Description

Since we have a new release coming up, I figured I'd look into bumping our manually installed software.

• Updates:
  • Rspamd 3.8.4 => 3.11.0 (implicit as no version pinning)
  • fts-xapian 1.7.13 => 1.9.0
    • NOTE: The maintainer didn't tag the release with proper semver, hence change to 1.9 is correct
    • Previously 1.7.12 (DMS v14), updated to 1.7.13 (#4095)
  • jaq 2.0.0 => 2.1.0
    • Previously 1.3.0 (DMS v14), updated to 2.0.0 (#4190)
  • Dovecot CE 2.3.x (invalid for Debian 12) => 2.4.x (potentially incompatible, but isn't broken at build time like current 2.3 series for Debian Bookworm is)
• Revised comments and logs for consistency + improved context.
• Dovecot + Rspamd repo adding + package install now consistent.

  • Prior images of DMS will now fail to build from the Dovecot CE repo as the GPG key no longer exists and returns 404 (no redirect), instead a -2.3 or -2.4 suffix is required. The repo info page also changed from gpg --import / gpg --export to using gpg --dearmor like Rspamd does.

  • http:// => https:// for rspamd's repo (this isn't required, Debian configures it's own repo URLs with plain HTTP)

  • upstream- prefix used for GPG keys we create. Purely cosmetic for grouping.

  • /etc/apt/trusted.gpg.d => /usr/share/keyrings is where keys should be stored now (Debian has keys here already), more info:

    Adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. This is exactly why apt-key had to be deprecated.

    Once a future release of Debian provides a newer release of apt (DMS edge currently has apt 2.6.1) we can automate conversion of the current .list files created to DEB822 .sources (Debian 12 already has this format, but .list remains compatible for the time being), which will allow for the terser .list format:

    Since apt 2.9.24 (released January 2025), you can run apt modernize-sources to automatically migrate all your .list files to DEB822

Other services not yet bumped

I've requested Fail2Ban to push out a new release. There appears to be some changes / fixes for mail related software, the commit history is a bit messy but the changelog seems to represent most of it at a glance.

I thought we were still pulling in getmail6 from an external source rather than a debian package (6.18.11-2), as I had wanted to bump it (may need to wait until Debian 13 then). Getmail from 6.19.0 adds the mark_read option, which allows for matching Fetchmail behaviour to mark retrieved mail with \Seen. That's presently a difference I have noticed between the two services.

Lack of version pinning

Rspamd's repo seems to only carry one version, making it unreliable for building past images of DMS since we cannot pin the package by version if the package gets removed.

# This shows that each repo is only offering 1 package each:
# bookworm (stable) + rspamd (unknown)
# Normally if a repo carries multiple packages we'd get the full list via `-a`
$ apt list -aqq rspamd
rspamd/unknown 3.11.0-1~90a175b45~bookworm amd64
rspamd/stable 3.4-1 amd64

# For additional clarity, this similar command will detail the source repo URL:
# NOTE: This is run from a debian:12-slim container instead of DMS, hence no rspamd installed
$ apt-cache policy rspamd
rspamd:
  Installed: (none)
  Candidate: 3.11.0-1~90a175b45~bookworm
  Version table:
     3.11.0-1~90a175b45~bookworm 500
        500 https://rspamd.com/apt-stable bookworm/main amd64 Packages
     3.4-1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages

The Dovecot repo appears to be the same with version specific repos and a latest variant. An example of a multi-version deb repo is Caddy via Cloudsmith.

Type of change

• Improvement (non-breaking change that does improve existing functionality)

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• New and existing unit tests pass locally with my changes
• I have added information about changes made in this PR to CHANGELOG.md