[Mailman-Users] Mailman 2.1.10rc1 has been released

Barry Warsaw barry at list.org
Thu Apr 17 01:25:34 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Apr 16, 2008, at 12:21 AM, Jim Popovitch wrote:
>
>> I really am faced with only two choices. Commit my fixes to the
>> publicly available source tree so they can be exposed and tested in a
>> wide variety of environments during the beta release phase, which
>> process necessarily also exposes the vulnerabilities that they fix to
>> the world, or sit on my patches and release them untested by others in
>> the final release.
>
> I can appreciate the significance of that situation.  I don't know
> that I have a solution other than to ask what does ClamAV or
> SpamAssassin do in similar situations?   I believe I shepherded the
> idea, some time ago, of the need for a closed Mailman security team of
> both developers and involved site administrators.   I would say if a
> proven trusted group of Mailman site administrators privately
> discussed and tested a security fix, then I would have no problem with
> fixes being committed and released at once.  Although a "heads up!"
> would be nice too. ;-)

We have such a closed list, currently consisting of Mark, Tokio and
myself.  It's who you get when you contact
mailman-security at python.org.  More volunteers would probably be welcome,
especially if they were devoted to lending the additional help you
describe above.  Note too that we don't work in a vacuum.  Very often
we're working with vendor-sec to address security issues in a
responsible and coordinated way.

>> [1]Patches for CVE-2008-0564 were made available to those who asked,
>> and a google search will show that some distros have been patched,
>> although Ubuntu for example
>> <https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338> calls
>> it "low" importance.
>
> Well, I gave up running Ubuntu on servers (although I still do on my
> laptop) specifically because I didn't like their approach to things
> like having NetworkManager installed/enabled by default on a Server
> install. ;-)

BTW, it's not our responsibility to do anything other than patch the
Mailman source distribution.  We'll work with vendors of course, but
it's really up to them to decide which patches to incorporate and
how to distribute.  If you don't want to run from source, you have to
trust your distro vendor to do the right thing.

Fortunately now, you have another option.  You could track changes to
the master Bazaar repositories using your own branches.  Then you can
decide which of our changes to cherry pick into your own running
servers, and easily merge in your own customization.  Nobody's doing
it this way yet afaik, but I think it would work quite well for some
sites.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkgGiu8ACgkQ2YZpQepbvXGSUQCeIHdAwKEnUvVJc69B97/2gNgp
GVwAn3bqBbCiXYZ0JxgRkvfUZNUSSvrQ
=7rg6
-----END PGP SIGNATURE-----
