[Mailman-Users] any info on this reported exploit?
Brad Knowles
brad at stop.mail-abuse.org
Fri Jan 27 10:52:22 CET 2006
At 1:00 AM -0500 2006-01-27, Jim Popovitch wrote:
> I'm pretty sure that the
> "insiders" fix their systems first, then tell the rest of us about the
> patch, probably at the last minute possible.
The "insiders" here are people like Barry, Tokio, and Mark. I
can't speak for what they do on their personal systems, but my
recollection is that python.org wasn't updated until the patch was
publicly available. And even I don't have access to their internal
discussions regarding such matters.
So, you're no worse off than I am.
> I challenge everyone on
> mailman-secure (or whatever list it is) to NOT touch your public
> Mailman systems until you notify mailman-users of the solution to the
> next vulnerability. Deal?
They do have to do their development somewhere, right? I mean,
you give them that much, I hope. And they do need to do at least
some minimal testing on a live production system before they release
that to the public, right? I mean, you wouldn't want to try using
something that had never been tested anywhere, would you?
There is a QA process that such patches need to go through, even
if we're talking about a bug that is currently being exploited
widely.
In fact, the more it's being exploited, and the more dangerous it
is, I think the more testing needs to be done to make sure that it's
caught and completely dealt with, and there aren't any unintended
consequences.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.