[Mailman-Users] Handling MM security problems

Carl Zwanzig cpz at tuunq.com
Mon Feb 14 19:35:23 CET 2005

[long post ahead]

This has gone past silly.

I run MM. 
I'm concerned about security holes.
I want to know about holes ASAP. 
I want to make the decision whether they are serious enough to stop all 
  list processing or to ignore.
I don't want someone else making these decisions for me. 

The only way I'll know these things is if a Nice Person(tm) finds the
exploit and tells the people using and maintaining the software. It 
would be great if I can get this info from the MM-user's list, but 
if not, I'll get it somewhere else as surely the Bad Guys(tm) will.

Perhaps there needs to be a MM security discussion list for those of
us that care about it and actually read the code and the FAQs.

Brad wrote:
> At 1:24 PM +0100 2005-02-14, Florian Weimer wrote:

>>  You're trying to establish something like ownership of security bugs.
>        No, but Chuq certainly is one of the co-owners of this list, and
> as a co-owner, he is one of the few people who gets to have the right
> of determining what is/is not appropriate conduct on this list.

> If you fail to respect his wishes on this, you do so at your own peril.

That's a rather direct threat, and -it- has no place on any civil list. "At
my own peril?" What is "my peril"? 

>       What people do on other lists is between them and the people who
> own those lists.  What people do on this list is subject to the
> requirements of the core developers.

...which makes it sound like this list is the mailman developers' private
sandbox, and they suffer the presence of the rest of us. May not be intended,
but that's one way to read it.


Brad wrote again:

>At 2:09 PM +0100 2005-02-14, Florian Weimer wrote:
>>  The underlying assumption seems to be that Mailman security bugs can
>>  only be disclosed by posting them on the Mailman lists.

>        We have no more control over what you say or do on other lists
> than any other developer.  Yes, if there is a security bug, we would
> prefer that you come talk to us first, and let us work on getting a
> patch created and the appropriate announcements made, etc....

However, many of us are concerned about security bugs, and not only once
a patch has been created. We want to know when they are discovered. If
this info isn't available here, then we will get it somewhere else, and
will wonder if the MM developers know or care about it.

>        However, when you use our mailing lists, on our servers, to
> discuss our software, I think we have a reasonable expectation that
> you will follow the requirements that we may have regarding what we
> consider to be "responsible conduct", and to comport yourself
> appropriately.

Yes, and we the readers have an expectation that we can discuss all 
aspects of the software & its usage.

>As a general rule, if you have questions regarding sensitive security issues, 
>you can post them to mailman-cabal at python.org, which is a closed distribution

Unless the -cabal members include the original poster in their discussion,
there is little utility for us unwashed folks to post to that list. It 
becomes a black hole. See below.

>Even if the issue has been publicly discussed in other forums, you should 
>wait for the official announcements before discussing them publicly, whether 
>on mailman-users, mailman-developers, or elsewhere.

And -that- is telling us what to do elsewhere, which doesn't square with
statements above and with industry practice. [1][2]


>I'm not establishing ownership of security bugs. i'm trying to
>establish the protocol for how that information is WIDELY distributed.
>it broke the standard protocols we use in these cases (some of us have
>been involved in security for a while, unlike the amateurs), and now,
>the people who did it are insisting the protocols worked out over the
>years are wrong, because they don't like them.

** What are these protocols? Tell the cabal and see if they react? Seems
awfully dicey.

>So excuse me if I'm grumpy. I think I'm entitled. Not as much as Barry
>is, but he's far too polite to try to get people to behave. that's my
>job around here.

I'm also getting a little grumpy because the discussion has moved from a
civil discussion of "please don't do that, here's why" level to a do that
"at your peril" level.

I'll climb out on a limb and suggest what I just asked chuq:

If you find a security problem, please tell the cabal. We'll get back to
you within 12 hours. If we do, please don't post this directly to the 
MM-users list. If we don't say anything, in the interest of protecting 
sites using MM, publicly identify the problem. Please don't publish your 
own patches unless the problem is so bad that it compromises the operation 
of entire servers. If you do have a patch, please send it to the MM 
developers, we may use it directly.

How's that?
