[Mailman-Developers] Handling potential security bugs
Terri Oda
terri at zone12.com
Wed Dec 22 17:17:58 CET 2004
On Dec 22, 2004, at 5:40 AM, Florian Weimer wrote:
> Shall I post them to this mailing list, and notify full-disclosure &c
> at the same time? (Terri will prove that these two bugs are
> non-issues as well, and propose to defer fixing them to 3.0 anyway, so
> I doubt that a private discussion would get us anywhere.)
Hey! I wasn't trying to say that they're a non-issue. It's just that
I think if we want to make claims of security, we should probably fix
more than what you suggested and make it more clear to users what
attack vectors there are. If we're talking about larger architectural
changes to make things better, then such a fix would naturally fall
into 3.0, where it could be done properly.
However, if users already have this expectation of security, then
you're right, it makes sense to try to meet it as soon as possible. To
be honest, I've encountered really few users who thought Mailman
archives were secure (I think I've encountered one in the years I've
been working with Mailman) so I was assuming this was a known flaw to
most users.