Mercurial > docs > diploma
comparison thesis/tex/4-MasqmailsFuture.tex @ 392:b4611d4e1484
applied comments by henry atting
| author | meillo@marmaro.de |
|---|---|
| date | Sat, 07 Feb 2009 11:42:45 +0100 |
| parents | 16d8eacf60e1 |
| children | 6494832a798c |
comparison
equal
deleted
inserted
replaced
| 391:16d8eacf60e1 | 392:b4611d4e1484 |
|---|---|
| 85 \index{mail queue} | 85 \index{mail queue} |
| 86 Mail queuing removes the need to deliver instantly as a message is received. The queue provides fail-safe storage of mails until they are delivered. Mail queues are probably used in all \MTA{}s, even in some simple forwarders. The mail queue is essential for \masqmail, as \masqmail\ is intended for non-permanent online connections. This means, mail must be queued until a online connection is available to send the message. This may be after a reboot. Hence the mail queue must provide persistence. | 86 Mail queuing removes the need to deliver instantly as a message is received. The queue provides fail-safe storage of mails until they are delivered. Mail queues are probably used in all \MTA{}s, even in some simple forwarders. The mail queue is essential for \masqmail, as \masqmail\ is intended for non-permanent online connections. This means, mail must be queued until a online connection is available to send the message. This may be after a reboot. Hence the mail queue must provide persistence. |
| 87 \index{forwarder} | 87 \index{forwarder} |
| 88 \index{non-permanent} | 88 \index{non-permanent} |
| 89 | 89 |
| 90 The mail queue and the module(s) to manage it are the central part of the whole system. This demands especially for robustness and reliability, as a failure here can lead to mail loss. An \MTA\ takes over responsibility for mail by accepting it, hence loosing mail messages is absolutely to avoid. This covers any kind of crash situation too. The worst thing acceptable to happen is an already sent mail to be sent again. | 90 The mail queue and the module(s) to manage it are the central part of the whole system. This demands especially for robustness and reliability, as a failure here can lead to mail loss. An \MTA\ takes over responsibility for mail by accepting it, hence loosing mail messages is absolutely to avoid. This covers any kind of crash situation, too. The worst thing acceptable to happen is an already sent mail to be sent again. |
| 91 \index{reliability} | 91 \index{reliability} |
| 92 | 92 |
| 93 | 93 |
| 94 | 94 |
| 95 | 95 |
| 96 \paragraph{\RF3: Header sanitizing} | 96 \paragraph{\RF3: Header sanitizing} |
| 97 \label{rf3} | 97 \label{rf3} |
| 98 \index{header sanitizing} | 98 \index{header sanitizing} |
| 99 Mail coming into the system often lacks important header lines. At least the required ones must be added by the \MTA. One example is the \texttt{Date:} header, another is the, not required but recommended, \texttt{Message-ID:} header. Apart from adding missing headers, rewriting headers is important too. Changing the locally known domain part of email addresses to globally known ones is an example. \masqmail\ needs to be able to rewrite the domain part dependent on the route used to send the message, to prevent messages to get classified as spam. | 99 Mail coming into the system often lacks important header lines. At least the required ones must be added by the \MTA. One example is the \texttt{Date:} header, another is the, not required but recommended, \texttt{Message-ID:} header. Apart from adding missing headers, rewriting headers is important, too. Changing the locally known domain part of email addresses to globally known ones is an example. \masqmail\ needs to be able to rewrite the domain part dependent on the route used to send the message, to prevent messages to get classified as spam. |
| 100 \index{masqmail!online routes} | 100 \index{masqmail!online routes} |
| 101 | 101 |
| 102 Generating the envelope is a related job. The envelope specifies the actual recipient of the mail, no matter what the \texttt{To:}, \texttt{Cc:}, and \texttt{Bcc:} headers contain. Multiple recipients lead to multiple different envelopes, all containing the same mail message. | 102 Generating the envelope is a related job. The envelope specifies the actual recipient of the mail, no matter what the \texttt{To:}, \texttt{Cc:}, and \texttt{Bcc:} headers contain. Multiple recipients lead to multiple different envelopes, all containing the same mail message. |
| 103 | 103 |
| 104 | 104 |
| 132 \index{access restriction} | 132 \index{access restriction} |
| 133 | 133 |
| 134 This authentication based on \NAME{IP} addresses is impossible in situations where hosts with changing \NAME{IP} addresses, that are not part of a known sub net, need access. Then a authentication mechanism based on some \emph{secret} is required. Three common approaches exist: | 134 This authentication based on \NAME{IP} addresses is impossible in situations where hosts with changing \NAME{IP} addresses, that are not part of a known sub net, need access. Then a authentication mechanism based on some \emph{secret} is required. Three common approaches exist: |
| 135 | 135 |
| 136 \begin{enumerate} | 136 \begin{enumerate} |
| 137 \item \SMTP-after-\NAME{POP}: Uses authentication on the \NAME{POP} protocol to permit incoming \SMTP\ connections for a limited time afterwards. The variant \SMTP-after-\NAME{IMAP} exists too. | 137 \item \SMTP-after-\NAME{POP}: Uses authentication on the \NAME{POP} protocol to permit incoming \SMTP\ connections for a limited time afterwards. The variant \SMTP-after-\NAME{IMAP} exists, too. |
| 138 \index{auth!smtp-after-pop} | 138 \index{auth!smtp-after-pop} |
| 139 \item \SMTP\ authentication: An extension to \SMTP. It allows to request authentication before mail is accepted. Here no helper protocols are needed. | 139 \item \SMTP\ authentication: An extension to \SMTP. It allows to request authentication before mail is accepted. Here no helper protocols are needed. |
| 140 \index{auth!smtp-auth} | 140 \index{auth!smtp-auth} |
| 141 \item Certificates: The identity of a user or a host is confirmed by certificates that are signed by trusted authorities. Certificates are closely related to encryption, they do normally satisfy both needs: encrypt the data transmission and identify the remote user/host. | 141 \item Certificates: The identity of a user or a host is confirmed by certificates that are signed by trusted authorities. Certificates are closely related to encryption, they do normally satisfy both needs: encrypt the data transmission and identify the remote user/host. |
| 142 \index{certificates} | 142 \index{certificates} |
| 143 \end{enumerate} | 143 \end{enumerate} |
| 145 Static authentication is the preferred type for authenticating clients. It should be chosen if possible. This means if the \MTA\ resides within a trusted network or it is possible to define trusted network segments on basis of \NAME{IP} addresses, then static authentication is the best choice. | 145 Static authentication is the preferred type for authenticating clients. It should be chosen if possible. This means if the \MTA\ resides within a trusted network or it is possible to define trusted network segments on basis of \NAME{IP} addresses, then static authentication is the best choice. |
| 146 | 146 |
| 147 If the \MTA\ does its job in an untrusted network, if it can be expected that forged \NAME{IP} addresses will appear, or if mobile clients need access, then dynamic authentication should be used. | 147 If the \MTA\ does its job in an untrusted network, if it can be expected that forged \NAME{IP} addresses will appear, or if mobile clients need access, then dynamic authentication should be used. |
| 148 \index{untrusted environment} | 148 \index{untrusted environment} |
| 149 | 149 |
| 150 Any combination is possible too. For example, it is preferred to allow relay access only to authenticated users. Either clients in local networks which are authenticated by their \NAME{IP} addresses or remote clients that authenticate by a secret-based method. | 150 Any combination is possible, too. For example, it is preferred to allow relay access only to authenticated users. Either clients in local networks which are authenticated by their \NAME{IP} addresses or remote clients that authenticate by a secret-based method. |
| 151 | 151 |
| 152 Static authentication is simpler and requires less administration work but it has limitations. Dynamic authentication should be used if static authentication reaches its limits. At least one of the secret-based mechanisms should be supported. | 152 Static authentication is simpler and requires less administration work but it has limitations. Dynamic authentication should be used if static authentication reaches its limits. At least one of the secret-based mechanisms should be supported. |
| 153 | 153 |
| 154 | 154 |
| 155 | 155 |
| 255 \index{masqmail!security} | 255 \index{masqmail!security} |
| 256 | 256 |
| 257 | 257 |
| 258 \paragraph{\RG2: Reliability} | 258 \paragraph{\RG2: Reliability} |
| 259 \index{reliability} | 259 \index{reliability} |
| 260 Reliability is the second essential quality property for an \MTA. Mail for which the \MTA\ took responsibility must never get lost while it is within the \MTA's responsibility. The \MTA\ must not be \emph{the cause} of any mail loss, no matter what happens. Unreliable \MTA{}s are of no value. However, as the mail transport infrastructure is a distributed system, one of the communication partners or the transport medium may crash at any time during mail transfer. Thus reliability is needed for mail transfer communication too. | 260 Reliability is the second essential quality property for an \MTA. Mail for which the \MTA\ took responsibility must never get lost while it is within the \MTA's responsibility. The \MTA\ must not be \emph{the cause} of any mail loss, no matter what happens. Unreliable \MTA{}s are of no value. However, as the mail transport infrastructure is a distributed system, one of the communication partners or the transport medium may crash at any time during mail transfer. Thus reliability is needed for mail transfer communication, too. |
| 261 \index{mail loss} | 261 \index{mail loss} |
| 262 | 262 |
| 263 The goal is to transfer exactly one copy of the message. \person{Tanenbaum} evaluates the situation and comes to the conclusion that ``in general, there is no way to arrange this.'' \cite[pages~377--379]{tanenbaum02}. Only strategies where no mail gets lost are acceptable; he identifies three of them, but one generates more duplicates than the others, so two strategies remain. (1) The client always reissues the transfer. The server first sends an acknowledgment and then handles the transfer. (2) The client reissues the transfer only if no acknowledgment was received. The server first handles the transfer and sends the acknowledgment afterwards. The first strategy does not need acknowledgments at all, however, it will lose mail if the second transfer fails too. | 263 The goal is to transfer exactly one copy of the message. \person{Tanenbaum} evaluates the situation and comes to the conclusion that ``in general, there is no way to arrange this.'' \cite[pages~377--379]{tanenbaum02}. Only strategies where no mail gets lost are acceptable; he identifies three of them, but one generates more duplicates than the others, so two strategies remain. (1) The client always reissues the transfer. The server first sends an acknowledgment and then handles the transfer. (2) The client reissues the transfer only if no acknowledgment was received. The server first handles the transfer and sends the acknowledgment afterwards. The first strategy does not need acknowledgments at all, however, it will lose mail if the second transfer fails, too. |
| 264 | 264 |
| 265 Hence, mail transfer between two processes should use the strategy: The client reissues if it receives no acknowledgment. The server first handles the message and then sends the acknowledgment. This strategy only leads to duplicates if a crash happens in the time between the message is fully transferred to the server and the acknowledgment is received by the client. No mail will get lost. | 265 Hence, mail transfer between two processes should use the strategy: The client reissues if it receives no acknowledgment. The server first handles the message and then sends the acknowledgment. This strategy only leads to duplicates if a crash happens in the time between the message is fully transferred to the server and the acknowledgment is received by the client. No mail will get lost. |
| 266 \index{duplicates} | 266 \index{duplicates} |
| 267 | 267 |
| 268 | 268 |
| 271 Being robust means handling errors properly. Small errors may get corrected, large errors may kill a process. Killed processes should get restarted automatically and lead to a clean state again. Log messages should be written in every case. Robust software does not need a special environment, it creates a friendly environment itself. \person{Raymond}'s \name{Rule of Robustness} and his \name{Rule of Repair} are good descriptions \cite[pages~18--21]{raymond03}. | 271 Being robust means handling errors properly. Small errors may get corrected, large errors may kill a process. Killed processes should get restarted automatically and lead to a clean state again. Log messages should be written in every case. Robust software does not need a special environment, it creates a friendly environment itself. \person{Raymond}'s \name{Rule of Robustness} and his \name{Rule of Repair} are good descriptions \cite[pages~18--21]{raymond03}. |
| 272 | 272 |
| 273 | 273 |
| 274 \paragraph{\RG4: Extendability} | 274 \paragraph{\RG4: Extendability} |
| 275 \index{extendability} | 275 \index{extendability} |
| 276 \masqmail's architecture needs to be extendable to allow new features to be added afterwards. The reasons for this need are the changing requirements. New requirements will appear, like more efficient mail transfer of large messages or a final solution for spam problem. Extendability is the ability of software to include new function with little work. | 276 \masqmail's architecture needs to be extendable to allow new features to be added afterwards. The reasons for this need are the changing requirements. New requirements will appear, like more efficient mail transfer of large messages or a final solution to the spam problem. Extendability is the ability of software to include new function with little work. |
| 277 | 277 |
| 278 | 278 |
| 279 \paragraph{\RG5: Maintainability} | 279 \paragraph{\RG5: Maintainability} |
| 280 \index{maintainability} | 280 \index{maintainability} |
| 281 Maintaining software takes much time and effort. \person{Spinellis} guesses ``40\,\% to 70\,\% of the effort that goes into a software system is expended after the system is written first time.'' \cite[page~1]{spinellis03}. This work is called \emph{maintaining}. Hence making software good to maintain will ease all further work. | 281 Maintaining software takes much time and effort. \person{Spinellis} guesses ``40\,\% to 70\,\% of the effort that goes into a software system is expended after the system is written first time.'' \cite[page~1]{spinellis03}. This work is called \emph{maintaining}. Hence making software good to maintain will ease all further work. |
| 403 \index{online routes} | 403 \index{online routes} |
| 404 Querying the name of the active route is done on delivery. Headers can get rewritten a second time then. This part does provide all the functionality required. | 404 Querying the name of the active route is done on delivery. Headers can get rewritten a second time then. This part does provide all the functionality required. |
| 405 | 405 |
| 406 \paragraph{\RF6: Authentication} | 406 \paragraph{\RF6: Authentication} |
| 407 \index{auth} | 407 \index{auth} |
| 408 Static authentication, based on \NAME{IP} addresses, can be achieved with \person{Venema}'s \NAME{TCP} \name{Wrapper} \cite{venema92}, by editing the \path{hosts.allow} and \path{hosts.deny} files. This is only relevant to authenticate host that try to submit mail into the system. Dynamic (secret-based) \SMTP\ authentication is already supported in form of \NAME{SMTP-AUTH} and \SMTP-after-\NAME{POP}, but only for outgoing connections. For incoming connections only address-based authentication is supported. | 408 Static authentication, based on \NAME{IP} addresses, can be achieved with \person{Venema}'s \NAME{TCP} \name{Wrapper} \cite{venema92}, by editing the \path{hosts.allow} and \path{hosts.deny} files. This is only relevant to authenticate hosts that try to submit mail into the system. Dynamic (secret-based) \SMTP\ authentication is already supported in form of \NAME{SMTP-AUTH} and \SMTP-after-\NAME{POP}, but only for outgoing connections. For incoming connections only address-based authentication is supported. |
| 409 \index{auth!smtp-after-pop} | 409 \index{auth!smtp-after-pop} |
| 410 \index{auth!smtp-auth} | 410 \index{auth!smtp-auth} |
| 411 | 411 |
| 412 \paragraph{\RF7: Encryption} | 412 \paragraph{\RF7: Encryption} |
| 413 \index{enc} | 413 \index{enc} |
| 431 \paragraph{\RG1: Security} | 431 \paragraph{\RG1: Security} |
| 432 \index{security} | 432 \index{security} |
| 433 \masqmail's current security is bad. However, it seems acceptable for using \masqmail\ on workstations and private networks, if the environment is trustable and \masqmail\ is protected against remote attacks. In environments where untrusted components or persons have access to \masqmail, its security is too low. Its author states that \masqmail\ ``is not designed to'' such usage \citeweb{masqmail:homepage2}. This is a clear indicator for being careful. Issues like high memory consumption, low performance, and denial-of-service attacks---things not regarded by design---may cause serious problems. In any way, a security report that confirms \masqmail's security level is missing. | 433 \masqmail's current security is bad. However, it seems acceptable for using \masqmail\ on workstations and private networks, if the environment is trustable and \masqmail\ is protected against remote attacks. In environments where untrusted components or persons have access to \masqmail, its security is too low. Its author states that \masqmail\ ``is not designed to'' such usage \citeweb{masqmail:homepage2}. This is a clear indicator for being careful. Issues like high memory consumption, low performance, and denial-of-service attacks---things not regarded by design---may cause serious problems. In any way, a security report that confirms \masqmail's security level is missing. |
| 434 \index{masqmail!security} | 434 \index{masqmail!security} |
| 435 | 435 |
| 436 \masqmail\ uses conditional compilation to exclude unneeded functionality from the executable at compile time. Excluding code means excluding all bugs and weaknesses within this code too. Excluding unused code is a good concept to improve security. | 436 \masqmail\ uses conditional compilation to exclude unneeded functionality from the executable at compile time. Excluding code means excluding all bugs and weaknesses within this code, too. Excluding unused code is a good concept to improve security. |
| 437 \index{conditional compilation} | 437 \index{conditional compilation} |
| 438 | 438 |
| 439 \paragraph{\RG2: Reliability} | 439 \paragraph{\RG2: Reliability} |
| 440 \index{reliability} | 440 \index{reliability} |
| 441 Its reliability is also not good enough. Situations where only one part of a sent message was removed from the queue and the other part remained as garbage, showed off \citeweb{debian:bug245882}. Problems with large mail messages in conjunction with small bandwidth were also reported \citeweb{debian:bug216226}. Fortunately, lost email was no big problem yet, but \person{Kurth} warns: | 441 Its reliability is also not good enough. Situations where only one part of a sent message was removed from the queue and the other part remained as garbage, showed off \citeweb{debian:bug245882}. Problems with large mail messages in conjunction with small bandwidth were also reported \citeweb{debian:bug216226}. Fortunately, lost email was no big problem yet, but \person{Kurth} warns: |
| 527 Authentication of incoming \SMTP\ connections is also highly needed and should be added second. It is important to restrict access and to prevent relaying. For workstations and local networks, this has only medium importance and address-based authentication is sufficient in most times. But secret-based authentication is mandatory to receive mail from the Internet. Additionally it is a guard against spam. | 527 Authentication of incoming \SMTP\ connections is also highly needed and should be added second. It is important to restrict access and to prevent relaying. For workstations and local networks, this has only medium importance and address-based authentication is sufficient in most times. But secret-based authentication is mandatory to receive mail from the Internet. Additionally it is a guard against spam. |
| 528 | 528 |
| 529 | 529 |
| 530 \subsubsection*{\TODO3: Security (\RG1)} | 530 \subsubsection*{\TODO3: Security (\RG1)} |
| 531 \index{security} | 531 \index{security} |
| 532 \masqmail's security is bad, thus the program is forced into a limited field of operation. This field of operation even shrinks as security becomes more important and networking and interaction increases. Secure and trusted environment become rare, thus improving security is an important thing to do. The focus should be on adding compartments to split \masqmail\ into separate modules. (See section~\ref{sec:discussion-mta-arch}.) Further more should \masqmail's security be tested throughout to get a definitive view how good it really is and where the weak spots are. | 532 \masqmail's security is bad, thus the program is forced into a limited field of operation. This field of operation even shrinks as security becomes more important and networking and interaction increases. Secure and trusted environment become rare, thus improving security is an important thing to do. The focus should be on adding compartments to split \masqmail\ into separate modules. (See section~\ref{sec:discussion-mta-arch}.) Furthermore, \masqmail's security should be tested throughout to get a definitive view how good it really is and where the weak spots are. |
| 533 \index{modularity} | 533 \index{modularity} |
| 534 | 534 |
| 535 | 535 |
| 536 \subsubsection*{\TODO4: Reliability (\RG2)} | 536 \subsubsection*{\TODO4: Reliability (\RG2)} |
| 537 \index{reliability} | 537 \index{reliability} |
| 596 | 596 |
| 597 Strategy 1 (Improve current code) has a score of 9 points. Strategy 2 (Wrappers and interposition filters) has a score of 7 points. Strategy 3 (A new design) scores on top with 17 points. S\,1 and S\,2 can be used in combination; the combined score is 13 points. Thus strategy 3 ranges first, followed by the combination of strategy 1 and 2. | 597 Strategy 1 (Improve current code) has a score of 9 points. Strategy 2 (Wrappers and interposition filters) has a score of 7 points. Strategy 3 (A new design) scores on top with 17 points. S\,1 and S\,2 can be used in combination; the combined score is 13 points. Thus strategy 3 ranges first, followed by the combination of strategy 1 and 2. |
| 598 | 598 |
| 599 This leads to the conclusion that S\,3 (A new design) is probably the best strategy for further development. | 599 This leads to the conclusion that S\,3 (A new design) is probably the best strategy for further development. |
| 600 | 600 |
| 601 But this result respects only the view on requirements and their relevance. Other factors like development effort and risks are important to think about too. These issues are discussed in the following sections, comparing S\,3 against the combination S\,1+2. | 601 But this result respects only the view on requirements and their relevance. Other factors like development effort and risks are important to think about, too. These issues are discussed in the following sections, comparing S\,3 against the combination S\,1+2. |
| 602 | 602 |
| 603 | 603 |
| 604 | 604 |
| 605 | 605 |
| 606 | 606 |
| 612 | 612 |
| 613 | 613 |
| 614 \subsubsection*{Quality improvements} | 614 \subsubsection*{Quality improvements} |
| 615 \index{quality improvement} | 615 \index{quality improvement} |
| 616 | 616 |
| 617 Most quality properties can hardly be added afterwards. Hence, if reliability, extendability, or maintainability shall be improved, a redesign of \masqmail\ is the best way to take. The wish to improve quality inevitably point towards a modular architecture. Modularity with internal and external interfaces is highly preferred from the architectural point of view (see section~\ref{sec:discussion-mta-arch}). The need for further features, especially ones that require changes in \masqmail's structure, support the decision for a new design, too. Hence a rewrite is favored if \masqmail\ should become a modern \MTA\ with good quality properties. | 617 Most quality properties can hardly be added afterwards. Hence, if reliability, extendability, or maintainability shall be improved, a redesign of \masqmail\ is the best way to take. The wish to improve quality, inevitably point towards a modular architecture. Modularity with internal and external interfaces is highly preferred from the architectural point of view (see section~\ref{sec:discussion-mta-arch}). The need for further features, especially ones that require changes in \masqmail's structure, support the decision for a new design, too. Hence a rewrite is favored if \masqmail\ should become a modern \MTA\ with good quality properties. |
| 618 \index{modularity} | 618 \index{modularity} |
| 619 | 619 |
| 620 | 620 |
| 621 | 621 |
| 622 \subsubsection*{Security} | 622 \subsubsection*{Security} |
| 652 | 652 |
| 653 \codeinput{input/masqmail-sloccount.txt} | 653 \codeinput{input/masqmail-sloccount.txt} |
| 654 | 654 |
| 655 The development costs in money are not relevant for a Free Software project with volunteer developers, but the development time is. About 24 man-months are estimated. The current code base was written almost completely by \person{Oliver Kurth} within four years in his spare time. This means he needed around twice as much time. Of course, he programmed as a volunteer developer not as an employee with eight work-hours per day. | 655 The development costs in money are not relevant for a Free Software project with volunteer developers, but the development time is. About 24 man-months are estimated. The current code base was written almost completely by \person{Oliver Kurth} within four years in his spare time. This means he needed around twice as much time. Of course, he programmed as a volunteer developer not as an employee with eight work-hours per day. |
| 656 | 656 |
| 657 Given the assumptions that (1) an equal amount of code needs to be produced for a new designed \masqmail, (2) a third of the existing code can be reused plus concepts and knowledge, and (3) development speed is like \person{Kurth}'s, then it would take between two and three years for one programmer to produce a redesigned new \masqmail\ with the same features that \masqmail\ now has. Less time would be needed if a simpler architecture allows faster development, better testing, and less bugs. Of course more developers would speed it up too. | 657 Given the assumptions that (1) an equal amount of code needs to be produced for a new designed \masqmail, (2) a third of the existing code can be reused plus concepts and knowledge, and (3) development speed is like \person{Kurth}'s, then it would take between two and three years for one programmer to produce a redesigned new \masqmail\ with the same features that \masqmail\ now has. Less time would be needed if a simpler architecture allows faster development, better testing, and less bugs. Of course, more developers would speed it up, too. |
| 658 | 658 |
| 659 | 659 |
| 660 | 660 |
| 661 | 661 |
| 662 \subsubsection*{Risks} | 662 \subsubsection*{Risks} |
| 689 | 689 |
| 690 | 690 |
| 691 \subsubsection*{Repairing} | 691 \subsubsection*{Repairing} |
| 692 \index{reparing} | 692 \index{reparing} |
| 693 | 693 |
| 694 Besides these advantages of existing code, one must not forget that further work on it is often repair work. Small bug fixes are not the problem, but adding something for which the software originally was not designed will cause problems. Such work often destroys the clear concepts of the software, especially in interweaved monolithic code. | 694 Besides these advantages of existing code, one must not forget that further work on it is often repair work. Small bug fixes are not the problem, but adding something for which the software originally was not designed, will cause problems. Such work often destroys the clear concepts of the software, especially in interweaved monolithic code. |
| 695 | 695 |
| 696 \person{Doug McIlroy}, a person with important influence on Unix especially by inventing the Unix pipe, demands: ``To do a new job, build afresh rather than complicate old programs by adding new features.'' \cite{mcilroy78}. | 696 \person{Doug McIlroy}, a person with important influence on Unix especially by inventing the Unix pipe, demands: ``To do a new job, build afresh rather than complicate old programs by adding new features.'' \cite{mcilroy78}. |
| 697 | 697 |
| 698 Repair strategies are useful, but only in the short-time view and in times of trouble. If the future is bright, however, one does best by investing into a software. As shown in section~\ref{sec:market-analysis-conclusion}, the future for \MTA{}s is bright. This means it is time to invest into a redesign with the intension to build up a more modern product. | 698 Repair strategies are useful, but only in the short-time view and in times of trouble. If the future is bright, however, one does best by investing into a software. As shown in section~\ref{sec:market-analysis-conclusion}, the future for \MTA{}s is bright. This means it is time to invest into a redesign with the intension to build up a more modern product. |
| 699 | 699 |
| 700 In the author's view is \masqmail\ already needing this redesign since about 2003 when the old design was still quite suitable \dots\ it already delayed too long. | 700 In the author's view is \masqmail\ already needing this redesign since about 2003 when the old design was still quite suitable \dots\ it already delayed too long. |
| 701 \index{masqmail!redesign} | 701 \index{masqmail!redesign} |
| 702 | 702 |
| 703 %Clinging to much to existing code will be no help, it is an indicator for fear. Having the courage to through bad code away to make it better, shows the view forward. | 703 %Clinging to much to existing code will be no help, it is an indicator for fear. Having the courage to through bad code away to make it better, shows the view forward. |
| 704 | 704 |
| 705 Anyway, further development on base of current code needs to improve the quality properties too. Some quality requirements can be satisfied by adding wrappers or interposition filters to the outside. For those is the development effort approximately equal to a solution with a new design. But for adding quality requirements like extendability or maintainability which affect the source code throughout, the effort does increase with exponential rate as development proceeds. In case these properties get not improved, development will likely come to a dead end sooner or later. | 705 Anyway, further development on base of current code needs to improve the quality properties, too. Some quality requirements can be satisfied by adding wrappers or interposition filters to the outside. For those is the development effort approximately equal to a solution with a new design. But for adding quality requirements like extendability or maintainability which affect the source code throughout, the effort does increase with exponential rate as development proceeds. In case these properties get not improved, development will likely come to a dead end sooner or later. |
| 706 \index{quality improvement} | 706 \index{quality improvement} |
| 707 | 707 |
| 708 | 708 |
| 709 | 709 |
| 710 | 710 |
| 728 | 728 |
| 729 | 729 |
| 730 \subsubsection*{Modularity} | 730 \subsubsection*{Modularity} |
| 731 \index{modularity} | 731 \index{modularity} |
| 732 | 732 |
| 733 The avoidance of dead ends is essential for further development on current code too. Hence it is mandatory to refactor the existing code base sooner or later. Most important is the intention to modularize it, as modularity improves many quality properties, eases further development, and essentially improves security. | 733 The avoidance of dead ends is essential for further development on current code, too. Hence it is mandatory to refactor the existing code base sooner or later. Most important is the intention to modularize it, as modularity improves many quality properties, eases further development, and essentially improves security. |
| 734 | 734 |
| 735 One example how modular structure makes it easy to add further functionality is described by \person{Sill}: He says that integrating the \name{amavis} filter framework into the \qmail\ system can be done by simply renaming the \path{qmail-queue} module to \path{qmail-queue-real} and renaming the \path{amavis} executable to \path{qmail-queue} \cite[section~12.7.1]{sill02}. Nothing more in the \qmail\ system needs to be changed. This is a very admirable ability which is only possible in a modular system that consists of independent executables. | 735 One example how modular structure makes it easy to add further functionality is described by \person{Sill}: He says that integrating the \name{amavis} filter framework into the \qmail\ system can be done by simply renaming the \path{qmail-queue} module to \path{qmail-queue-real} and renaming the \path{amavis} executable to \path{qmail-queue} \cite[section~12.7.1]{sill02}. Nothing more in the \qmail\ system needs to be changed. This is a very admirable ability which is only possible in a modular system that consists of independent executables. |
| 736 \index{modularity} | 736 \index{modularity} |
| 737 | 737 |
| 738 This thesis showed several times that modularity is a key property for good software design. Modularity can hardly be retrofitted into software, hence development on base of current code will need a throughout restructuring too, to modularize the source code. Thus a new design is similar to such a throughout refactoring, except the dependence on current code. | 738 This thesis showed several times that modularity is a key property for good software design. Modularity can hardly be retrofitted into software, hence development on base of current code will need a throughout restructuring too, to modularize the source code. Thus a new design is similar to such a throughout refactoring, except the dependence on current code. |