[Mailman-Users] security heads up - path traversal with 2.1.5
Chuq Von Rospach
chuqui at plaidworks.com
Thu Feb 10 17:48:23 CET 2005
If you own a business, and your customers start telling your employees
when to take coffee breaks, would that upset you?
That's the same issue as when users decide when to make announcements
about Mailman without consulting Barry. It's Barry's call.
A lot of this comes down to the issue of people "trying to help".
Everyone means well -- but there's a big difference between "trying to
help" and "helping". What happened here made things WORSE for the
community at large, not better, and caused a fair bit of hassle for the
prime developers who had to scramble when what they'd been planning to
do got torpedoed. That is NOT HELPING, no matter what the intent.
If you want to help, find the people you're trying to help and ask "how
can I help?". Don't decide for yourself what needs to be done, ask.
Because chances are, you're going to get in the way of things already
going on and slow it down or mess it up.
This whole argument could have been avoided if the original poster,
instead of posting it to the list, had emailed Barry and said "Hey,
Barry, have you heard of this? What's up?" -- and Barry would have told
him the announcement was coming and life would have been good. 30
seconds of thinking, and asking a simple question. (In fact, that's
exactly what I did when I got wind of the problem, and once it was
clear Barry was already briefed and working on it, I shut up and stayed
out of his way).
At about this point in the argument, I usually get accused of pissing
off people who want to help and discouraging them from getting
involved. This isn't true, but it seems to make people feel better and
saves them from admitting they made a (well meaning) mistake. What I'm
trying to do is get people to understand that it's not just important
to WANT to help and Do Things, but to make sure what you're doing
actually makes things better and moves things forward. Otherwise,
you're just wasting that energy and time you just spent, and likely
wasted time and energy of others as well.
There's a right way and a wrong way to help. "well meaning" doesn't
make it right, it makes it "well meaning". The right thing to do here
is to go to the developers and ask what you can do to help, not just
decide you're in charge and you know better than the folks who actually
do the work.
On Feb 10, 2005, at 8:31 AM, Kai Schaetzl wrote:
> I really don't see any sense in insisting that informing about it here and
> pointing to the source makes anyone more unsafe.