[Mailman-Users] any info on this reported exploit?

Stephen J. Turnbull stephen at xemacs.org
Mon Jan 30 09:12:50 CET 2006

>>>>> "Jim" == Jim Popovitch <jimpop at yahoo.com> writes:

    Jim> BTW, just who are the members of mailman-security?

It's a self-selecting group, though not a terribly secret one; I
believe the membership of that list has been described, if not
explicitly listed, in the past.  But I know Barry well enough to trust
him for this purpose, and that's good enough for me.  Others must make
their own decisions, of course, and my opinion may or may not be
relevant to such decisions for any given person.

    Jim> Well it seems to there are two extremes in the Mailman group
    Jim> of interested folks.  Those that want to know everything, but
    Jim> don't want anyone else to know it.

"Everything"?  That's a curious thing to say about people active in an
open source software project, even as an exaggeration.  I think you
have long since let your temper get the better of you!  Now, it has
been said several times (in other words) that those who advocate this
policy dislike it for much the same reasons you do, but also believe
that the one you propose is worse.  Do you disbelieve that?

The statement I (an outsider who observed the discussions that led up
to publication of the FAQ) consider accurate is that those who
drafted the security policy tried to balance their desire to release
*all* information related to Mailman to all who will not use that
information to harm others, with their desire to provide as little
information as possible to those who would use it for irresponsible or
hostile purposes.

    Jim> I think it is totally irresponsible to expect that site
    Jim> admins find out on their own if there are insecurities in the
    Jim> sites they run.

Without accepting that as an accurate characterization of the current
policy, let me say: Good for you!  Take some responsibility for what
you consider to be a problem, then.

Design a system to meet the goals of the security policy and the goal
of informing admins as best as possible.  Tell mailman-security about
it.  Deal with their objections and proposed improvements, and
implement it, including getting yourself sufficiently trusted to be
added to mailman-security if required for your proposal, and
coordinating the announcements (i.e., writing the announcement and
getting the approvals from the developers who understand the security
implications of the information to be released, then posting it).
Alternatively, round up one or more volunteers to do the on-going

Don't ask me to do any of it, though.  Sounds like a lot of work,
which I consider unnecessary.

    Jim> If I am running a Mailman 2.1.6 site, I expect

"There you go again!"  I gather you still haven't read Paragraph 11 of
the License under which you received Mailman.

Note that that Paragraph does not say that the developers of Mailman
do not care about these issues.  It says that they will care about
them in the way that they see fit, and you have no legal grounds for
complaint, no matter what that is.  If you want to change the way they
deal with these issues, join them and do the work.  (In many cases,
"convince them to do it" is also appropriate, but in this case the
arguments you make have already been made and were found insufficient,
so jawbone is unlikely to be effective.)

School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
