New release? 🤔

[kloczek]

cyrus-sasl-2.1.28...master shows +250 commits since last release which was +2 years ago.
Do you have any plans to release new version soon? 🤔

[dilyanpalauzov]

Same question at https://cyrus.topicbox.com/groups/devel/T66fe90bb03c0fd20/.

[Neustradamus]

I hope to see a new version before Debian 13 freeze.

[Neustradamus]

Dear @cyrusimap team, @rjbs, @@quanah, @hyc, @ksmurchison, @rsto, @brong, @ksuther, @xfbs, @minichma, @ajaysusarla, @bosim, @tntclaus, @elliefm, @robn, @tintou, @ajacoutot, @dbnicholson, @guimard, @landgraf, @dilyanpalauzov, @gnb, @suiryc, @wolfsage,

It is possible to have the new release build like it was requested several times by people?

• Cyrus SASL
• Cyrus IMAPD

We need improvements and a better security!

Thanks in advance.

[rjbs]

@Neustradamus At-ing every contributor you can think of us a good way to get blocked. Stop it.

[Neustradamus]

@rjbs: Sorry but people wait since 3 years (soon) a new cyrus-sasl with improvements and more security!

• Latest Cyrus-SASL 2.1.28 (2022-02-22)

Detail: I am not the author of this ticket.

In more, for example, some devs wait the new Cyrus-SASL build to add features in Cyrus-IMAPD.

We can cited @GuidoKiener for example with this PR who has done a good job (since 2023-12-16) with this PR and has answered quickly to cyrusimap team and more one year after, it has not been merged yet...

• RFC 9266: Channel Bindings for TLS 1.3 #4191 cyrus-imapd#4772

After Debian 13 (2025) which arrives after Debian 12 (2023), it will be Debian 14 (2027).

Security improvements since 2.1.28 has not price, it is really important.

Note: A lot of projects have already created new release builds recently before Debian 13 freeze.

[tintou]

@Neustradamus Please double check before doing so because I have nothing to do with this project

[mistotebe]

@Neustradamus since you are so keen to help 2.2 released, maybe the way to achieve it is by helping progress the tasks that are assigned to it? Have a look at the list here: https://github.com/cyrusimap/cyrus-sasl/milestone/5

[Neustradamus]

@mistotebe: I think that all which are not ready now, can be reported in another version.

2.2.0 is NOW needed (latest Cyrus-SASL 2.1.28 is very old, 2022-02-22, soon 3 years) before Debian 13 freeze, next Debian will be in 2027 in two years (if no 2.2.0 NOW, 5 years without security improvements? It is not possible! Security is important).

Please look here for example: https://www.bleepingcomputer.com/news/security/over-3-million-mail-servers-without-encryption-exposed-to-sniffing-attacks/

Note: Can you close this one like @GuidoKiener has requested if #823 is merged here:

• RFC 9266: Channel Bindings for TLS 1.3 support #742 (comment)

[Neustradamus]

@mistotebe and @cyrusimap team: Of course, a new Cyrus-IMAPD (2025) must have the new one Cyrus-SASL for security reasons.

[bgermann]

If you think there is an open security issue in Debian testing, please report it via the Debian Bug Tracking System. I do not think you are helping the cause here.

[Neustradamus]

@bgermann: Security changes are in master code :)
It is for this it is needed to create a new build!

@kloczek has published the link here, a lot of changes since 2022-02-22:

• cyrus-sasl-2.1.28...master

[bgermann]

@bgermann: Security changes are in master code :) It is for this it is needed to create a new build!

The thing is, the Debian package is heavily patched and should contain fixes for every publicly known security issue. If there is a specific one missing, please point to that.

[Neustradamus]

Do you know how many commits there are since 2.1.28 (2022-02-22)?

[GuidoKiener]

@Neustradamus since you are so keen to help 2.2 released, maybe the way to achieve it is by helping progress the tasks that are assigned to it? Have a look at the list here: https://github.com/cyrusimap/cyrus-sasl/milestone/5

@mistotebe : I already offered help here: https://cyrus.topicbox.com/groups/sasl/T9e94a007b3b4a95d/cyrus-sasl-2-2-0-release-date.
However I do not know who is the maintainer of this repo and the feedback is really silent.

[mistotebe]

@GuidoKiener, thanks for the offer, I would note that Cyrus SASL had been removed from the Cyrus IMAPD umbrella some time ago and so I think noone here saw it until now. We are tracking the items that we believe are blocking a 2.2.0 release here: https://github.com/cyrusimap/cyrus-sasl/milestone/5, it might be possible to defer some items to 2.2.1 but that would need to be discussed on a case-by-case basis.

If you or any one else want to help with triage, fixing, testing or advice, any of the above is welcome and that's how we get to a release sooner. We used to have a semi-regular call to coordinate but they fizzled out due to lack of participants, that could also be revived...

If you want me to highlight something specific, the build system is unhappy and Quanah hasn't had much luck with it yet: that's #705 and possibly #312

[GuidoKiener]

If you want me to highlight something specific, the build system is unhappy and Quanah hasn't had much luck with it yet: that's #705 and possibly #312

I see. I will try my luck with #705.

[Neustradamus]

Dear all,

Any progress?

It is possible to have the 2.1.19 or 2.2.0 release build?

We wait security improvements since 2.1.18 (2022-02-18), 3 years soon (in one month).

I will not wait 2027 to have in Debian 14, it will be better to have in Debian 13.
Security is very important, we must not wait for it.

Thanks in advance.