[pkg-go] Comments regarding prometheus-postfix-exporter_0.1.2-1_amd64.changes

Scott Kitterman ftpmaster at ftp-master.debian.org
Sat Feb 2 07:28:18 GMT 2019


I am concerned that an external package using showq is going to be
problematic.  Some excerpts from showq(8):

The showq(8) daemon reports the Postfix mail queue status.  The output is
meant to be formatted by the postqueue(1) command, as it emulates the Sendmail
`mailq' command.

SECURITY
       The showq(8) daemon can run in a chroot jail at fixed low privilege,
       and takes no input from the client. Its service port is accessible
       to local untrusted users, so the service can be susceptible to denial
       of service attacks.

STANDARDS
       None. The showq(8) daemon does not interact with the outside world.

We don't install showq on the system path for a reason.

How does this package make sure it doesn't DOS postfix?

Before we accept/reject this package, I'd appreciate some feedback on the
design.  It's not obviously something that is appropriate for Debian.

Scott K




