qmail installs both checkpassword and cmd5checkpw
This may be great for some installs, but they're not needed on others.
The recent GLSA brought this to my attention.
I realize that if I'm not using it, I don't have much to worry about, but still. If it's not needed, I don't want it on my server.
Steps to Reproduce:
1. emerge qmail
A USE flag related to checkpassword and cmd5checkpw would be nice. If that
existed, these packages could be installed, only if needed.
The converse bug to this is the fact that their are multiple checkpassword
implementations. Currently only two are in portage. The default, and
However qmail requires that checkpassword is installed, as mentioned in the
initial report. You should be able to install a different checkpassword.
I would like to add, that you can supply a use-flag named "noauthcram" in newest
qmail ebuilds. If this flag is supplied, cmd5checkpw really should not be installed!
The problem with this is, that if the user decides to enable the corresponding
options in conf-smtpd (cmd5checkpw), things will break. Can this be tollerated?
I obviously would say yes. ;-)
What about a "big fat warning" insde the configfile?
Sounds good. I'll implement this.
Done in CVS. Can you please check wether it's what you meant?
No response in a month, closing.