Configuring cyrus-imapd for compilation

Patrick Goetz pgoetz at mail.utexas.edu
Wed Mar 13 13:52:00 EDT 2019 

On 3/13/19 11:49 AM, Jason Tibbitts wrote:
 > In general I agree with you, but for a distro the issue
 > generally comes down to dependencies.
 >
 > In Fedora, for example, we split the virus scanning portion out to a
 > separate package, because otherwise cyrus-imapd ends up with a
 > dependency on clamav.  We want to avoid that because not everyone
 > wants to maintain a clamav installation so we put the cyr_virusscan
 > binary and its manpage in a separate subpackage.

Unfortunately that's not a model that works for the Arch Linux AUR.

Basically almost anyone can put out an AUR package (this is one of the 
reasons nearly everything in the linux ecosystem is readily available on 
Arch), but such packages are required to be text files only with 
absolutely no exceptions allowed. Most of the heavy lifting is done by a 
PKGBUILD file, which is essentially a fancy shell script which relies on 
the makepkg utility for interpretation.  The PKGBUILD orchestrates 
downloading, configuring, and compiling software directly from upstream 
sources into a binary pacman package (think of it as Gentoo, but just 
for extra goodies and not the base system).  In cases where only 
binaries are available, the PKGBUILD can download binaries from the 
official upstream source and convert them to an Arch package.  Users are 
encouraged to examine these PKGBUILD files in order to make sure no one 
is attempting to install malware on their systems, but of course most 
don't, and there have been a couple of cases of AUR packages which 
attempted to sneak malware into the AUR.  It's still a pretty good 
bazaar with no actual examples of serious malware deployment to date. 
Enough people do look at the PKGBUILD files, and most convenience 
utilities (e.g. yay or pacaur) try and make you look at the PKGBUILD 
even though they're doing the work for you.

Generally this system works amazingly well, but this is an example where 
it breaks down.  And yes, it's precisely the dependencies which are an 
issue.  I can list the packages found here:
  https://www.cyrusimap.org/imap/developer/compiling.html
as optional dependencies, but down the road someone will attempt to use 
a feature and likely won't run `pacman -Qi` to remind themselves of the 
necessity of these optional dependencies for that feature.  The 
alternative, requiring the installation of all possible dependencies, 
seems unreasonable as well.

The saving grace is perhaps that this is a package aimed at systems 
administrators rather than ordinary users, and as such I might be able 
to get away with setting up an Arch Wiki page explaining what all the 
optional dependencies are.

More information about the Info-cyrus mailing list