Mailspring #4962
Comments
It looks like it was deprecated from our repository with the reason:
Interesting, I know they have been working with a security team to get security up to where it should be. But I would be curious as to what the problem was and if it still exists.
Yeah, someone with more knowledge than myself would have to take a look and see what the current situation is. If it is deemed safe, I don't see why it couldn't be re-included. Someone else may have more input.
So I researched this a bit more and found the old security issue from their earlier versions, which was found and reported by Sonar. They were running on an outdated Electron version and had some open vulnerabilities, and at the time the project's development had slowed down. However, they did patch that and over the last year have really ramped up support and security patches. They have upgraded to the latest version of Electron and have brought on security experts to help on the security side. I have also run the code through static analysis and did not find anything dangerous at this time. That is obviously only a high-level test.
The issue is actually with the mailsync binary they use, which is what performs all of the fetching and syncing of mailboxes in the background. It uses absolutely ancient versions of various libraries, and this has not been improved at all since I reported it to them (Foundry376/Mailspring-Sync#9). For instance, it uses OpenSSL 1.1.0f, which was released in May of 2017.
The security issues Reilly has raised need to be fixed before this can be considered for inclusion.
Please confirm there isn't an open request for this package
Homepage
https://www.getmailspring.com
Maintainer
Why should this be included in the repository?
This is a solid email application that works better in some cases than Thunderbird due to its ability to handle multiple Exchange accounts, in an easy and direct manner. It brings a clean interface and offers options for users.
There is a third-party Flatpak that is not official. However, despite working with the maintainer, it does not work properly for many account types and is often behind the current version. There is a Snap version as well, but many people like to avoid Snaps on their system. The other official packages are RPM and Deb packages provided by the maintainer.
Are we allowed to redistribute it?
GPL v3
What kind of user will use this package, and how many users do you think will use this package?
Users with multiple email accounts and professional users who need a proper email client for Office 365 and others.
Link to source archive file
https://github.com/Foundry376/Mailspring/archive/refs/tags/1.15.1.tar.gz