[Mailman-Users] any info on this reported exploit?

Brad Knowles brad at stop.mail-abuse.org
Mon Jan 30 11:46:18 CET 2006

At 10:11 PM -0500 2006-01-29, Jim Popovitch quoted Stephen J. Turnbull:

>>  And if three people ask on mailman-security?  There's a short post to
>>  mailman-users, and it ends up in the faq, because it's a PITA for the
>>  developers to keep answering it.
>>  What's wrong with that?
>  Nothing, assuming:
>     A) Makes it into the FAQ in a timely fashion for it to benefit site
>  admins

	Which it will do -- see Stephen's note above.

>     B) There is some means to notify site admins so that they don't
>  have to parse through mailman-users to get info on security issues.

	We've tried to be good about making important announcements to 
the mailman-announce mailing list, but I see that we haven't posted 
anything there in a few months.  I grant you that we could be better 
about making announcements.

>  I've been subscribed to mailman-announce for 5+ years.  I don't
>  recall ever seeing anything such as: "FAQ XYZ has been updated", let
>  alone info on potential vulnerabilities that I should be aware of.

	If you're asking to be notified every time there is a FAQ update, 
then you have absolutely no clue whatsoever what you're asking for -- 
you have no clue how many times in an hour that I will edit or 
re-edit the same FAQ entry, trying to get the language just right. 
You have no clue how many times per day that I will create multiple 
FAQ entries, or clean up places where people were stupid and asked 
questions in the FAQ because the FAQ frequently uses a 
question-and-answer format, and they thought that if they asked a 
question there that it would be magically answered by someone.  And 
I'm just one person.

	We could be better about making announcements to 
mailman-announce, I will grant you that.

>  And that is good.  Diana's case doesn't seem to meet that measure, yet
>  that is the advice Brad gave her.

	She was asking a question regarding the security of Mailman, and 
she should have followed the instructions in FAQ 1.27.

>                                     Was that an attempt to suppress this
>  info from other site admins?

	Is your continuous harping on this obvious nonsensical question 
an attempt to drive away all other subscribers to this mailing list?

>  And how does that apply to Diana's question?  Clearly she was inquiring
>  about a fixed issue, right?  If not, shouldn't the answer given to her
>  also be seen by others in similar situations?

	She didn't know the issue was fixed until she asked the question. 
Therefore, she should have followed proper procedure, as outlined in 
FAQ 1.27.

	When you pick up a gun, do you pull the trigger before you check 
to see whether or not it is loaded?  If so, would you allow others to 
follow that procedure when aiming those guns at your head?

>  Well it seems there are two extremes in the Mailman group of
>  interested folks.  Those that want to know everything, but don't want
>  anyone else to know it.

	And now we see just how self-delusional you really are.  That's 
just a total load of bullshit.

	This is an open-source project.  It is our goal to share the 
software and all associated information as widely as possible.  We 
have regular jobs, and we go out of our way to volunteer time for 
this project, as opposed to doing something else with our free time. 
And this is how we get abused?

	In this case, all we ask is that if people have security-related 
questions, they should follow the proper procedures -- as outlined in 
FAQ 1.27.  In turn, we will do everything we can to get important 
version and security information out to the broadest possible user 

	And we might be inclined to improve our communications to the 
community if paranoid delusional types (e.g., you) would stop 
browbeating us every five minutes for not having already fixed and 
announced all security issues within the last five minutes.

	Or will the beatings from you continue until our morale improves?

>  There is more to Mailman than just users and developers.  There are
>  those that are responsible for Mailman systems but they aren't the
>  day-to-day admins of the mailing lists.  I think it is totally
>  irresponsible to expect that site admins find out on their own if there
>  are insecurities in the sites they run.  If I am running a Mailman 2.1.6
>  site, I expect to be informed of vulnerabilities and security concerns
>  sometime before 2.1.7 is fully released, not just have to read it in the
>  CHANGES file of 2.1.7.

	So, now you're insisting that we require everyone to register a 
valid working e-mail address with us before they're allowed to 
install Mailman, just so that we can make sure that we force-feed 
them every single brainwave that Barry, Tokio, Mark, or anyone else 
ever has?

	I'm sorry, if you're running Mailman 2.1.6 and you want to be 
informed of issues regarding the software you're running, then you're 
going to have to do a little work of your own.  You're going to have 
to subscribe to the appropriate mailing lists, you're going to have 
to periodically check the FAQ (and other documentation), and you 
should also be actively participating in the community discussions.

	If you want more than that, then you can go find a commercial 
product and pay them to provide what you're looking for.

	This is an open-source project, and we have some limitations on 
our resources.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
