<p dir="ltr"><br>
On Oct 29, 2014 11:33 AM, "Miloslav Trmač" <<a href="mailto:mitr@redhat.com">mitr@redhat.com</a>> wrote:<br>
><br>
> ----- Original Message -----<br>
> > I created a new bug [1] that explains that ssmtp is sending all cron<br>
> > jobs output to an external SMTP server. I marked it as a security bug,<br>
> > the security tag was removed and it was recommended to make it public,<br>
> > something I can't do. I will resume the problem here, because there are<br>
> > comments that say that it isn't a security bug, I disagree:<br>
> ><br>
> > 1- Fedora 20 shipped with the feature of not running an SMTP server by<br>
> > default, I was fine with it because I don't need to send emails or<br>
> > receive emails locally using it.<br>
> ><br>
> > 2- an update pulled ssmtp<br>
> ><br>
> > Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64<br>
> > Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64<br>
> ><br>
> > 3- ssmtp is configured by default to send emails to a host named mail<br>
> ><br>
> > 4- If a cron job runs the email is sent to mail.[your.domain] without<br>
> > you ever configuring that.<br>
><br>
> This is certainly not a reasonable default configuration for Fedora.<br>
><br>
> While I think that it is not a reasonable default configuration for ssmtp at all, I could be persuaded otherwise; but in that case, it should never be installed by _anything_ that isn’t an explicit user’s choice (i.e. no dependencies direct or indirect, no comps group presence, and ideally/overzealously? an automated test that makes installing ssmtp in a default product configuration a release blocker).</p>
<p dir="ltr">Given that PackageKit can install things with minimal authentication, this seems fragile.</p>
<p dir="ltr">Why not change cron's default config instead?</p>
<p dir="ltr">--Andy</p>
<p dir="ltr">> Mirek</p>
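<p dir="ltr">An audit sketch for the behaviour discussed in this thread, added as an example and not part of the original messages or of any Fedora package: it reports which cron jobs would have their output relayed to the ssmtp mailhub, and where an unqualified name such as mail ends up once a DNS search domain is appended. The sample files, the search domain corp.example and all function names are constructed; the sketch only considers an explicit mailhub= line and treats MAILTO="" as disabling mail for the jobs that follow it.</p>

```python
import re

ENV_RE = re.compile(r'([A-Za-z_]\w*)\s*=\s*(.*)$')

# Constructed sample inputs (not taken from a real system).
SAMPLE_SSMTP_CONF = "# constructed sample\nroot=postmaster\nmailhub=mail\n"
SAMPLE_CRONTAB = (
    "# constructed sample\n"
    "0 3 * * * root /usr/local/bin/backup.sh\n"
    'MAILTO=""\n'
    "*/5 * * * * root /usr/local/bin/poll.sh\n"
)

def parse_mailhub(conf_text):
    """Return (host, port) from a mailhub= line, or None if there is none.
    Assumption of this sketch: the last mailhub line wins; no IPv6 literals."""
    hub = None
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].strip().partition("=")
        if sep and key.strip().lower() == "mailhub":
            host, _, port = value.strip().partition(":")
            hub = (host, int(port) if port else 25)
    return hub

def audit(conf_text, crontab_text, search_domains):
    """List (job line, candidate relay hosts) for jobs whose output is mailed."""
    hub = parse_mailhub(conf_text)
    findings, mailto = [], None      # mailto None: MAILTO never set
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        env = ENV_RE.match(line)
        if env:                      # environment assignment, not a job
            if env.group(1) == "MAILTO":
                mailto = env.group(2).strip("\"'")
            continue
        if mailto == "" or hub is None:
            continue                 # mail disabled, or no explicit mailhub
        host = hub[0]
        # A name without dots is completed from the resolver search list.
        targets = [host] if "." in host else [f"{host}.{d}" for d in search_domains]
        findings.append((line, targets))
    return findings

if __name__ == "__main__":
    for job, targets in audit(SAMPLE_SSMTP_CONF, SAMPLE_CRONTAB, ["corp.example"]):
        print(f"output of '{job}' would be relayed via {targets}")
```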