[Mailman-Developers] before next release: disable backscatter in default installation

Barry Warsaw barry at python.org
Tue Mar 25 21:58:17 CET 2008


On Mar 24, 2008, at 9:37 PM, Jo Rhett wrote:
> On Mar 4, 2008, at 6:00 PM, Stephen J. Turnbull wrote:
>> In any case, it's hard to sympathize with your claim of urgency.
>> Mark's intention to release 2.1.10 has been known for many months.
>> This proposal comes on the eve of release.  Code changes to implement
>> it can, and should, wait for the next release.
>
> What?  I'm sorry, but Mailman has been blamed for backscatter for
> like 3 years going now.  This problem has been well known for long
> before 2.1.10 was even dreamed of.  I am asking that the developers
> start paying attention *NOW*.
>
> If the problems aren't going to be solved before 2.2, then we're
> going to put Mailman in the same bin as qmail and say that using it
> is a violation of the AUP.

Now that there's documentation, I don't think you need to be that  
severe.  Not everybody needs or wants this particular behavior.  Those  
that do should now have the information at their fingertips.  If  
downstream distributions want to change the defaults they are free to  
do so.

This simply cannot be changed in Mailman 2.1.  For one thing, it's a  
major feature change, not a security fix.  A security problem would be  
something like a cross-site scripting vulnerability or remote root  
exploit.  For another, pushing back 2.1.10 guarantees that 2.2 will be  
delayed because of the extra q/a that needs to happen, etc.  This  
isn't a trivial change and we have limited resources.

-Barry
