[Mailman-Users] Mailman 2.1.10rc1 has been released

[Jim Popovitch]

On Thu, Apr 17, 2008 at 12:07 AM, Stephen J. Turnbull
<stephen at xemacs.org> wrote:
> Barry Warsaw writes:
>
>   > BTW, it's not our responsibility to do anything other than patch the
>   > Mailman source distribution.
>
>  I think you've missed at least part of Jim's point ...
>
>
>   > Then you can decide which of our changes to cherry pick into your
>   > own running servers, and easily merge in your own customization.
>
>  Ayup, I do think you did.  Over his boss's dead body he will ....
>
>  The two points he wants, I think, are
>
>  (1) the certification that comes with an Official Release, and
>
>  (2) Minimal Change (addressing *only* the security issues) from the
>  current Official Stable Release.  Maybe even a patch for the previous
>  O.S.R., since many people give a release a bit of time to shake down.
>
>  *How* those changes get into his installation are (at this point) a
>  secondary concern.
>
>  Jim?

Correct.   Security fixes should be minimal and quick, needing very
little effort/attention by end users (i.e. Mailman operators).   I
would be very trusting and very happy if things like XSS and remote
exploits were handled outside of CVS/SVN, then tested by a core group
of operators to make sure the fixes didn't break other things.  And
then (same day) commits to CVS/SVN and source releases to the market.
 2.1.10.rc1 appears to be more than security fixes, and as such is
held up by language dependencies and other standard release issues.
I think the process needs to change and have security issues handled
outside of normal releases.

And for the record, I would be very willing to help out (i have python
skils), but $DAYJOB legally prevents me from pretty much actively
getting involved.  Further, if I did contribute code, it could open
Mailman up to legal issues.  But, testing, etc, are ok because they
are not IP related.

-Jim P.