setup(). Thanks for suggesting this, it's a good idea. security@, feel free to close this bug, as it's yours.
The clearpasswd notification should only be displayed if "use ssl" is true. That is the requirement for any sort of secure transport. Otherwise the uw-imap-2004c-r3.ebuild is excellent.
Ah, sorry about that omission. Fixed in CVS now.
The warning for USE="-ssl -clearpassword" case contains a typo. Current: Either enable "ssl" USE flag, or disable "clearpasswd" USE flag. Should be: Either enable "ssl" or "clearpasswd" USE flag.
Hm, I shouldn't commit after sleep deprivation. Sorry everyone.
I guess this one also affects vimap, doesn't it? Cheers, Ferdy
Yup, vimap too. Fixed in 2002c-r3.
Arches please test and mark uw-imap-2004c-r3 and vimap-2002c-r3 stable.
Both ebuilds stable on x86.
Stable on ppc.
sparc stable.
uw-imap-2004c-r3 stable on amd64, vimap is all ~amd64 and has not yet had much testing.
Stable on alpha.
Thx everyone. Default Config issue -> closing. hppa please remember to mark stable.
Already stable on hppa