[Mailman-Users] security heads up - path traversal with 2.1.5

Chuq Von Rospach chuqui at plaidworks.com
Thu Feb 10 17:48:23 CET 2005

If you own a business, and your customers start telling your employees 
when to take coffee breaks, would that upset you?

That's the same issue as when users decide when to make announcements 
about mailman without consulting Barry. It's Barry's call.

A lot of this comes down to the issue of people "trying to help". 
Everyone means well -- but there's a big difference between "trying to 
help" and "helping". What happened here made things WORSE for the 
community at large, not better, and caused a fair bit of hassle for the 
prime developers who had to scramble when what they'd been planning to 
do got torpedoed. That is NOT HELPING, no matter what the intent.

If you want to help, find the people you're trying to help and ask "how 
can I help?". Don't decide for yourself what needs to be done, ask. 
Because chances are, you're going to get in the way of things already 
going on and slow it down or mess it up.

This whole argument could have been avoided if the original poster, 
instead of posting it to the list, had emailed Barry and said "Hey, 
Barry, have you heard of this? what's up?" -- and Barry would have told 
him the announcement was coming and life would have been good. 30 
seconds of thinking, and asking a simple question. (In fact, that's 
exactly what I did when I got wind of the problem, and once it was 
clear Barry was already briefed and working on it, I shut up and stayed 
out of his way.)

At about this point in the argument, I usually get accused of pissing 
off people who want to help and discouraging them from getting 
involved. This isn't true, but it seems to make people feel better and 
saves them from admitting they made a (well meaning) mistake. What I'm 
trying to do is get people to understand that it's not just important 
to WANT to help and Do Things, but to make sure what you're doing 
actually makes things better and moves things forward. Otherwise, 
you're just wasting that energy and time you just spent, and likely 
wasted time and energy of others as well.

There's a right way and a wrong way to help. "Well meaning" doesn't 
make it right, it makes it "well meaning". The right thing to do here 
is to go to the developers and ask what you can do to help, not just 
decide you're in charge and you know better than the folks who actually 
do the work.

On Feb 10, 2005, at 8:31 AM, Kai Schaetzl wrote:

> I really don't see any sense in insisting that informing about it here and
> pointing to the source makes anyone more unsafe.
