[Pkg-roundcube-maintainers] Bug#960302: Bug#960302: imap retry must be tunable

Guilhem Mullion guilhem at debian.org
Sat May 23 02:57:26 BST 2020


Control: severity -1 important

Hi Sandro,

On Mon, 11 May 2020 at 18:34:06 +0200, Matus UHLAR - fantomas wrote:
> the imap retry patch added within bug 947320 locks my accounts when I enter
> invalid password.

Could you please have a look at this regression report?  You authored
the patch and my PHP-fu is failing me :-P  It should definitely not
retry the very same incorrect credentials.  Even on systems without
anti-bruteforce logic that locks the user out, Roundcube still takes 5
times longer to complain about a failed login — which is not
negligible when an expensive PBKDF is used for credential verification.

I think it's rather unfortunate that debian/patches/retry_to_reach_imap_server.patch
was AFAICT never submitted upstream and landed into stable through -p-u.
I dunno whether program/lib/Roundcube/rcube_imap.php:connect() has
access to the IMAP state machine to determine whether a greeting was
seen (AFAICT your intention was to retry on missing greeting lines, not
on NO/BYE greeting conditions let alone failed authentication attempts)
or to another interface returning whether the error is transient or not.
Either way it'd be good to have upstream's blessing before adopting such
patches to Debian :-)

Thanks!
cheers
-- 
Guilhem.
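
The retry policy the message asks for, as an added example that is not from the Debian patch or from Roundcube: retry only when no greeting line arrives, stop on any other non-OK greeting, and send the credentials exactly once. All function names, the callables and the five-attempt limit are assumptions for illustration, and the greeting lines are constructed.

```php
<?php
// Added example: hypothetical names throughout, not Roundcube's API.
const MAX_ATTEMPTS = 5; // assumed limit, matching the "5 times" in the message

/** Classify the first line read from the server (null = nothing received). */
function classify_greeting(?string $line): string
{
    if ($line === null || trim($line) === '') {
        return 'transient';   // no greeting seen: the only case worth retrying
    }
    if (preg_match('/^\* (OK|PREAUTH)\b/i', $line)) {
        return 'ready';       // server is up and talking IMAP
    }
    return 'permanent';       // NO/BYE or anything unexpected: do not retry
}

/**
 * $connect() returns the greeting line or null; $login() returns bool.
 * Returns [outcome, connection attempts, login attempts].
 */
function connect_with_retry(callable $connect, callable $login): array
{
    for ($attempt = 1; $attempt <= MAX_ATTEMPTS; $attempt++) {
        $state = classify_greeting($connect());
        if ($state === 'transient') {
            continue;         // reconnect; no credentials have been sent yet
        }
        if ($state === 'permanent') {
            return ['refused', $attempt, 0];
        }
        // Greeting seen: authenticate once and report the result as final,
        // so a wrong password never reaches the server a second time.
        return [$login() ? 'ok' : 'auth_failed', $attempt, 1];
    }
    return ['unreachable', MAX_ATTEMPTS, 0];
}

// Constructed scenario: two missing greetings, then a live server that
// rejects the password.
$greetings = [null, null, '* OK IMAP4rev1 ready'];
$logins = 0;
$result = connect_with_retry(
    function () use (&$greetings) { return array_shift($greetings); },
    function () use (&$logins) { $logins++; return false; }
);
echo implode(' ', $result), " logins_sent=$logins\n";
```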