[pkg-go] Comments regarding prometheus-postfix-exporter_0.1.2-1_amd64.changes
Scott Kitterman
ftpmaster at ftp-master.debian.org
Sat Feb 2 07:28:18 GMT 2019

I am concerned that an external package using showq is going to be
problematic. Some excerpts from showq(8):

    The showq(8) daemon reports the Postfix mail queue status. The output is
    meant to be formatted by the postqueue(1) command, as it emulates the Sendmail
    `mailq' command.

    SECURITY
    The showq(8) daemon can run in a chroot jail at fixed low
    privilege, and takes no input from the client. Its service port is accessible
    to local untrusted users, so the service can be susceptible to denial of
    service attacks.

    STANDARDS
    None. The showq(8) daemon does not interact with the outside world.

We don't install showq on the system path for a reason.

How does this package make sure it doesn't DoS postfix?

Before we accept/reject this package, I'd appreciate some feedback on the
design. It's not obviously something that is appropriate for Debian.

Scott K