[Mailman-Users] Mailman 2.1.10rc1 has been released

Mark Sapiro mark at msapiro.net
Wed Apr 16 05:04:12 CEST 2008


Jim Popovitch wrote:
>
>Fair enough.  Where's the release then?
>
>Look, I know you folks are working hard on this, and I certainly don't
>disrespect that.  HOWEVER, the process flow needs some re-thinking.
>You should not publicly release security vulnerability details before
>fixes are identified for current versions.  I can't imagine that you
>don't already know that.


I appreciate your view, Jim, and I was remiss in not making patches for
2.1.9 publicly announced and available[1]; however, if you don't trust
my 2.1.10 beta or rc release to be stable enough for production use,
why would you think my patches for 2.1.9 would be any better?

I really am faced with only two choices. Commit my fixes to the
publicly available source tree so they can be exposed and tested in a
wide variety of environments during the beta release phase, which
process necessarily also exposes the vulnerabilities that they fix to
the world, or sit on my patches and release them untested by others in
the final release.


[1] Patches for CVE-2008-0564 were made available to those who asked,
and a Google search will show that some distros have been patched,
although Ubuntu, for example
<https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338>, calls
it "low" importance.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan