[Mailman-Users] Mailman 2.1.10rc1 has been released
Jim Popovitch
yahoo at jimpop.com
Thu Apr 17 06:16:54 CEST 2008
On Thu, Apr 17, 2008 at 12:07 AM, Stephen J. Turnbull
<stephen at xemacs.org> wrote:
> Barry Warsaw writes:
>
> > BTW, it's not our responsibility to do anything other than patch the
> > Mailman source distribution.
>
> I think you've missed at least part of Jim's point ...
>
>
> > Then you can decide which of our changes to cherry pick into your
> > own running servers, and easily merge in your own customization.
>
> Ayup, I do think you did. Over his boss's dead body he will ....
>
> The two points he wants, I think, are
>
> (1) the certification that comes with an Official Release, and
>
> (2) Minimal Change (addressing *only* the security issues) from the
> current Official Stable Release. Maybe even a patch for the previous
> O.S.R., since many people give a release a bit of time to shake down.
>
> *How* those changes get into his installation are (at this point) a
> secondary concern.
>
> Jim?

Correct. Security fixes should be minimal and quick, needing very
little effort/attention by end users (i.e. Mailman operators). I
would be very trusting and very happy if things like XSS and remote
exploits were handled outside of CVS/SVN, then tested by a core group
of operators to make sure the fixes didn't break other things. And
then (same day) commits to CVS/SVN and source releases to the market.

2.1.10.rc1 appears to be more than security fixes, and as such is
held up by language dependencies and other standard release issues.
I think the process needs to change and have security issues handled
outside of normal releases.

And for the record, I would be very willing to help out (I have Python
skills), but $DAYJOB legally prevents me from pretty much actively
getting involved. Further, if I did contribute code, it could open
Mailman up to legal issues. But testing, etc., are OK because they
are not IP related.

-Jim P.