On Dec 22, 2004, at 5:40 AM, Florian Weimer wrote:
> Shall I post them to this mailing list, and notify full-disclosure &c at the same time? (Terri will prove that these two bugs are non-issues as well, and propose to defer fixing them to 3.0 anyway, so I doubt that a private discussion would get us anywhere.)
Hey! I wasn't trying to say that they're a non-issue. It's just that I think if we want to make claims of security, we should probably fix more than what you suggested and make it more clear to users what attack vectors there are. If we're talking about larger architectural changes to make things better, then such a fix would naturally fall into 3.0, where it could be done properly.
However, if users already have this expectation of security, then you're right, it makes sense to try to meet it as soon as possible. To be honest, I've encountered really few users who thought mailman archives were secure (I think I've encountered one in the years I've been working with mailman) so I was assuming this was a known flaw to most users.