>>>>> "Jim" == Jim Popovitch <[EMAIL PROTECTED]> writes:
Jim> She was asking a very important question about something that
Jim> was already public.

What important question? It's an easy to execute exploit (in fact, it occasionally happens due to ordinary mail, that's why it was found and fixed before anybody asked about the DoS aspect) of very low interest to black hats and small threat to a well-run site in most cases. IIRC, it's been discussed on the list (though not as a security threat). The only interesting thing that happened was that somebody sensationalized that problem by labelling it a potential DoS attack. That doesn't make it important, except to Diana and others following that channel. Anybody who hadn't noticed would never notice.

So what is the scenario if Diana posts to mailman-security? She gets an answer and nobody ever notices. And if three people ask on mailman-security? There's a short post to mailman-users, and it ends up in the FAQ, because it's a PITA for the developers to keep answering it. What's wrong with that?

Jim> Are you suggesting that all "Hey, has this been fixed yet"
Jim> questions should be off list and only one-on-one with
Jim> mailman-security?

No, only for those defects that are not going to affect users unless deliberately exploited. For such security "holes", yes, "discuss only with mailman-security" is announced policy.

Jim> er, Right.... (the elitism really shines through Brad).

Please watch your language. "Elitism" means restricting something to a select group because of their personal qualifications. The security policy, and everything Brad has posted on the matter, says discussion about potential exploits should be restricted to those with "need to know", which is defined as "the ability to fix the problem and/or the authority to distribute 'official' fixes." This is a functional, not a personal, qualification.
You're welcome to advocate a different definition of need-to-know, one which includes large numbers of users who cannot contribute code or distribute fixes, but the restrictive one above is the one in common use in the developer community. To my knowledge nobody (in the open source community) likes the implications for information dissemination. I admit that this is my personal interpretation of the discussions that have gone on (in the Mailman community and elsewhere), but it is the best I can come up with and honestly intended. Barry, Tokio, and Mark are welcome to jointly or severally repudiate it. :-)

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can "do" free software business; ask what your business can "do for" free software.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp