[Mailman-Users] any info on this reported exploit?

Jim Popovitch jimpop at yahoo.com
Sun Jan 29 22:10:18 CET 2006

Brad Knowles wrote:
> At 2:11 PM -0500 2006-01-28, Jim Popovitch wrote:
>>  The whole reason for me waxing so passionately on this thread is the
>>  earlier suggestion that Diana shouldn't have even emailed mailman-users,
>>  but rather mailman-security and kept it quiet thereafter (this after it
>>  was already released over at securityfocus.com).
>     Correct.  See FAQ 1.27.  That is the official Security Policy of 
> this mailing list, and that information is included in the footer of 
> every single mail message which passes through this list.

But, Diana wasn't emailing sensitive info.  She was asking a very 
important question about something that was already public.  You then 
told her that she should have gone to the secret-handshake club.  Are 
you suggesting that all "Hey, has this been fixed yet" questions should 
be off list and only one-on-one with mailman-security?

>     In this case, no harm was done, since the bug had already been 
> "fixed" through the work that Tokio had done in creating the next 
> release of the code, and the real problem was the disconnect in what we 
> were calling the bug and what they were calling it.  But the potential 
> was certainly there.
>     But if you can't adhere to the official Security Policy of this 
> mailing list, then you shouldn't be posting here, and you shouldn't be 
> subscribed.

er, Right.... (the elitism really shines through Brad).

-Jim P.
