Mercurial > docs > diploma
comparison thesis/tex/4-MasqmailsFuture.tex @ 318:426ad56236ce
small fixes and todo -> fixme
| author | meillo@marmaro.de |
|---|---|
| date | Wed, 21 Jan 2009 20:35:26 +0100 |
| parents | 3b7680af0ebe |
| children | 82496704f747 |
comparison
equal
deleted
inserted
replaced
| 317:3b7680af0ebe | 318:426ad56236ce |
|---|---|
| 42 \SMTP\ is the primary mail transport protocol today, but with the increasing need for new protocols (see section \ref{sec:what-will-be-important}) in mind, support for more than just \SMTP\ is good to have. New protocols will show up, maybe multiple protocols need to be supported then. This leads to multiple remote channels, one for each supported protocol as it was done in other \MTA{}s. Best would be interfaces to add further protocols as modules. | 42 \SMTP\ is the primary mail transport protocol today, but with the increasing need for new protocols (see section \ref{sec:what-will-be-important}) in mind, support for more than just \SMTP\ is good to have. New protocols will show up, maybe multiple protocols need to be supported then. This leads to multiple remote channels, one for each supported protocol as it was done in other \MTA{}s. Best would be interfaces to add further protocols as modules. |
| 43 | 43 |
| 44 | 44 |
| 45 Outgoing mail is commonly either sent using \SMTP, piped into local commands (for example \path{uucp}), or delivered locally by appending to a mailbox. Outgoing channels are similar for \qmail, \postfix, and \name{sendmail X}: All of them have a module to send mail using \SMTP, and one for writing into a local mailbox. | 45 Outgoing mail is commonly either sent using \SMTP, piped into local commands (for example \path{uucp}), or delivered locally by appending to a mailbox. Outgoing channels are similar for \qmail, \postfix, and \name{sendmail X}: All of them have a module to send mail using \SMTP, and one for writing into a local mailbox. |
| 46 | 46 |
| 47 %todo: is the def of MTA: transfer between machines, or transfer between users? | 47 %fixme: is the def of MTA: transfer between machines, or transfer between users? |
| 48 Local mail delivery is a job that uses root privilege to be able to switch to any user in order to write to his mailbox. It is possible to deliver without being root privilege, but delivery to user's home folders is not generally possible then. Thus even the modular \MTA{}s \qmail\ and \postfix\ use root privilege for it. As mail delivery to local users is \emph{not} included in the basic job of an \MTA{} and introduces a lot of new complexity, why should the \MTA\ bother? In order to keep the system simple, reduce privilege, and to have programs that do one job well, the local delivery job should be handed over to a specialist: the \NAME{MDA}. \NAME{MDA}s know about the various mailbox formats and are aware of the problems of concurrent write access and the like. Hence passing the message, and the responsibility for it, over to an \NAME{MDA} seems to be best. | 48 Local mail delivery is a job that uses root privilege to be able to switch to any user in order to write to his mailbox. It is possible to deliver without being root privilege, but delivery to user's home folders is not generally possible then. Thus even the modular \MTA{}s \qmail\ and \postfix\ use root privilege for it. As mail delivery to local users is \emph{not} included in the basic job of an \MTA{} and introduces a lot of new complexity, why should the \MTA\ bother? In order to keep the system simple, reduce privilege, and to have programs that do one job well, the local delivery job should be handed over to a specialist: the \NAME{MDA}. \NAME{MDA}s know about the various mailbox formats and are aware of the problems of concurrent write access and the like. Hence passing the message, and the responsibility for it, over to an \NAME{MDA} seems to be best. |
| 49 | 49 |
| 50 This means an outgoing connection that pipes mail into local commands is required. To other outgoing channels applies what was already said about incoming channels. | 50 This means an outgoing connection that pipes mail into local commands is required. To other outgoing channels applies what was already said about incoming channels. |
| 51 | 51 |
| 52 \begin{figure} | 52 \begin{figure} |
| 227 | 227 |
| 228 | 228 |
| 229 \subsection{Architecture} | 229 \subsection{Architecture} |
| 230 \label{sec:discussion-mta-arch} | 230 \label{sec:discussion-mta-arch} |
| 231 | 231 |
| 232 %todo: what's this section to do with requirements? | 232 %fixme: what's this section to do with requirements? |
| 233 | 233 |
| 234 \masqmail's current architecture is monolithic like \sendmail's and \exim's. But more than the other two, is it one block of interweaved code. \exim\ has a highly structured code with many internal interfaces, a good example is the one for authentication ``modules''. %fixme: add ref | 234 \masqmail's current architecture is monolithic like \sendmail's and \exim's. But more than the other two, is it one block of interweaved code. \exim\ has a highly structured code with many internal interfaces, a good example is the one for authentication ``modules''. %fixme: add ref |
| 235 \sendmail\ provides now, with its \name{milter} interface, standardized connection channels to external modules. | 235 \sendmail\ provides now, with its \name{milter} interface, standardized connection channels to external modules. |
| 236 \masqmail\ has none of them; it is what \sendmail\ was in the beginning: a single large block. | 236 \masqmail\ has none of them; it is what \sendmail\ was in the beginning: a single large block. |
| 237 | 237 |
| 333 In summary: Current reliability needs to be improved. | 333 In summary: Current reliability needs to be improved. |
| 334 %fixme: state machine | 334 %fixme: state machine |
| 335 | 335 |
| 336 \paragraph{\RG3: Robustness} | 336 \paragraph{\RG3: Robustness} |
| 337 The logging behavior of \masqmail\ is good, although it does not cover all problem situations. For example, if the queue directory is world writeable by accident (or as action of an intruder), any user can remove messages from the queue or replace them with own ones. \masqmail\ does not even write a debug message in this case. The origin of this problem, however, is \masqmail's trust in its environment. | 337 The logging behavior of \masqmail\ is good, although it does not cover all problem situations. For example, if the queue directory is world writeable by accident (or as action of an intruder), any user can remove messages from the queue or replace them with own ones. \masqmail\ does not even write a debug message in this case. The origin of this problem, however, is \masqmail's trust in its environment. |
| 338 %todo: rule of robustness, rule of repair | 338 %fixme: rule of robustness, rule of repair |
| 339 | 339 |
| 340 \paragraph{\RG4: Extendability} | 340 \paragraph{\RG4: Extendability} |
| 341 \masqmail's extendability is very poor. This is a general problem of monolithic software, but can thus be provided with high effort. \exim\ is an example for good extendability in a monolithic program. | 341 \masqmail's extendability is very poor. This is a general problem of monolithic software, but can thus be provided with high effort. \exim\ is an example for good extendability in a monolithic program. |
| 342 | 342 |
| 343 \paragraph{\RG5: Maintainability} | 343 \paragraph{\RG5: Maintainability} |
| 546 | 546 |
| 547 \subsubsection*{A guard against dead ends} | 547 \subsubsection*{A guard against dead ends} |
| 548 | 548 |
| 549 A new design does protect against such dead ends. | 549 A new design does protect against such dead ends. |
| 550 | 550 |
| 551 Changing requirements are one possible dead end if the software does not evolve with them. A famous example is \sendmail, which had an almost monopoly for a long time. But when security became important \sendmail\ was only repaired instead of removing the problem sources---its insecure design. Thus security problems reappeared and over the years \sendmail's market share shrank as more secure \MTA{}s became available. %fixme: declined ?? | 551 Changing requirements are one possible dead end if the software does not evolve with them. A famous example is \sendmail, which had an almost monopoly for a long time. But when security became important \sendmail\ was only repaired instead of removing the problem sources---its insecure design. Thus security problems reappeared and over the years \sendmail's market share shrank as more secure \MTA{}s became available. \sendmail's reaction to the new requirements, in form of \name{sendmail X} and \name{MeTA1}, came much to late---the users already switched to other \MTA{}s. Redesigning a software as requirements change helps keeping it alive. % fixme: add quote: ``one thing surely remains: change'' (something like that) |
| 552 \sendmail's reaction to the new requirements, in form of \name{sendmail X} and \name{MeTA1}, came much to late---the users already switched to other \MTA{}s. Redesigning a software as requirements change helps keeping it alive. % add quote: ``one thing surely remains: change'' (something like that) | |
| 553 | 552 |
| 554 Another danger is the dead end of complexity which is likely to appear by constantly working on the same code base. It is even more likely if the code base has a monolithic architecture. A good example for simplicity is \qmail\ which consists of small independent modules, each with only about one thousand lines of code. %fixme: proof | 553 Another danger is the dead end of complexity which is likely to appear by constantly working on the same code base. It is even more likely if the code base has a monolithic architecture. A good example for simplicity is \qmail\ which consists of small independent modules, each with only about one thousand lines of code. %fixme: proof |
| 555 Such simple code makes it obvious to understand what it does. The \name{suckless} project \citeweb{suckless.org} for example advertises such a philosophy of small and simple software by following the thoughts of the \unix\ inventors \cite{kernighan84} \cite{kernighan99}. Simple, small, and clear code avoids complexity and is thus also a strong prerequisite for security. | 554 Such simple code makes it obvious to understand what it does. The \name{suckless} project \citeweb{suckless.org} for example advertises such a philosophy of small and simple software by following the thoughts of the \unix\ inventors \cite{kernighan84} \cite{kernighan99}. Simple, small, and clear code avoids complexity and is thus also a strong prerequisite for security. |
| 556 | 555 |
| 557 | 556 |
| 575 | 574 |
| 576 Remarkable is the distribution of functional and non-functional requirements to the strategies. The strategies for current code (\St1+2) have a functional to non-functional ratio of 10 to 3. The new design strategy (\St3) has a ratio of 5 to 12. | 575 Remarkable is the distribution of functional and non-functional requirements to the strategies. The strategies for current code (\St1+2) have a functional to non-functional ratio of 10 to 3. The new design strategy (\St3) has a ratio of 5 to 12. |
| 577 | 576 |
| 578 This leaves current code to be better suited for adding functionality, and a new design to be better suited for quality improvements. Both strategies need to improve function as well as quality, but the difference determines the focus of the strategy. | 577 This leaves current code to be better suited for adding functionality, and a new design to be better suited for quality improvements. Both strategies need to improve function as well as quality, but the difference determines the focus of the strategy. |
| 579 | 578 |
| 580 Easier work is likely to be done earlier in Free Software projects than hard work. Thus by choosing \St1+2 volunteer developers tend to implement function first and delay quality improvements, no matter what the suggested order is. \St3 in contrast would support %fixme: beguenstigen | 579 Easier work is likely to be done earlier in Free Software projects than hard work. Thus by choosing \St1+2 volunteer developers tend to implement function first and delay quality improvements, no matter what the suggested order is. \St3 in contrast would benefit early quality improvements and later function improvements. This is real-life experience in Free Software development. |
| 581 early quality improvements and later function improvements. This is real-life experience in Free Software development. | |
| 582 | 580 |
| 583 | 581 |
| 584 | 582 |
| 585 | 583 |
| 586 | 584 |
| 591 | 589 |
| 592 In the short-time view, the effort for improving the existing code is much smaller than the effort for a new design plus improvements. But to have similar quality properties at the end of the short-time frame, a \masqmail\ that is based on current code will probably require nearly as much effort as a new designed \masqmail\ will take. For all further development afterwards, the new design will scale well while the old code will require exponential more work. | 590 In the short-time view, the effort for improving the existing code is much smaller than the effort for a new design plus improvements. But to have similar quality properties at the end of the short-time frame, a \masqmail\ that is based on current code will probably require nearly as much effort as a new designed \masqmail\ will take. For all further development afterwards, the new design will scale well while the old code will require exponential more work. |
| 593 | 591 |
| 594 In the long-time view, a restructuring for modularity is necessary anyway. The question is, when to do it: Right at the start in a new design, or later in some restructuring. | 592 In the long-time view, a restructuring for modularity is necessary anyway. The question is, when to do it: Right at the start in a new design, or later in some restructuring. |
| 595 | 593 |
| 596 %fixme: define exactly, be clear: what does break even here mean | 594 %fixme: define exactly, be clear: what does ``break even'' here mean |
| 597 | 595 |
| 598 | 596 |
| 599 | 597 |
| 600 \subsubsection*{The problem with ``good enough''} | 598 \subsubsection*{The problem with ``good enough''} |
| 601 | 599 |
| 652 \begin{enumerate} | 650 \begin{enumerate} |
| 653 \item The short-time plan: Add the most needed features, being encryption, authentication, and security wrappers, to the current code base. | 651 \item The short-time plan: Add the most needed features, being encryption, authentication, and security wrappers, to the current code base. |
| 654 \item The long-time plan: Design a new architecture that satisfies the modern requirements especially the quality requirements. | 652 \item The long-time plan: Design a new architecture that satisfies the modern requirements especially the quality requirements. |
| 655 \end{enumerate} | 653 \end{enumerate} |
| 656 | 654 |
| 657 The background thought is to first do the most needed stuff on the existing code to keep %fixme: erhalten | 655 The background thought is to first do the most needed stuff on the existing code to keep it usable. This satisfies the urgent needs and removes the time pressure from the development of the new design. After this is done, a new designed \masqmail\ should be developed from scratch. This is the work for the future. It shall, after it is usable and throughout tested, supersede the old \masqmail. |
| 658 it usable. This satisfies the urgent needs and removes the time pressure from the development of the new design. After this is done, a new designed \masqmail\ should be developed from scratch. This is the work for the future. It shall, after it is usable and throughout tested, supersede the old \masqmail. | 656 |
| 659 | 657 The basic idea is, regularly developing a new design from scratch while the current version is still in use and gets repaired. Hence a modern design will inherit an old one in regular intervals. This is a very future-proof concept that combines the best of both worlds. The price to pay is only the increased work which gets covered by volunteers that \emph{want} to do it. |
| 660 The basic idea is, regularly developing a new design from scratch while the current version is still in use and gets repaired. Hence a modern design will inherit an old one in regular intervals. This is a very future-proof concept that combines the best of both worlds. The price to pay is only the increased work which gets covered %fixme: uebernommen | |
| 661 by volunteers that \emph{want} to do it. | |
| 662 | 658 |
| 663 | 659 |
| 664 | 660 |
| 665 %fixme: move that sentence to the beginning of the next chapter? | 661 %fixme: move that sentence to the beginning of the next chapter? |
| 666 The following chapter describes approaches and techniques for the work on the current code base, and it introduces ideas and plans for a new, modern \MTA\ design the next generation of \masqmail. | 662 The following chapter describes approaches and techniques for the work on the current code base, and it introduces ideas and plans for a new, modern \MTA\ design the next generation of \masqmail. |