[Mailman-Users] any info on this reported exploit?
brad at stop.mail-abuse.org
Mon Jan 30 11:46:18 CET 2006
At 10:11 PM -0500 2006-01-29, Jim Popovitch quoted Stephen J. Turnbull:
>> And if three people ask on mailman-security? There's a short post to
>> mailman-users, and it ends up in the faq, because it's a PITA for the
>> developers to keep answering it.
>> What's wrong with that?
> Nothing, assuming:
> A) Makes it into the FAQ in a timely fashion for it to benefit site
Which it will do -- see Stephen's note above.
> B) There is some means to notify site admins so that they don't
> have to parse through mailman-users to get info on security issues.
We've tried to be good about making important announcements to
the mailman-announce mailing list, but I see that we haven't posted
anything there in a few months. I grant you that we could be better
about making announcements.
> I've been subscribed to mailman-announce for 5+ years. I don't
> recall ever seeing anything such as: "FAQ XYZ has been updated", let
> alone info on potential vulnerabilities that I should be aware of.
If you're asking to be notified every time there is a FAQ update,
then you have absolutely no clue whatsoever what you're asking for --
you have no clue how many times in an hour that I will edit or
re-edit the same FAQ entry, trying to get the language just right.
You have no clue how many times per day that I will create multiple
FAQ entries, or clean up places where people were stupid and asked
questions in the FAQ because the FAQ frequently uses a
question-and-answer format, and they thought that if they asked a
question there that it would be magically answered by someone. And
I'm just one person.
We could be better about making announcements to
mailman-announce, I will grant you that.
> And that is good. Diana's case doesn't seem to meet that measure, yet
> that is the advice Brad gave her.
She was asking a question regarding the security of Mailman, and
she should have followed the instructions in FAQ 1.27.
> Was that an attempt to suppress this
> info from other site admins?
Is your continuous harping on this obviously nonsensical question
an attempt to drive away all other subscribers to this mailing list?
> And how does that apply to Diana's question? Clearly she was inquiring
> about a fixed issue, right? If not, shouldn't the answer given to her
> also be seen by others in similar situations?
She didn't know the issue was fixed until she asked the question.
Therefore, she should have followed proper procedure, as outlined in
When you pick up a gun, do you pull the trigger before you check
to see whether or not it is loaded? If so, would you allow others to
follow that procedure when aiming those guns at your head?
> Well it seems to there are two extremes in the Mailman group of
> interested folks. Those that want to know everything, but don't want
> anyone else to know it.
And now we see just how self-delusional you really are. That's
just a total load of bullshit.
This is an open-source project. It is our goal to share the
software and all associated information as widely as possible. We
have regular jobs, and we go out of our way to volunteer time for
this project, as opposed to doing something else with our free time.
And this is how we get abused?
In this case, all we ask is that if people have security-related
questions, they should follow the proper procedures -- as outlined in
FAQ 1.27. In turn, we will do everything we can to get important
version and security information out to the broadest possible user
And we might be inclined to improve our communications to the
community if paranoid delusional types (e.g., you) would stop
browbeating us every five minutes for not having already fixed and
announced all security issues within the last five minutes.
Or will the beatings from you continue until our morale improves?
> There is more to Mailman than just users and developers. There are
> those that are responsible for Mailman systems but they aren't the
> day-to-day admins of the mailing lists. I think it is totally
> irresponsible to expect that site admins find out on their own if there
> are insecurities in the sites they run. If I am running a Mailman 2.1.6
> site, I expect to be informed of vulnerabilities and security concerns
> sometime before 2.1.7 is fully released, not just have to read it in the
> CHANGES file of 2.1.7.
So, now you're insisting that we require everyone to register a
valid working e-mail address with us before they're allowed to
install Mailman, just so that we can make sure that we force-feed
them every single brainwave that Barry, Tokio, Mark, or anyone else
I'm sorry, if you're running Mailman 2.1.6 and you want to be
informed of issues regarding the software you're running, then you're
going to have to do a little work of your own. You're going to have
to subscribe to the appropriate mailing lists, you're going to have
to periodically check the FAQ (and other documentation), and you
should also be actively participating in the community discussions.
If you want more than that, then you can go find a commercial
product and pay them to provide what you're looking for.
This is an open-source project, and we have some limitations on
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.