Bug 224245 - Merge Review: squirrelmail
Merge Review: squirrelmail
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jason Tibbitts
Fedora Package Reviews List
: 226432 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2007-01-24 15:25 EST by Warren Togami
Modified: 2014-11-21 13:43 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-02-24 18:26:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
tibbs: fedora‑review+
limburgher: fedora‑cvs+

Attachments (Terms of Use)

  None (edit)
Description Warren Togami 2007-01-24 15:25:05 EST
Requesting review in preparation for the Fedora merge.  This package is in a horrible, horrible mess, with language specific patches (more yet coming...) and a mass encoding change.  Fedora needs some serious help in merging these things upstream, and convincing upstream to handle the l10n encodings in a non-braindead way so we don't have to ship with these horrible ugly hacks.

Anybody want to be co-maintainer of this in F7?


Squirrelmail is a terrible IMAP webmail client that hasn't improved much at all in the past several years, yet we continue to ship it because we were unable to find anything better to repace it that is also simple and self contained. =(
Comment 1 Rex Dieter 2007-01-25 08:19:50 EST
> Squirrelmail is a terrible IMAP webmail client...

that's funny... I've heard very good things about http://www.roundcube.net/
Comment 2 Tomas 2007-01-27 07:21:14 EST
> that's funny... I've heard very good things about http://www.roundcube.net/

1. Licensed under GPL and bundles code incompatible with GPL.

2. implements features that are not implemented in SquirrelMail because they are
unstable and require too many safety checks. Roundcube implementation of output
character set does not include required safety checks.

3. Less stable than SquirrelMail.

4. Spell check depends on external third party API.

5. PHP array based translations. See horror stories of translation maintainers.

6. Heavy dependency on JavaScript.
Comment 3 Gianluca Sforna 2007-01-29 11:45:54 EST
(In reply to comment #1)
> > Squirrelmail is a terrible IMAP webmail client...
> that's funny... I've heard very good things about http://www.roundcube.net/

or ilohamail.org ?

Sticking to the review, since the default config gets login/passwords from the
regular accounts on the machine, whay don't you force SSL on the apache.conf file? 

I am regularly doing that on every new install by adding:

<Location /webmail>
Comment 4 Tomas 2007-01-29 11:50:45 EST
(In reply to comment #3)
> why don't you force SSL on the apache.conf file? 

Bug 183189 - RFE: Ship secure_login plugin by default.
Comment 5 Warren Togami 2007-01-29 11:56:37 EST
> <Location /webmail>
>  SSLRequireSSL
> </Location>

We can't add this because it would break existing users who upgrade their RPM. 
Is this acceptable?

Adding documentation with an example redirect to SSL syntax, and other HOWTO to
enable SSL, would be doable.
Comment 6 Gwyn Ciesla 2007-01-31 11:36:54 EST
Hi, I'm working on packaging roundcube.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225575  Which code is
Comment 7 Gwyn Ciesla 2007-01-31 12:36:43 EST
I found it, I think.  Roundcube ships Googiespell 2.1, which says it's MIT
Licensed, so that's fine.  The current is 3.4, which is GPL.

It also includes code Licensed under PHP License 3.0 and 2.02, which are GPL

Based on
I don't think any of this is a problem.  Has been posted to the roundcube bug.
Comment 8 Ruben Kerkhof 2007-02-03 10:23:56 EST
Changed Summary for the Big Merge
Comment 9 Jima 2007-02-08 13:27:47 EST
*** Bug 226432 has been marked as a duplicate of this bug. ***
Comment 10 Tomas 2007-02-11 02:50:06 EST
(In reply to comment #0)
> Requesting review in preparation for the Fedora merge.  This package is in a
horrible, horrible mess, with language specific patches (more yet coming...) and
a mass encoding change.  Fedora needs some serious help in merging these things
upstream, and convincing upstream to handle the l10n encodings in a
non-braindead way so we don't have to ship with these horrible ugly hacks.

When was the last time you have submitted your SquirrelMail patches to upstream?
I think Fedora SquirrelMail rpm contains several patches that are never
submitted to upstream. And you don't listen when upstream developer warns you
about uninitialized variables in your patches.

You assume that #195639 is specific to Japanese, but same thing happens in
Chinese and Korean. #195639 issue happens only when translation uses euc or gb
or big5 character sets. rawurlencode is needed, if CJK translation is used in utf-8.

You keep CJK translations in their original encodings, because "UTF-8 is
unrealistic". I think you haven't checked SquirrelMail extra decoding library
functions. euc-kr, gb2312 and big5 translations are unrealistic in RedHat,
because SquirrelMail does not support these charsets in encoding functions and
RedHat does not enable PHP extensions (#106755) that allow to implement CJK
encoding functions. If encoding functions are not implemented, you must write
more XTRA_CODE hacks for Chinese and Korean, because without those hacks replies
to gb2312-hz, iso-2022 and utf8 emails are broken in gb2312/big5 Chinese and
euc-kr Korean. UTF-8 is unrealistic only when you want to accept Chinese emails
with mime formating violations.

You ask to push patch to upstream in #209105, when in fact issue is caused by
smart B encoding in some other product. SquirrelMail does not make that type of
encoding decisions in B encoding.

> Squirrelmail is a terrible IMAP webmail client that hasn't improved...

And these words are coming from a person that does not cooperate with upstream
developers and hasn't moved a finger to push Fedora fixes to upstream.


One email about broken patches and one email by other person related to lack of
mbstring support in older redhat packages. Zero emails about #196017, #195639,
#195452, #194457, #194598.
Comment 11 Warren Togami 2007-02-12 20:38:28 EST
Thank you for explaining the source of our problems.  I was not aware of the
existence of the "extra decoding library" until recently.  I do not fully
understand the implications this yet, but I suspect we did things in a stupid
way in an attempt to workaround individual problems.  Additionally, I did not
have the priority or time to investigate deeply into this software.

I have to admit that my opinions about squirrelmail have been negatively colored
over the past years having been forced to add more and more ugly encoding hacks
to our package due to widespread complaints by our users.  Nobody had pointed me
at the "extra decoding library" and instead continued to pile more patches. 
This led me to believe (perhaps improperly) that squirrelmail was not evolving
to modern standards, hence my "terrible" comment.

To be honest, I still have a negative feeling about squirrelmail.  For years now
I've been wanting to remove it from Fedora and ship something else.  But I can
be convinced otherwise, if squirrelmail is capable of being standards compliant,
usable to users, and easy to maintain.

I need help.  I would like to undo the ugly hacks that we have included due to
our lack of understanding, and ship squirrelmail as close to upstream as
possible.  I guess the first step is to remove all the re-encoding stuff, add
the extra decoding library, and see if any of our patches are relevant for upstream.

Would you be interested to co-maintain the squirrelmail package within Fedora? 
We will soon have the ability to grant you commit and build access to the
package so that we can more easily work together in package maintainership.
Comment 12 Tomas 2007-02-13 13:44:33 EST
I have resigned from SquirrelMail development four months ago. Now I maintain
only Lithuanian SquirrelMail translation, plugins that I wrote and my own forked
SquirrelMail version. I don't have write access to SquirrelMail software
repository and can't push your updates.

I can provide patches similar to squirrelmail 1.4.8.utf8-1
and improve decoding functions for better CJK support, but these updates will
contain my copyrights. I won't assign copyrights to some other person or
organization, because I don't know how they will react when copyrights are violated.

I don't think that you will like me as maintainer. I will refuse to make core
code modifications that break MIME rfcs. See "when charset Does not exist" mails
on SquirrelMail devel mailing list. MIME violations are quite common. They will
be visible in interface which uses utf8 and not some default country's character

I strongly recommend talking to SquirrelMail devels and trying to push utf-8
updates to stable SquirrelMail 1.4 version or to some branch from 1.4.x.
SquirrelMail tracker has a bug report which can't be fixed without switching to
single interface character set.

I can help Fedora and SquirrelMail in maintenance of utf-8 SquirrelMail version,
if SquirrelMail developers respect my copyrights and updates are included in
some 1.4.x version. I will refuse to work on code included only in squirrelmail
1.5.x/2.x. SquirrelMail devels won't be able to add exemptions to current GPL
v.2 SquirrelMail license, if SquirrelMail HEAD branch contains my code written
after 2006-10-09.
Comment 13 Warren Togami 2007-06-15 12:57:32 EDT
mbacovsk@redhat.com is the new owner of squirrelmail.
Comment 14 Jason Tibbitts 2008-12-18 22:56:43 EST
Looks like mhlavink@redhat.com owns this package now, so I'll update the CC.  I've been staring at this, the very first merge review, for nearly two years now and would love to see it go away.  I'm not sure if I have what it takes to do a proper review of it, but I can at least look at the current packaging and make some comments.

First off, I wonder how much of the above discussion about Fedora's version being heavily patched is currently true.  I see only four patches applied; one is a one-liner, one is a set of translation changes for, I believe, Turkish, and the other two don't really patch in all that much (under fifteen lines each).  It would indeed be nice to include the upstream status of those patches in accordance with http://fedoraproject.org/wiki/Packaging/Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment but I'm just not seeing how our current version is significantly patched.  Maybe someone did some significant work on things in the last 18 months.  Or maybe the problem is with some of the locale tweaks that happen directly in the specfile.

It would also be nice to clean the patches up a bit, remove the unapplied patches from CVS and get rid of the commented-out bits of the spec where those patches used to be applied.

Here's what current rpmlint has to say about the src.rpm:

  37: E: prereq-use httpd, perl
Prereq: shouldn't be used; something is needed for a scriptlet, it should be
reflected in a fine-grained dependency like Requires(pre).  There are no
scriptlets here, so I think those should be regular runtime dependencies,
specified with Requires:.  Those happen to already be there, so I don't really
see the point in the Prereq: line.

  38: W: unversioned-explicit-provides squirrelmail-i18n
We always want to provide something with a version, because without one it
becomes impossible to ever provide a separate squirrelmail-i18n package.
However, is there anything which might actually depend on squirrelmail-i18n?
Why does it need to be provided by this package?

  217: E: use-of-RPM_SOURCE_DIR
Shouldn't this just refer to %{SOURCE1} instead?

  W: mixed-use-of-spaces-and-tabs (spaces: line 76, tab: line 76)
Nobody cares about this.  Fix it if you like.

and about the built noarch.rpm:

  W: non-standard-uid /var/lib/squirrelmail/prefs apache
  W: non-standard-gid /var/lib/squirrelmail/prefs apache
  E: non-standard-dir-perm /var/lib/squirrelmail/prefs 0700
  W: non-standard-uid /var/spool/squirrelmail/attach apache
  W: non-standard-gid /var/spool/squirrelmail/attach apache
  E: non-standard-dir-perm /var/spool/squirrelmail/attach 0700
  W: non-standard-gid /etc/squirrelmail/config.php apache
  E: non-readable /etc/squirrelmail/config.php 0640
  W: non-standard-gid /etc/squirrelmail/config_local.php apache
  E: non-readable /etc/squirrelmail/config_local.php 0640
  W: non-standard-gid /etc/squirrelmail/default_pref apache
  E: non-readable /etc/squirrelmail/default_pref 0640
  W: non-standard-gid /etc/squirrelmail/sqspell_config.php apache
  E: non-readable /etc/squirrelmail/sqspell_config.php 0640
These are all perfectly OK.

  E: htaccess-file
Generally it's a bad idea to use a .htaccess file in a package; better to put
such things in /etc/httpd/conf.d/squirrelmail.conf so the admin can see all of
the access restrictions in one place.  It's also common to disable htaccess
checks for reasons of speed.

  W: file-not-utf8 /usr/share/doc/squirrelmail-1.4.17/ChangeLog
It would be significantly better if anyone who gets this package would be able
to actually read the names in the ChangeLog, but such things tend to get messy
and bits in various different character sets are often added at different
times.  Fixing it is generally a manual procedure and needs to be coordinated
with upstream (because generally iconv can't fix these problems and carrying a
patch to the ChangeLog is pointless).  I don't think the package review is the
appropriate place to force that to happen.

  W: wrong-file-end-of-line-encoding
  W: wrong-file-end-of-line-encoding
These, however, should be fixed with a couple of quick calls to tr.

  E: zero-length
Why do we ship this?

  W: devel-file-in-non-devel-package
  E: non-executable-script /usr/share/squirrelmail/plugins/demo/getpot 0644
What are these for?  If they're not usable as is, perhaps they should be
removed from the actual squirrelmail installation and packaged as

That's it for rpmlint.  I'll look at the spec later if anyone is listening on the other end of this ticket.
Comment 15 Tomas 2008-12-19 00:05:37 EST
plugins/filters/bulkquery/bulkquery.c can be used to compile program, which used in non-default filters plugin configuration. In current stable it is not useful for packaged SquirrelMail versions, because people have to modify files in /usr/share/squirrelmail/plugins/filters/ in order to enable it.
Comment 16 Jason Tibbitts 2008-12-20 14:57:19 EST
That makes a pretty good case that the bulkquery and demo plugins should not be packaged where they are.  I don't see a problem with moving them to live with the documentation, or with just not packaging them at all.
Comment 17 Tomas 2008-12-20 15:40:11 EST
(In reply to comment #16)
> That makes a pretty good case that the bulkquery and demo plugins should not be
> packaged where they are.

You missed test plugin.
Comment 18 Michal Hlavinka 2008-12-27 06:55:08 EST
I'll look at this soon
Comment 19 Michal Hlavinka 2009-01-20 10:44:23 EST
first round done
rmplint squirrelmail.spec is quiet
rmplint squirrelmail-*-src.rpm is quiet

lot of not used/not useful/obsolete patches removed, some of them are not removed from cvs repository *for now*

rpmlint noarch/squirrelmail-*-noarch.rpm is little less verbose (just a little)

> htaccess-file

moved to squirrelmail.conf

> W: wrong-file-end-of-line-encoding
>   /usr/share/doc/squirrelmail-1.4.17/ReleaseNotes/1.4/Notes-1.4.12.txt
> W: wrong-file-end-of-line-encoding
>   /usr/share/doc/squirrelmail-1.4.17/ReleaseNotes/1.4/Notes-1.4.13.txt

fixed with sed in spec

> E: zero-length
>  /usr/share/squirrelmail/locale/es_ES/LC_MESSAGES/serversidefilter.po.new

removed in spec

>  W: devel-file-in-non-devel-package
>   /usr/share/squirrelmail/plugins/filters/bulkquery/bulkquery.c
>  E: non-executable-script /usr/share/squirrelmail/plugins/demo/getpot 0644

I still haven't decided what to do with these two... (not only demo/getpot but demo/*)

1) move to /usr/share/doc/squirrelmail
2) remove completely
3) move to subpackage


Tomas, if you could explain me (irc?) something about the utf-8 vs. CJK mess, it would be really appreciated. I've got this package with some fixes for CJK and that confuses me... I thought utf-8 should be able to handle it, so I'm little bit confused about all CJK workarounds/patches.
Comment 20 Tomas 2009-01-21 04:48:32 EST
(In reply to comment #19)
> Tomas, if you could explain me (irc?) something about the utf-8 vs. CJK mess,
> it would be really appreciated. I've got this package with some fixes for CJK
> and that confuses me... I thought utf-8 should be able to handle it, so I'm
> little bit confused about all CJK workarounds/patches.

If you need explanation about patches in squirrelmail-1.4.16-1.fc10.src.rpm, see information in bugzilla.

squirrelmail-1.4.6-japanese-multibyte-view-body.patch - RH bug #194457
squirrelmail-1.4.6-japanese-multibyte-view-text.patch - RH bug #195452
squirrelmail-1.4.6-zenkaku-subject-convert.patch - RH bug #196017

All patches written by RH/Fedora and information about them was never submitted to upstream. I can't explain why scripts are modified without seeing broken emails. zenkaku-subject-convert.patch might be needed because according to Wikipedia article on Katakana, hankaku (halfwidth form of katakana) is not supported by ISO-2022-JP.

If you need explanation why SquirrelMail Japanese translation works that way - it was written that way by third party (risumail.jp) contributors in SquirrelMail 1.3-dev branch. In SquirrelMail 1.4.4 and older utf-8 and charset conversion support was very simple and limited to message display. Only SquirrelMail 1.4.5 improved charset handling in compose. I suspect that risumail.jp just wanted to get things working and they did it in their own "works for us, lets ignore other part of the world" way.
Comment 21 Jason Tibbitts 2009-02-21 14:14:44 EST
This package looks quite a bit better now.

Regarding the stuff in the demo directory, I think any of those possibilities would work, although a subpackage is probably overkill.

Regarding the patches, it would be nice to document them somehow (at least adding comments to the spec referring to the above bugzilla tickets) but I'm not really sure it's within the scope of this review to insist that those remaining three patches be reconciled with upstream.  It would certainly be a good idea to work with upstream to somehow make them unnecessary, and of course Fedora is steadfastly against letting more of this kind of thing creep in (see http://fedoraproject.org/wiki/Packaging/Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment,  and http://fedoraproject.org/wiki/PackageMaintainers/WhyUpstream) but I recognize that there is some historical cruft that may not be simple to get rid of.

So really I'd say that if those patches were documented in the spec with links to the above bugzilla tickets, and something is done with the demo directory then I would consider the package OK.  I would still urge further work with upstream and perhaps the previous maintainers of this package to understand the patches and either get them sent upstream or dropped from the package.
Comment 22 Michal Hlavinka 2009-02-23 07:01:38 EST
new package: squirrelmail-1.4.17-2.fc11

* plugins/demo moved to /usr/share/doc/squirrelmail
* bugzila numbers for patches
* new patch for big UIDs and 32b systems - with upstream bugzilla link

I'm sorry for my slow response, but I have a lot of work now and I prefer to fix not working things first. Anyway, thanks for doing this review.

Comment 23 Jason Tibbitts 2009-02-24 18:26:45 EST
I don't think your response has been at all slow, especially compared with the speed of most merge reviews.  (I have some where I haven't been able to get a response for 18 months.)

I'll go ahead and do a full review now.  Honestly the only thing I can add is that that you can drop the versioned dependencies on php and tmpwatch, since the required versions have been present in every release as far back as I can see (FC1, at least).  Not really a big deal.

* source files match upstream.  sha256sum:

* package meets naming and versioning guidelines.
* specfile is properly named, is cleanly written and uses macros consistently.
* dist tag is present.
* build root is OK.
* license field matches the actual license.
* license is open source-compatible.
* license text included in package.
* latest version is being packaged.
* BuildRequires are proper.
* %clean is present.
* package builds in mock (rawhide, x86_64).
* package installs properly.
* rpmlint has acceptable complaints
* final provides and requires are sane:
   config(squirrelmail) = 1.4.17-2.fc11
   squirrelmail = 1.4.17-2.fc11
   config(squirrelmail) = 1.4.17-2.fc11
?  php >= 4.0.4
?  tmpwatch >= 2.8

* owns the directories it creates.
* doesn't own any directories it shouldn't.
* no duplicates in %files.
* file permissions are appropriate.
* no generically named files
* code, not content.
* documentation is small, so no -doc subpackage is necessary.
* %docs are not necessary for the proper functioning of the package.

APPROVED, and closed.  Thanks for your time.
Comment 24 Tomas 2009-02-25 00:03:30 EST
(In reply to comment #23)
> * final provides and requires are sane:
> ?  php >= 4.0.4
>    php-mbstring

mbstring extension was introduced in PHP 4.0.6.

SquirrelMail 1.4.x requires PHP 4.1.0 or better. Code has issues in php 4.0.x (some quirks with used objects) and last PHP 4.0.x compatibility code was removed in 1.4.11.
Comment 25 Michal Hlavinka 2009-02-25 03:31:31 EST
thanks for the review

rawhide, F10, F9 : 2.9.13
RHEL-3,4,5 : 2.8.4, 2.9.1, 2.9.7

rawhide, F10, F9 : 5.2.8
RHEL-3,4,5 : 4.3.2, 4.3.9, 5.1.6

I'll drop versioned dependencies, it seems versions are not needed anymore
Comment 26 Michal Hlavinka 2010-06-09 10:31:26 EDT
Package Change Request
Package Name: squirrelmail
New Branches: EL-6
Owners: mhlavink
Comment 27 Kevin Fenzi 2010-06-11 00:20:45 EDT
cvs done.
Comment 28 Michal Hlavinka 2014-11-21 13:35:15 EST
Package Change Request
Package Name: squirrelmail
New Branches: epel7
Owners: mhlavink
Comment 29 Gwyn Ciesla 2014-11-21 13:43:38 EST
Git done (by process-git-requests).

Note You need to log in before you can comment on or make changes to this bug.