[Mailman-Users] Mailman 2.1.10rc1 has been released

Jim Popovitch yahoo at jimpop.com
Wed Apr 16 06:21:46 CEST 2008

On Tue, Apr 15, 2008 at 11:04 PM, Mark Sapiro <mark at msapiro.net> wrote:
>  I appreciate your view Jim, and I was remiss in not making patches for
>  2.1.9 publicly announced and available[1], however, if you don't trust
>  my 2.1.10 beta or rc release to be stable enough for production use,
>  why would you think my patches for 2.1.9 would be any better?

That's a very interesting, and good, question.  From my point of view,
which may be different from others, it depends on the situation and
need for patching.   For instance, there is more than "./configure"
and "make install" involved in a complex setup.  Additionally, I have
local patches for things that my sites need.   Setting all that up
takes time, and (in a normal day) if there is soon to be another
release I have to pause and judge whether my time is best spent on RC1
or the Final build.  NOTE:  I, like most reading this, would devote
much greater attention if there was an appearance of urgent need to
test specific fixes.  For the most part 2.1.10 (to me) appeared to be
some behind the scenes XSS fixes and nothing more.  So, assuming
Development had it under control (and by all accounts they did), why
would I spend 1 weekend setting up and testing RC1 when the Final
would be out in 2 weeks and I would have to do all that effort again?
Now if 2.1.10 was a code fix release for dying processes, and if my
Mailman systems were experiencing dying processes, then my desire to
test early and often would be driven by my desire to have a stable
install (even at the RC level).  However Mailman 2.1.9 has been very
stable for me (THANK YOU) and so I don't know that I have anything to
test in the RC that I won't be testing for in the Final.  Hidden in
that text is the admission that I trust you (Mark, Barry, etc.) to
release 2.1.10 with as few changes from 2.1.9 as necessary.   If
2.1.10 were a complete re-write, then obviously my thoughts on this
would be different.  For the record, Mark, I would always be willing
to at least look at future patches and give you a reasoned response as
to whether I could even test it or not.

>  I really am faced with only two choices. Commit my fixes to the
>  publicly available source tree so they can be exposed and tested in a
>  wide variety of environments during the beta release phase, which
>  process necessarily also exposes the vulnerabilities that they fix to
>  the world, or sit on my patches and release them untested by others in
>  the final release.

I can appreciate the significance of that situation.  I don't know
that I have a solution other than to ask what does ClamAV or
SpamAssassin do in similar situations?   I believe I shepherded the
idea, some time ago, of the need for a closed Mailman security team of
both developers and involved site administrators.   I would say if a
proven trusted group of Mailman site administrators privately
discussed and tested a security fix, then I would have no problem with
fixes being committed and released at once.  Although a "heads up!"
would be nice too. ;-)

>  [1]Patches for CVE-2008-0564 were made available to those who asked,
>  and a google search will show that some distros have been patched,
>  although Ubuntu for example
>  <https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338> calls
>  it "low" importance.

Well, I gave up running Ubuntu on servers (although I still do on my
laptop) specifically because I didn't like their approach to things
like having NetworkManager installed/enabled by default on a Server
install. ;-)

-Jim P.