On 6 Mar 2017, at 9.17, Tom Sommer <mail at tomsommer.dk> wrote:> > > On 2017-02-24 14:34, Timo Sirainen wrote: >> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz >> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz.sig > > Are there any plans to do a bugfix-release, that includes the few issues seen in the mailing-list, or do you consider 2.2.28 safe to upgrade to?I don't see anything critical. A couple of bugs that might or might not affect you. We'll have 2.2.29 soon enough, so no plans for other releases before that.
On 03/06/2017 11:30 PM, Timo Sirainen wrote:> On 6 Mar 2017, at 9.17, Tom Sommer <mail at tomsommer.dk> wrote: >> >> On 2017-02-24 14:34, Timo Sirainen wrote: >>> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz >>> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz.sig >> Are there any plans to do a bugfix-release, that includes the few issues seen in the mailing-list, or do you consider 2.2.28 safe to upgrade to? > I don't see anything critical. A couple of bugs that might or might not affect you. We'll have 2.2.29 soon enough, so no plans for other releases before that.Truncating passwords with dict protocol* seems quite critical to me. :-O Or is it just me, who's affected by that? *: http://dovecot.org/list/dovecot/2017-February/107265.html
On 07.03.2017 10:52, Nagy, Attila wrote:> On 03/06/2017 11:30 PM, Timo Sirainen wrote: >> On 6 Mar 2017, at 9.17, Tom Sommer <mail at tomsommer.dk> wrote: >>> >>> On 2017-02-24 14:34, Timo Sirainen wrote: >>>> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz >>>> http://dovecot.org/releases/2.2/dovecot-2.2.28.tar.gz.sig >>> Are there any plans to do a bugfix-release, that includes the few >>> issues seen in the mailing-list, or do you consider 2.2.28 safe to >>> upgrade to? >> I don't see anything critical. A couple of bugs that might or might >> not affect you. We'll have 2.2.29 soon enough, so no plans for other >> releases before that. > Truncating passwords with dict protocol* seems quite critical to me. :-O > Or is it just me, who's affected by that? > > *: http://dovecot.org/list/dovecot/2017-February/107265.htmlHi! The password is not actually truncated, it's actually subjected to var_expand, which is silly. We are working on a patch for this and let y'all know when it's ready. The only truncation happens with % as last character. Aki
On 3/6/17 2:30 PM, Timo Sirainen wrote:> I don't see anything critical. A couple of bugs that might or might > not affect you. We'll have 2.2.29 soon enough, so no plans for other > releases before that.As a comment: When trying to choose which version of Dovecot to use in production, I've found it difficult that minor point releases add new features and make other changes, as well as purely fixing bugs. It's a challenge to find a Dovecot version that fixes known issues without introducing other (possibly problematic) changes. As a result, I end up using what seems to be a mostly stable version, plus "extra patches I grabbed from reading the mailing list". I'm grateful for all the effort put into the code, but for me, at least, it would be easier to work with if new features and changes were only in new versions like 2.3, with 2.2.x only fixing bugs. (And when 2.3 is stable, new features would be in 2.4, with 2.3.x just fixing bugs, and so on.) This is the model used in Postfix development, for example, and I find it easier to work with in terms of finding a known stable version. But again, this could be just me, and I apologize if this has already been suggested and found inappropriate. As I said, I definitely appreciate that the code is constantly being improved. -- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/