# uw-imap problems with latest emerge 2004c-r3

## Paul Forgey

Just emerged the latest uw-imapd 2004c-r3 a few minutes ago. It no longer logs users in unless the connection is over ssl. When failing the authentication, it logs "account disabled". It does this for _all_ accounts which are able to authenticate just fine for other services including telnet, ftp and ssh. Again, imap ssl connections work.

How do I either fix this or back out of the latest update?

----------

## wokan

I'm experiencing the same difficulties.  Originally I didn't think it was imap causing the problem as only my wife was having difficulty getting her email.  I was using it just fine from work, but at work I access my home imap via SSL.

----------

## Paul Forgey

 *wokan wrote:*   

> I'm experiencing the same difficulties.  Originally I didn't think it was imap causing the problem as only my wife was having difficulty getting her email.  I was using it just fine from work, but at work I access my home imap via SSL.

 

That's exactly how I found the problem too!  My wife called me from work.  Since I use SSL on my laptop to my imap server from work, it took me a little while to catch on to what was going on.

Found it: re-emerge with clearpasswd in USE.

----------

## j-m

 *Quote:*   

> 
> 
> 03 Mar 2005; Andrej Kacian <ticho@gentoo.org> uw-imap-2004c-r1.ebuild,
> 
>   +uw-imap-2004c-r3.ebuild:
> ...

 

 :Idea: 

----------

## andyjeffries

 *j-m wrote:*   

>  *Quote:*   
> 
> 03 Mar 2005; Andrej Kacian <ticho@gentoo.org> uw-imap-2004c-r1.ebuild,
> 
>   +uw-imap-2004c-r3.ebuild:
> ...

 

What a twatty change!!!  I'm sorry and I know it's a better idea, but you can't make a change like that that breaks current installations!

I'm really glad I'm using Gentoo on servers now!!!

 :Sad: 

----------

## j-m

Always read the Changelog before upgrading server packages... At least do

```
emerge -aDpvl [package_name]
```

 *Quote:*   

> 
> 
> --changelog (-l)
> 
>               Use this in conjunction with the --pretend action.  This will show the ChangeLog entries for  all  the  packages
> ...

 

----------

## andyjeffries

 *j-m wrote:*   

> Always read the Changelog before upgrading server packages... At least do
> 
> ```
> 
> emerge -aDpvl [package_name]
> ...

 

I still disagree with making a change like that to a package that's working.  I guess something like a new use flag of "clearonlyssl" would be better.

Am I the only one that feels there is something inherently wrong in making a change to a long standing package like this that breaks current functionality?

Cheers,

Andy

----------

## j-m

OK, so disagree. Otherwise, "clearonlyssl" makes no sense. You would have no problems if you read the changelog before upgrading.

----------

## GamesBond

I don't agree, this just breaks stuff that has been working before.

At *least* the ebuild should have paused and have given a prompt to continue with a warning

This sucks

----------

## j-m

 *GamesBond wrote:*   

> I don't agree, this just breaks stuff that has been working before.
> 
> At *least* the ebuild should have paused and have given a prompt to continue with a warning
> 
> This sucks

 

It does:

```
# Runs before the build: warn about, or reject, the chosen USE flag combination
pkg_setup() {
        echo
        if use clearpasswd; then
                ewarn "Building uw-imap with cleartext LOGIN allowed. Disable \"clearpasswd\" USE"
                ewarn "flag to restrict cleartext LOGIN to SSL/TLS sessions only."
        else
                if use ssl; then
                        ewarn "Building uw-imap with cleartext LOGIN restricted to SSL/TLS sessions only."
                        ewarn "Enable \"clearpasswd\" flag to allow unrestricted cleartext LOGIN."
                else
                        # No SSL and no cleartext LOGIN would leave no way to log in
                        ewarn "You have disabled SSL for uw-imap, but want cleartext passwords restricted to"
                        ewarn "SSL/TLS sessions only. Either enable \"ssl\" USE flag, or \"clearpasswd\""
                        ewarn "USE flag."
                        die "Impossible USE flag combination, see above message"
                fi
        fi
}
```

----------

## ticho

All I can say to this, is that those who blindly update production services deserve what they get. When upgrading a package, one really should have a look at what exactly is new, and decide to upgrade or not to upgrade. Gentoo even provides you with convenient ways to ignore a certain upgrade (package.mask).

Another thing - ewarn/einfo messages are meant to be read by the admin, and that's *YOU*.

----------

## tparker

uw-imap isn't the only example of something suddenly 'broken' due to an upgrade - I frequently have problems with suidperl, and also other packages (which ones evade me at this minute). Yes, I agree that the changelog is there for a reason and should be read - except a further problem exists where certain packages (such as perl) are often automatically upgraded as a dependency to something else. It is very time consuming / troublesome each time to check through a whole list of dependencies just to upgrade one package - especially when half the time updates are only revision updates. (I often wonder how much electricity worldwide is wasted on re-compilation of packages en-masse by Gentoo systems).

I think a better way of securing a package would not be to change a mechanism overnight, but to keep things as they are but supporting a USE flag that would compile a more secure version. Right now it's the other way round - users are forced to use the secure version unless they specify otherwise.

BTW, "emerge -aDpvl uw-imap" doesn't show me any change log. All I get is:

 *Quote:*   

> These are the packages that I would merge, in order:
> 
> Calculating dependencies ...done!
> 
> [ebuild   R   ] net-mail/uw-imap-2004c-r3  -clearpasswd -debug +ipv6 -kerberos -pic +ssl 0 kB

 

Terence

----------

## langthang

 *tparker wrote:*   

> BTW , "emerge -aDpvl uw-imap" doesn't show me any change log.

 

because you already *upgraded*

```
These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild R ] net-mail/uw-imap-2004c-r3 -clearpasswd -debug +ipv6 -kerberos -pic +ssl 0 kB
```

from `man emerge`

```
       --changelog (-l)
              Use this in conjunction with the --pretend  action.   This  will
              show  the  ChangeLog  entries  for all the packages that will be
              upgraded.
```

----------

## j-m

 *tparker wrote:*   

> It is very time consuming / troublesome each time to check through a whole list of dependencies just to upgrade one package - especially when half the time updates are only revision updates. (I often wonder how much electricity worldwide is wasted on re-compilation of packages en-masse by Gentoo systems).
> 
> 

 

Have you already heard about revdep-rebuild and perl-cleaner?  :Idea: 

----------

## labrador

Can anyone name one other service where the default level of security must be set through a USE variable?

If you want to build a tighter box by default, you set it up in a config file. Disable imap by default and add a comment encouraging secure. You should never require recompiling to achieve a security setting.

There are many of us that don't need arm twisting to make tighter security as it just doesn't apply. In my home LAN, I am not concerned with someone picking up passwords over the one hop between client and IMAP server. It just isn't going to happen. I should be able to use as many clear text authentication services as I feel like, without being forced to jump through hoops like this that have no precedent.

As for watching emerge builds for ewarnings, this continues to be a joke. No one watches this for the hours it sometimes takes to build a dozen or two of updates. It is a stupid concept. ewarnings have very little hope of being seen this way. They should always go to emerge.log or some more useful place.

Likewise, reading changelogs is seldom informative. It usually says things like "version bump", "moved to stable", and "fixed bug 34291". I'm not going to start scanning all that background noise for some important notice involving an ebuild that breaks all conventions of Gentoo practises.

----------

## j-m

 *labrador wrote:*   

> 
> 
> As for watching emerge builds for ewarnings, this continues to
> 
> be a joke.  No one watches this for the hours it sometimes
> ...

 

You don't have to watch for hours... See http://dev.gentoo.org/~eldad/  :Idea: 

Also, I don't see why reading changelog is seldom informative. It points you to the bugs where you can find out more... If you don't care to go and find there, then don't complain.

----------

## tparker

Changelog is seldom informative because it's not particularly easy to read. When you do 'emerge -uDpvl' on a given package, chances are you would get an extremely long stream of output as there would be several prerequisites and packages that also need updating. For many people they can't even scroll back far enough to read all the output on default terminal settings (though it works fine on OS X) - and even if they could the output itself isn't exactly well formatted and easy to read.

It's all very well to say one should do their research thoroughly before upgrading, but if Linux is ever to become a successful operating system it at least needs to give the users confidence that what they're using isn't effectively just one huge 'beta test' - which is the impression I often get sometimes. I personally use a Mac - you can fiddle with the console for those who want to dig deep, yet you've got a nice GUI for the average user. Gnome/KDE just doesn't come close. But it's not even about that - as with Windows and FreeBSD, for all the deficiencies of Windows (and I do dislike Windows), at the very least it's a co-ordinated development effort. With Linux I can't help but get the feeling that changes are made to certain packages sometimes 'on a whim' by one or two (a small handful in any case) people just because 'they feel like it'.

On the whole, such paranoid security settings should not be implemented out of the blue in the first place - but if it really is necessary, then surely there must be a better way to inform the user. For changes that are known to cause people problems, there should be a clearly visible warning message (and preferably a pause) when such a package is being upgraded. Something that would be noticed even with a basic 'emerge -u package' command.

Right now, I've lost count how many times I've had headaches over suddenly not working daemons on my Gentoo servers...

Terence

*Last edited by tparker on Mon Mar 07, 2005 12:32 pm; edited 1 time in total*

----------

## TerminalAddict

one more vote for "this sucks"

----------

## labrador

 *Quote:*   

> You don't have to watch for hours... See http://dev.gentoo.org/~eldad/ :Idea:
> 
> Also, I don't see why reading changelog is seldom informative. It points you to the bugs where you can find out more... If you don't care to go and find there, then don't complain.

 

enotice sounds great, but I'll wait until it becomes part of the OS. I want something that is maintained, not a one-off that might become obsolete or break more things. In other words, I should not have to hack up a solution to something basic that everyone should be using just as I don't have to hack emerge to run env-update and other things at the end of an emerge build.

As for changelogs, there is often, too often, little information on why a new release is made. I've given up looking there when I do my maintenance as it only makes me frustrated to have spent the energy. It isn't always associated with a bug report. This time it was, yes, but many other times I've learned critical stuff by reading the GWN or by searching the forums.

This is what many Gentoo developers don't seem to understand. If you want to see Gentoo boxes installed by the dozens in server rooms, you can't expect sysadmins to go through the same efforts that you do in maintaining your couple of dev machines.

----------

## dopey

 *ticho wrote:*   

> All I can say to this, is that those who blindly update production services deserve what they get. When upgrading a package, one really should have a look at what exactly is new, and decide to upgrade or not to upgrade. Gentoo even provides you with convenient ways to ignore a certain upgrade (package.mask).
> 
> Another thing - ewarn/einfo messages are meant to be read by the admin, and that's *YOU*.

 

I agree that those who blindly update production servers deserve what they get.  Additionally, I firmly believe gentoo is absolutely useless in a production server environment.  Don't get me wrong, I love gentoo and think it's the best option I have as an enthusiast's and developer's operating system, but if you're thinking people should check every package that gets updated to determine why and if it's worth applying then gentoo is never ever going to make it in a production server environment.  I run a server at work that's gentoo based.  My use flags are extremely minimal.  Even then, I update daily so I know what's going on.  In a real production server environment, who's going to update daily?  You're lucky to get weekly updates, monthly to quarterly are far far far more common.  Have you ever seen how many packages get updated on a monthly basis (even with minimal USE flags)?  Do you know how much time it'd take to go through every one of those packages, find out that the ChangeLogs are absolutely useless, and then have to read each ebuild and check the patches to see what was changed?  It won't happen.

The goal of an OS/distribution in terms of production servers should be to make things EASIER to maintain, not harder and more time consuming. 

Also, ewarn/einfo messages really useful when they scroll away.  Yes, there are things an admin could do to take care of this, but once again this fits into the realm of, Gentoo should do it better.

Someone reported this nearly 2 1/2 years ago:

https://bugs.gentoo.org/show_bug.cgi?id=11359

And we still don't have this feature.  IMO, this is a sign that Gentoo isn't anywhere NEAR ready for production server environments.

FYI, I have run production server environments in the past, I am currently a software developer for the architecture team of an enterprise level application (intended for deployment in enterprise production environments).  I am familiar with what it takes to run a production server, and I also am familiar with the time availability many sysadmins have, and the lack of necessary skills amongst junior production sysadmins, and gentoo is seriously lacking.  (On the other hand, as I said, I do run Gentoo in a "pseudo-production" environment).

Enough of my ranting, +1 vote for this sucks and Gentoo really needs a better way of announcing major changes like this.

----------

## mattman206

I agree.  +1 vote for "this stinks".  At least Gentoo has good forums where problems like this can usually be fixed in less than a day. :Shocked: 

I run a Gentoo server that has some important, although non-critical, services running like apache, exim, and uw-imapd.

When I update the server it usually goes something like this (right out of the book):

```
# emerge sync
# emerge -pv -u world
* shows list of packages that need updated, including uw-imap *
# emerge -u world
```

This last update stopped after the 2nd ebuild because of the mailbase-0.00-r8 problem that required manual moving of some /etc/pam.d/ files.  But once I fixed that (like the error messages instructed) everything emerged without a hitch (so I thought.)

After I ran etc-update, I noticed that IMAP just stopped working.  Originally I noticed that Squirrelmail wouldn't authenticate me, and had to get out telnet to port 143 and figure out why.

Nowhere was there an error message that the uw-imap package would be changing default functionality.  I see a few posts that say to look at the changelog for each package.  Unfortunately, this is simply not do-able.  There were 30+ packages that needed updated, and sifting through the changelogs for each one would have taken hours. 

There has to be a better way to do this.  Perhaps a warning for USE flags that change the default operation of a package would do the trick?  I don't know -- just throwing it out for discussion.
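
One way to catch a change like this before running `emerge -u world`, as an added example that is not part of the original post and not part of Portage: it scans `emerge -pv` output, in the format quoted in this thread, for watched USE flags and refuses to continue when one is found. The `WATCHED_FLAGS` list, the function names and the `app-misc/example` sample line are assumptions of the example; the uw-imap line is the one quoted in the thread.

```shell
#!/bin/sh
# USE flags that change what a network service accepts. "clearpasswd" comes
# from this thread; treating it as a watch list is this example's assumption.
WATCHED_FLAGS="clearpasswd"

# Reads `emerge -pv` output on stdin and prints one line per watched flag:
#   <category/package-version> <flag> <on|off>
watched_flags() {
    awk -v watched="$WATCHED_FLAGS" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^\[ebuild/ {
            # Drop the "[ebuild   R   ]" status field, then split the rest.
            rest = substr($0, index($0, "]") + 1)
            n = split(rest, f, " ")
            for (i = 2; i <= n; i++) {
                sign = substr(f[i], 1, 1)
                flag = substr(f[i], 2)
                if ((sign == "+" || sign == "-") && (flag in want))
                    print f[1], flag, (sign == "+" ? "on" : "off")
            }
        }'
}

# Returns 1 (and lists the hits on stderr) when any watched flag appears,
# so a wrapper script can stop and make the admin decide before upgrading.
review_gate() {
    hits=$(watched_flags)
    [ -z "$hits" ] && return 0
    printf 'review before upgrading:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample: the uw-imap line is quoted from the thread, the
# app-misc/example line is made up to show an unrelated upgrade.
sample_pretend_output() {
    cat <<'EOF'
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild     U ] app-misc/example-1.0 [0.9] +ssl -debug 0 kB
[ebuild   R   ] net-mail/uw-imap-2004c-r3  -clearpasswd -debug +ipv6 -kerberos -pic +ssl 0 kB
EOF
}

sample_pretend_output | watched_flags
```

In use, `emerge -pv -u world | review_gate && emerge -u world` would only proceed when no watched flag is involved.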

----------

## DarrenM

What a moronic use of USE flags. Apps should work by default when installed IMO. Having a USE flag for a higher level of security sure, but having to add one just to make it work is ridiculous.

I put this one up there with the classics like "dvd" and "cdparanoia".

----------

## dopey

 *DarrenM wrote:*   

> What a moronic use of USE flags. Apps should work by default when installed IMO. Having a USE flag for a higher level of security sure, but having to add one just to make it work is ridiculous.
> 
> I put this one up there with the classics like "dvd" and "cdparanoia".

 

USE flags have definitely deviated from just specifying dependency information.  Makes for confusion.  I can understand the extra security desires, but in this case, crippling something for security sake is silly.  Anyone who's trying to run an imap server SHOULD be capable of understanding the security ramifications.  If they can't, then well, they deserve to be bit.

 *mattman206 wrote:*   

> Nowhere was there an error message that the uw-imap package would be changing default functionality. I see a few posts that say to look at the changelog for each package. Unfortunately, this is simply not do-able. There were 30+ packages that needed updated, and sifting through the changelogs for each one would have taken hours.

 

To defend the gentoo guys, there was an ewarn in the ebuild noting this.   My biggest gripe is how horribly gentoo actually handles ewarn messages.

----------

