84
A good e-mail client for linux?
(feddit.it)
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
I landed on Claws Mail myself. It does look a bit dated, but the UI is functional and the client works. I'm content with it.
At first i thought, wow, cool they're still developing that? Doing a release or two a year, i see.
I used to use it long ago, and was pretty happy with it.
But looking closer now, what is going on with security there?! Sorry to be the bearer of probably bad news, but... 😬
The only three CVEs in their changelog are from 2007, 2010, and 2014, and none are specific to claws.Does that mean they haven't had any exploitable bugs? That seems extremely unlikely for a program written in C with the complexity that being an email client requires.
All of the recent changelog entries which sound like possibly-security-relevant bugs have seven-digit numbers prefixed with "CID", whereas the other bugs have four-digit bug numbers corresponding to entries in their bugzilla.
After a few minutes of searching, I have failed to figure out what "CID" means, or indeed to find any reference to these numbers outside of claws commit messages and release announcements. In any case, from the types of bugs which have these numbers instead of bugzilla entries, it seems to be the designation they are using for security bugs.
The effect of failing to register CVEs and issue security advisories is that downstream distributors of claws (such as the Linux distributions which the project's website recommends installing it from) do not patch these issues.
For instance, claws is included in Debian stable and three currently-supported LTS releases of Ubuntu - which are places where users could be receiving security updates if the project registered CVEs, but are not since they don't.
Even if you get claws from a rolling release distro, or build the latest release yourself, it looks like you'd still be lagging substantially on likely-security-relevant updates: there have actually been numerous commits containing CID numbers in the month since the last release.
If the claws developers happen to read this: thanks for writing free software, but: please update your FAQ to explain these CID numbers, and start issuing security advisories and/or registering CVEs when appropriate so that your distributors will ship security updates to your users!