[Mailman-Users] Mailman 2.1.10rc1 has been released
brad at shub-internet.org
Thu Apr 17 06:48:58 CEST 2008

On 4/17/08, Jim Popovitch wrote:
> I think the process needs to change and have security issues handled
> outside of normal releases.

Which is what normally happens in the process as it currently exists.
It's just that, in this particular case, this bug wasn't exposed
until an earlier 2.1.10b version was released, and then we fixed this

So, in this case, to get the security fix you need to install the
latest 2.1.10rc (which includes additional functionality), as opposed
to a patch to a previous 2.1.9 version (which would presumably
include just the security fix).

To go down the road you suggest would mean that we'd be responsible
for back-porting all security-only fixes to all previous versions of
Mailman, as a completely separate release tree from the new

Speaking only for myself, this seems to be a significant additional
amount of work, and I think it's unlikely to happen unless we get a
lot more resources on this project. We'd need developers working on
new code, developers working exclusively on security fixes, and a
separate Release Engineer whose sole responsibility is to manage the
process of creating appropriate patch releases as well as shepherding
the new development releases.

FreeBSD can get away with that, because they've got a lot more people
working on the project, and a lot more money supporting those people.
I doubt we're ever going to be in a position to do something like
that ourselves. In this project, most people have to wear multiple
hats, and work on new development, security fixes, and release
engineering, all at the same time.

> And for the record, I would be very willing to help out (I have Python
> skills), but $DAYJOB legally prevents me from pretty much actively
> getting involved. Further, if I did contribute code, it could open
> Mailman up to legal issues. But, testing, etc, are ok because they
> are not IP related.

You could take over the Release Engineering job, and manage the two
separate security patch-only releases as well as the new-development

Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>