On Thu, Apr 04, 2024 at 08:34:28PM +0200, Jörg-Volker Peetz wrote:
> in light of the recent xz security breach, I'd like to ask if it
> would be possible to rework systemd readiness notification and socket
> activation patches to not link against libsystemd as just achieved for
> the openssh-server package in version 1:9.7p1-4 ?
> This would avoid /usr/bin/dovecot being linked also to three compression
> libraries (liblz4, liblzma, libzstd) and to libgpg-error.

Yes, I believe this is reasonable. I believe the systemd upstream maintainers have just released an updated MIT-0 licensed example of the socket activation patches that avoids requiring libsystemd0. I'll see about adapting this patch to dovecot.

noah
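
The approach discussed in this thread, as an added example that is not part of the original messages and is not Dovecot's, OpenSSH's or systemd's own code: readiness notification and socket-activation detection done directly over the `NOTIFY_SOCKET` and `LISTEN_PID`/`LISTEN_FDS` environment-variable protocol, so the daemon needs no libsystemd linkage and pulls in none of its compression-library dependencies. The function names `notify_state` and `listen_fd_count` and the 1024 descriptor sanity bound are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: send a state string such as "READY=1" to $NOTIFY_SOCKET.
 * Returns 1 if sent, 0 if $NOTIFY_SOCKET is unset, negative errno on error. */
int notify_state(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    size_t plen;
    int fd, ret = 1;

    if (path == NULL || *path == '\0')
        return 0;
    plen = strlen(path);
    /* Only absolute paths and abstract sockets ('@' prefix) are accepted. */
    if ((path[0] != '/' && path[0] != '@') || plen >= sizeof(sa.sun_path))
        return -EINVAL;
    memcpy(sa.sun_path, path, plen);
    if (path[0] == '@')
        sa.sun_path[0] = '\0';      /* abstract namespace: leading NUL byte */
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    if (sendto(fd, state, strlen(state), 0, (struct sockaddr *)&sa,
               (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen)) < 0)
        ret = -errno;
    close(fd);
    return ret;
}

/* Hypothetical helper: number of listening sockets passed in, starting at
 * fd 3; 0 if $LISTEN_PID does not name this process (stale inherited env). */
int listen_fd_count(void)
{
    const char *pid = getenv("LISTEN_PID"), *fds = getenv("LISTEN_FDS");
    long n;

    if (pid == NULL || fds == NULL || strtol(pid, NULL, 10) != (long)getpid())
        return 0;
    n = strtol(fds, NULL, 10);
    return (n > 0 && n < 1024) ? (int)n : 0;   /* 1024: assumed sanity bound */
}
```

A daemon would call `notify_state("READY=1")` once its listeners are accepting connections, and would use descriptors 3 through 3 + `listen_fd_count()` - 1 instead of binding its own sockets when the count is non-zero.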