Mercurial > docs > diploma

comparison thesis/tex/4-MasqmailsFuture.tex @ 267:8a6b6d941bbb

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
added section about goal and did some rework
author meillo@marmaro.de
date Wed, 14 Jan 2009 21:40:38 +0100
parents b390fb627f10
children c80b6b6fb798
comparison
equal deleted inserted replaced
266:ea538a366b7d 267:8a6b6d941bbb
1 \chapter{\masqmail's present and future} 1 \chapter{\masqmail's present and future}
2 2
3 This chapter \dots %fixme write text here 3 This chapter identifies requirements for \masqmail\ which are compared against the current code to see what is already fulfilled and what is missing. Then the outstanding work is ordered by relevance and a list of tasks to do is created. The end of this chapter is the evaluation of the best development strategy to get the work done in order to achieve the requirements.
4 4
5 5
6 6 \section{The goal}
7 7
8 --- 8 Before requirements can be identified and further development can be discussed, it is important to clearly specify the goal to achieve. This means: What shall \masqmail\ be like, in, for instance, five years?
9 9
10 \textbf{Full featured or stripped down} 10 Should \masqmail\ become more specific to a more narrow niche, or rather become more general and move a bit out of its niche? Or should it even become a totally general \MTA, like \sendmail, \exim, \qmail, and \postfix\ are?
11 11
12 Here shows a misfit off: On the one hand does \masqmail\ want to be a \sendmail\ replacement. But on the other hand, is it not designed to be used like \sendmail. If \masqmail\ is inteded to replace other \MTA{}s, then one may replace another one with it. Hence it must be secure enough. It either needs the security features or must drop the unsecure funtionality. The second option, however, leads to being \emph{no} replacement for other \MTA{}s. It is a valid decision to not be a replacement for \sendmail\ or thelike, but this is a design decision---the change of a primary goal. 12 Becoming completely general seems to be no choice because the competitors are too many and they are already too strong. It would require a strong base of developers and superior features to the competitors. There seems to be no need for another general purpose \MTA\ amoung those four programs. Thus it would most likely remain a try. \person{Venema} stated ``It is becoming less and less likely that someone will write another full-featured Postfix or Sendmail \MTA\ \emph{from scratch} (100 kloc).'' \cite{venema:postfix-growth}. At least \masqmail\ is not going to try that.
13 13
14 If \masqmail\ should be an \MTA\ to replace others, a switch to a better suited architecture that provides good security and extendability by design, seems required. But if \masqmail\ is wanted to cover some special jobs, not to replace common \MTA{}s, then its architecture depends on the special requirements of the specific job; \MTA\ architectures, like discussed by \person{Hafiz}, may be inadequate. 14 \masqmail\ was intended to be small and to cover the niche of managing relay over several smart hosts. Small and resource friendly software is still important for workstations, home servers, and especially for embedded computers. Other software that focuses on the niche of managing relay over several smart hosts is not known. Dial-up connections have become rare but mobile computers moving between different networks are popular. So, the niche is still present.
15 15
16 What future is to choose for \masqmail---one to be a full featured \MTA, or one to be a stipped down \MTA\ for special jobs? 16 What has changed in general is the security that is needed for software. \person{Graff} and \person{van Wyk} describe the situation well: ``[I]n today's world, your software is likely to have to operate in a very hostile security environment.'' Additionally they say: ``By definition, mail software processes information from potentially untrusted sources. Therefore, mail software must be written with great care, even when it runs with user privileges and even when it does not talk directly to a network.'' \cite[page~33, page~90]{graff03}. As \masqmail\ is mail software and trusted environments become rare, it is best for \masqmail\ to become a secure \MTA.
17 17
18 The critical point to discuss upon is surely the listening on a port to accepte messages from outside via \NAME{SMTP} (herafter also refered to as the \NAME{SMTP}-in channel). This feature is required for an \MTA\ to be a \name{smart host}, to relay mail. But running as deamon and listening on a port requires much more security effort, because the program is put in direct contact with attackers and other bad guys. 18 In summary, the goal for \masqmail\ is to stay in the current niche with respect to modern usage scenarios, and to become a secure \MTA.
19 19
20 \MTA{}s without \SMTP-in channels can not receive mail from arbitrary outside hosts. They are only invoked by local users. This lowers the security need a lot---however, security is a general goal and still required, but on a lower level. Unfortunately, as they do not receive mail anymore (except by local submission), they are just better \name{forwarders} that are able to send mail directly to the destination. 20
21
22 This is not what \masqmail\ was intended to be. Programs that cover this purpose are available; one is \name{msmtp}.
23
24 \masqmail\ shall be a complete \mta. It shall be able to replace ones like \sendmail.
25
26 ---
27 21
28 22
29 23
30 24
31 \section{Requirements} 25 \section{Requirements}
32 \label{sec:mta-requirements} 26 \label{sec:mta-requirements}
33 27
34 This section identifies the requirements for a modern \masqmail. Most of them will apply to modern \MTA{}s in general. 28 This section identifies the requirements for \masqmail\ to reach the above defined goal. Most of the requirements will apply to modern \MTA{}s in general.
35 29
36 30
37 31
38 \subsection{Functional requirements} 32 \subsection{Functional requirements}
39 33
427 \item[S1:] Improve the current code base. 421 \item[S1:] Improve the current code base.
428 \item[S2:] Add wrappers or interposition filters. 422 \item[S2:] Add wrappers or interposition filters.
429 \item[S3:] Redesign the software from scratch and rebuild it. 423 \item[S3:] Redesign the software from scratch and rebuild it.
430 \end{enumerate} 424 \end{enumerate}
431 425
432 The first two strategies base on the available source code, and can be applied in combination. The third strategy abandonnes the old code and starts over again. Wrappers and interposition filters would then be outright included into the new architecture. 426 The first two strategies base on the available source code, and can be applied in combination. The third strategy splits from the old code base and starts over again. Wrappers and interposition filters would then be outright included into the new architecture. Parts of existing old code could be used if appropriate.
433 427
434 428
435 The requirements are now regarded, each on its own. Each one is linked to the development strategy that is prefered to reach the specific requirement. Some requirements may be well achievable by using different strategies, so they are linked to all of them. The order of the requirements in the list depend on their level of focus. This linking of strategies to the requirements is shown in table \ref{tab:strategies}. 429 The requirements are now regarded, each on its own. Each one is linked to the development strategy that is prefered to reach the specific requirement. Some requirements may be well achievable by using different strategies, so they are linked to all of them. The order of the requirements in the list depend on their level of focus. This linking of strategies to the requirements is shown in table \ref{tab:strategies}.
436 430
437 \begin{table} 431 \begin{table}
440 \end{center} 434 \end{center}
441 \caption{Development strategies and their suitability for requirements} 435 \caption{Development strategies and their suitability for requirements}
442 \label{tab:strategies} 436 \label{tab:strategies}
443 \end{table} 437 \end{table}
444 438
445 Implementing \TODO1 encryption and \TODO2 authentication, for example, are limited to a narrow region in the code. Such features are addable to the current code base without much problem. In contrast does adding support for new protocols or mail processing interfaces to external programs (\TODO5) require a lot of effort. Changes in many parts of the source code are required. It is a bad idea to implement large retro-fitted features into software that is critical about security and reliability, like \MTA{}s. Worse if these features need changes in the program's structure, like adding mail scanning interfaces (\TODO5) would do. 439
446 440 Next, the best strategy for further development needs to be discovered.
447 If such large features are needed, it is best to redesign the program's structure and rebuild it. A program's structure is primary its architecture. Which is the most influencing design decision, and has the greatest impact on the program's future capabilities. The architecture defines what the program can do, and how it can be used. If the architecture does not fit to the requirements, development will reach a dead end \dots\ further work then will make everything worse. The only good solution is to change the architecture, which, sadly but most likely, means a redesign from scratch. 441
442 Implementing \TODO1 encryption and \TODO2 authentication, for example, are limited to a narrow region in the code. Such features are addable to the current code base without much problem. In contrast does adding support for mail processing interfaces to external programs (\TODO5) or support for new protocols require a lot of effort. Changes in many parts of the source code are required. If such large features are needed, it is best to redesign the program's structure and rebuild it.
443
444 It is a bad idea to implement large retro-fitted features into software that is critical about security and reliability, like \MTA{}s. Worse if these features need changes in the program's structure, like adding mail scanning interfaces (\TODO5) would do. Quality properties, like security (\TODO3) and reliability (\TODO3), as well as extendability (\TODO6) and maintainability, can hardly be added afterwards---if at all.
445
446
447 A score for each strategy is obtained by summing up the focus points of each requirement for which a strategy is prefered. Herefore only positive focus points are regarded, with each plus symbol counting one. (Respecting negative focus points also leads to a similar result.)
448
449 Strategy 1 (Improve current code), gets a score of 9 points. Strategy 2 (Wrappers and interposition filters) has a score of 7 points. And strategy 3 (A new design) scores on top with 17 points. As \St1 and \St2 may be used in combination, a combined score is important to calculate. The combination has in total 13 points, but it is still beaten by \St3.
450
451 This leads to the conclusion, that S3 (A new design) is probably the best strategy for further development. But this conclusion respects only the view on requirements and their relevance. Other factors like development effort and risks are important to respect too. These issues are discussed in the following sections.
452
453
454
455
456
457 \subsubsection*{S3: A new design from scratch}
458
459 A program's structure is primary its architecture. Which is the most influencing design decision, and has the greatest impact on the program's future capabilities. The architecture defines what the program can do, and how it can be used. If the architecture does not fit to the requirements, development will reach a dead end \dots\ further work then will make everything worse. The only good solution is to change the architecture, which, sadly but most likely, means a redesign from scratch.
448 460
449 Quality properties, like security (\TODO3) and reliability (\TODO3), as well as extendability (\TODO6) and maintainability, can hardly be added afterwards---if at all. Only structural changes will improve them. Hence, if security, reliability, extendability (to add support for future mail transfer protocols), or maintainability shall be improved, a redesign of \masqmail\ is the only sane way to go. 461 Quality properties, like security (\TODO3) and reliability (\TODO3), as well as extendability (\TODO6) and maintainability, can hardly be added afterwards---if at all. Only structural changes will improve them. Hence, if security, reliability, extendability (to add support for future mail transfer protocols), or maintainability shall be improved, a redesign of \masqmail\ is the only sane way to go.
450
451
452
453 Next, the best strategy for further development needs to be discovered. The focus points of the requirements, for which a strategy is prefered, are summed up to obtain a score for the strategies. Herefor only positive focus points are regarded, with each plus symbol counting one. (Respecting negative focus points also leads to a similar result.)
454
455 S1: Improve current code, gets a score of 9 points. S2: Wrappers and interposition filters, has a score of 7 points. S3: New design, scores on top with 17 points. As S1 and S2 may be used in combination, a combined score is important to calculate. The combination has in total 13 points, but it is still beaten by S3.
456
457 This leads to the conclusion, that S3 (A new design) is the best strategy for further development, from this point of view.
458
459
460 \subsubsection*{S3: A new design from scratch}
461 462
462 However, a redesign and rewrite of software from scratch is hard. It takes time to design a new architecture, which then must prove it is secure and reliable. As well is much time and work needed to implement the design, test it, fix bugs, and so on. If flaws in the design appear during prototype implementation, it is necessary to start again. Thus the gain of a new design must overweight the effort needed. 463 However, a redesign and rewrite of software from scratch is hard. It takes time to design a new architecture, which then must prove it is secure and reliable. As well is much time and work needed to implement the design, test it, fix bugs, and so on. If flaws in the design appear during prototype implementation, it is necessary to start again. Thus the gain of a new design must overweight the effort needed.
463 464
464 \person{Wheeler}'s program \name{sloccount} calculates following estimations for \masqmail's code base as of version 0.2.21 (excluding library code): 465 \person{Wheeler}'s program \name{sloccount} calculates following estimations for \masqmail's code base as of version 0.2.21 (excluding library code):
465 466
513 514
514 515
515 516
516 517
517 518
518 \subsubsection*{A redesign from scratch} 519 \textbf{A redesign from scratch}
519 520
520 Security comes from good design, as \person{Graff} and \person{van Wyk} explain: 521 Security comes from good design, as \person{Graff} and \person{van Wyk} explain:
521 \begin{quote} 522 \begin{quote}
522 Good design is the sword and shield of the security-conscious developer. Sound design defends your application from subversion or misuse, protecting your network and the information on it from internal and external attacks alike. It also provides a safe foundation for future extensions and maintenance of the software. 523 Good design is the sword and shield of the security-conscious developer. Sound design defends your application from subversion or misuse, protecting your network and the information on it from internal and external attacks alike. It also provides a safe foundation for future extensions and maintenance of the software.
523 % 524 %
526 \end{quote} 527 \end{quote}
527 528
528 All this leads to the wish of a rewrite of \masqmail, using a modern, modular architecture, \emph{if} further features need to be added---features that require changes in \masqmail's structure. But a rewrite is also mandatory, if \masqmail\ should become a modern \MTA, with good quality properties. 529 All this leads to the wish of a rewrite of \masqmail, using a modern, modular architecture, \emph{if} further features need to be added---features that require changes in \masqmail's structure. But a rewrite is also mandatory, if \masqmail\ should become a modern \MTA, with good quality properties.
529 530
530 531
531 \subsubsection*{Further reasons for a new design} 532 \textbf{Further reasons for a new design}
532 533
533 impressing simplicity of qmail: only about 1000 SLOC per file (= about one module). It's obvious what it does. cf. suckless.org 534 impressing simplicity of qmail: only about 1000 SLOC per file (= about one module). It's obvious what it does. cf. suckless.org
534 535
535 536
536 do not try to safe obsolete stuff. This will not work (see sendmail). 537 do not try to safe obsolete stuff. This will not work (see sendmail).
557 Good design, concepts and philosophy gives users good feelings and faith for the software. They become interested in using it and to contribute. 558 Good design, concepts and philosophy gives users good feelings and faith for the software. They become interested in using it and to contribute.
558 559
559 560
560 561
561 The goal is good software. The wish to do good work is the motivation volunteers have. Work plans that lead to a good product will motivate volunteers to help with it. Hence more helpers may make the 2,5 man years for the new design, even become less absolute time than, few helping people that try to improve the existing code. 562 The goal is good software. The wish to do good work is the motivation volunteers have. Work plans that lead to a good product will motivate volunteers to help with it. Hence more helpers may make the 2,5 man years for the new design, even become less absolute time than, few helping people that try to improve the existing code.
563
564
565
566 \subsubsection*{S\,1 and S\,2: Improve old code and add wrappers}
567
568
569 FIXME
570
571
572
573
574
575
562 576
563 577
564 578
565 \section{Result} 579 \section{Result}
566 580