-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Apr 16, 2008, at 12:21 AM, Jim Popovitch wrote:
> I really am faced with only two choices. Commit my fixes to the publicly available source tree so they can be exposed and tested in a wide variety of environments during the beta release phase, which process necessarily also exposes the vulnerabilities that they fix to the world, or sit on my patches and release them untested by others in the final release.

> I can appreciate the significance of that situation. I don't know that I have a solution other than to ask what does ClamAV or SpamAssassin do in similar situations? I believe I shepherded the idea, some time ago, of the need for a closed Mailman security team of both developers and involved site administrators. I would say if a proven trusted group of Mailman site administrators privately discussed and tested a security fix, then I would have no problem with fixes being committed and released at once. Although a "heads up!" would be nice too. ;-)
We have such a closed list, currently consisting of Mark, Tokio and
myself. It's who you get when you contact mailman-
security@python.org. More volunteers would probably be welcome,
especially if they were devoted to lending the additional help you
describe above. Note too that we don't work in a vacuum. Very often
we're working with vendor-sec to address security issues in a
responsible and coordinated way.
> Patches for CVE-2008-0564 were made available to those who asked, and a Google search will show that some distros have been patched, although Ubuntu for example <https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338> calls it "low" importance.
Well, I gave up running Ubuntu on servers (although I still do on my laptop) specifically because I didn't like their approach to things like having NetworkManager installed/enabled by default on a Server install. ;-)
BTW, it's not our responsibility to do anything other than patch the
Mailman source distribution. We'll work with vendors of course, but
it's really up to them to decide which patches to incorporate and
how to distribute. If you don't want to run from source, you have to
trust your distro vendor to do the right thing.
Fortunately now, you have another option. You could track changes to
the master Bazaar repositories using your own branches. Then you can
decide which of our changes to cherry pick into your own running
servers, and easily merge in your own customization. Nobody's doing
it this way yet afaik, but I think it would work quite well for some
sites.
- -Barry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkgGiu8ACgkQ2YZpQepbvXGSUQCeIHdAwKEnUvVJc69B97/2gNgp
GVwAn3bqBbCiXYZ0JxgRkvfUZNUSSvrQ
=7rg6
-----END PGP SIGNATURE-----