[Mailman-Users] Mailman 2.1.10rc1 has been released

Brad Knowles brad at shub-internet.org
Thu Apr 17 06:48:58 CEST 2008

On 4/17/08, Jim Popovitch wrote:

>  I think the process needs to change and have security issues handled
>  outside of normal releases.

Which is what normally happens in the process as it currently exists. 
It's just that, in this particular case, this bug wasn't exposed 
until an earlier 2.1.10b version was released, and then we fixed this 
security hole.

So, in this case, to get the security fix you need to install the 
latest 2.1.10rc (which includes additional functionality), as opposed 
to a patch to a previous 2.1.9 version (which would presumably 
include just the security fix).

To go down the road you suggest would mean that we'd be responsible 
for back-porting all security-only fixes to all previous versions of 
Mailman, as a completely separate release tree from the new 
development work.

Speaking only for myself, this seems to be a significant additional 
amount of work, and I think it's unlikely to happen unless we get a 
lot more resources on this project.  We'd need developers working on 
new code, developers working exclusively on security fixes, and a 
separate Release Engineer whose sole responsibility is to manage the 
process of creating appropriate patch releases as well as sheparding 
the new development releases.

FreeBSD can get away with that, because they've got a lot more people 
working on the project, and a lot more money supporting those people. 
I doubt we're ever going to be in a position to do something like 
that ourselves.  In this project, most people have to wear multiple 
hats, and work on new development, security fixes, and release 
engineering, all at the same time.

>  And for the record, I would be very willing to help out (i have python
>  skils), but $DAYJOB legally prevents me from pretty much actively
>  getting involved.  Further, if I did contribute code, it could open
>  Mailman up to legal issues.  But, testing, etc, are ok because they
>  are not IP related.

You could take over the Release Engineering job, and manage the two 
separate security patch-only releases as well as the new-development 

Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

More information about the Mailman-Users mailing list