[Mailman-Users] any info on this reported exploit?

Jim Popovitch jimpop at yahoo.com
Sat Jan 28 16:31:22 CET 2006


Brad Knowles wrote:
>     But on Monday, they may not know how long it will take them to 
> create a patch.  It might turn out to be a simple matter that can be 
> fixed by Tuesday morning, or it might be complex and take weeks or months.
> 
>     But when they make that initial announcement, assuming no one else 
> has posted something to some other mailing list, they're basically 
> firing the starter's pistol for the blackhats to race to locate the bug 
> and start exploiting it before a patch can be issued.

But now, you really don't know that, do you?  People are fooling 
themselves when they think that the blackhats don't already know about 
issues like this.  We don't know what they know, so adopting a 
head-in-the-sand mentality only really inhibits the user base.

>     I think they need to hold off a little while longer on making that 
> initial announcement, at least until they know enough about the problem 
> to have a good idea how long it's going to take to create the patch, how 
> widespread the problem is, what the overall risk is, etc....

OK, that's fair.  But do you think they need to hold off entirely up 
until the point they have a patch pushed to *.dl.sf.net?

>     In the case of the most recent issue, Tokio apparently felt that it 
> was a reasonably low-risk item and he fixed the bug (along with a number 
> of other problems) during the normal release cycle.  It wasn't until 
> others came along and decided to call this a potential DoS attack that 
> people like you started screaming.

Listen, nobody expects Tokio to be perfect.  If people hadn't started 
making some noise, most of us wouldn't know there is a pending patch. 
Yet we still haven't broken any code-of-silence, nor have we aided any 
blackhats.

>     I don't think a last minute announcement is a good idea, but then I 
> also don't think it's a good idea to run around like Chicken Little 
> screaming that the sky is falling every time something comes up and 
> before we've had enough time to look into the issue, gauge the potential 
> risk and how many people might be affected, and have a decent idea of 
> how long it's going to take to create a patch.

Fair enough.

> 
>     I think we need to compromise somewhere in the middle, and I think 
> we have to trust the Mailman developers to do that.

Agreed.  I would only add that we need to encourage them to do this as 
part of their fix-test-release process.  I can't recall them ever giving 
advance notice or recommendations.  The only ones I recall are when a 
user has publicly raised the issue and one of the developers has come 
forward and recommended tweaks to private.py and/or Cleanse.py.

>>  My thoughts exactly.  I trust them to do the work and produce a fix.
>>  Again, all I am advocating is that if they are spending 6 days on a fix,
>>  don't wait until the 7th day to fill us in.  Let us know up front that
>>  they are working a possible fix that may need to be applied.  Where's
>>  the harm in that?
> 
>     In most cases, when you're developing a fix for some bug, you may 
> know that you've spent six days so far on the problem, but you may not 
> have much of an idea of how much longer it's going to take you.
>
>     If you make the seven day announcement one day into a problem that 
> actually takes you a month, explain to me how this is a good thing?

It's a good thing because it keeps your users in-the-know.  Again, 
nobody is expecting perfection, just info.  If you don't know how long 
it will take, don't say 7 days.  Just say "I don't know, we are working 
on it".  At least then users will know something is up.  After that, if 2 
weeks go by without a patch, users can start some Q&A to possibly keep 
things going.

> 
>>  Again, you misunderstand my interests.  I don't want info on the hack,
>>  I want a "heads-up" that <unidentified> fix is in the pipe and sysadmins
>>  can expect it late Friday (or whenever).  Again, how is that so 
>> egregious?
> 
>     And I think you misunderstand the development process.  Many times 
> you don't know how long it's going to take you until you've done it.

I think you don't understand project management and process tracking. 
;-)  Again, nobody is screaming for miracles, just some info.  Don't 
keep everyone in the dark just because you think nobody knows about this 
or that yet.

-Jim P.
