Using Ubuntu universe packages

Hi,

thanks a lot for creating Mail-in-a-Box. It looks like a promising alternative for my current mailserver setup.

I am concerned about Mail-in-a-Box using packages from Ubuntu universe. The Mail-in-a-Box setup installs a number of packages from Ubuntu’s “universe” repository [1]. According to Ubuntu, the packages from universe are not officially supported and may not receive security updates [2]. In my experience, even if a patch is available from Debian, Ubuntu wants additional testing to be performed by volunteers before applying Debian security updates to Ubuntu universe [3]. Therefore, I am a bit hesitant to use a system which uses a lot of packages from Ubuntu universe. That being said, I am not aware of any unfixed security issues in the universe packages used by Mail-in-a-box. What do you think about this?

Best regards,
Milan

[1] The following command lists packages not from “main” (i.e. universe, multiverse or something else):

for pkg in $(dpkg -l | grep ^ii | awk ‘{print $2}’); do fn="$(apt-cache show $pkg | grep ^Filename | awk ‘{print $2}’)"; echo “$fn” | grep -q /main/ || echo “$pkg”; done

On my Mail-in-a-box installation, 72 universe packages are installed.

[2] Ubuntu documentation: https://help.ubuntu.com/lts/serverguide/configuration.html

[3] https://bugs.launchpad.net/ubuntu/+source/lua-expat/+bug/1382229

Some of them provide core functionality… like python3-pip and dovecot-sqlite. Can’t get rid of those.

Would you consider moving to another distro in the long term because of the missing security updates?

I don’t have time to rebuild this project for another distro.