List:       imap
Subject:    re: What version to use? 2000c or 2001a?
From:       Mark Crispin <MRC () CAC ! Washington ! EDU>
Date:       2001-10-31 23:13:31

On Wed, 31 Oct 2001 22:03:00 GMT, Matt Baran wrote:
> We're still using a pre-2000a version of imapd and are looking at upgrading.

You should have upgraded a long time ago.  There have been three releases
(2000b, 2000c, and 2001) since 2000a.  Running a "pre-2000a version" is even
worse.

You are vulnerable (and have just publicly announced that vulnerability) to
any script kiddie who has an exploit for your old version.  I'm not saying
that there is an exploit for your old version; I don't confirm or deny.

Nevertheless, when I say that the recommended version is the version on:
	ftp://ftp.cac.washington.edu/mail/imap.tar.Z
and do not recommend any older versions, I say so for a reason.

Rumor to the contrary notwithstanding, I do not release updates out of a
sadistic desire to put people to work in upgrading and testing.  There is a
good reason behind every update.  The Internet is a very hostile place these
days.  It is no longer viable to defer upgrades.

The upgrade may fix a root-compromise security bug.  It may fix a more minor
security bug.  It may fix a denial-of-service problem, or interoperate better
with the latest version of Picosoft BlurdybloopMail that all the incoming
freshmen have on their combination VCR/Microwave/robot-pets.

One way or other, upgrades fix known problems.  The longer that you defer an
upgrade, the greater the risk to your site and the more traumatic the upgrade
will be.

You don't need to try development snapshots if the imap.tar.Z doesn't point to
them.  But you should try release candidates.  If the imap.tar.Z points to a
development snapshot, that indicates knowledge of a critical bug in the last
release version that forced its retirement.

> I notice that the current version is still listed as a release candidate and
> some of the more conservative factions here are leery about making the move
> to that version without knowing more about it.

That type of conservatism is a direct cause of release versions having bugs.

If you do not try the release candidate, you practically guarantee that you
will have problems with the release version.  By the time something becomes a
"release candidate", the only things that get changed are in response to
reports by people who tried the release candidate.

> The latest release notes I have found are a year old and for 2000a, is there
> a place to find changes/updates in the newest version, or a compelling
> reason to use it beside the somewhat vague answer of "bugfixes" ?

The release notes in the current release candidate are much newer than "a year
old".
