Jim Popovitch wrote:
>
>Fair enough. Where's the release then?
>
>Look, I know you folks are working hard on this, and I certainly don't
>disrespect that. HOWEVER, the process flow needs some re-thinking.
>You should not publicly release security vulnerability details before
>fixes are identified for current versions. I can't imagine that you
>don't already know that.

I appreciate your view Jim, and I was remiss in not making patches for 2.1.9 publicly announced and available[1]; however, if you don't trust my 2.1.10 beta or rc release to be stable enough for production use, why would you think my patches for 2.1.9 would be any better?

I really am faced with only two choices. Commit my fixes to the publicly available source tree so they can be exposed and tested in a wide variety of environments during the beta release phase, which process necessarily also exposes the vulnerabilities that they fix to the world, or sit on my patches and release them untested by others in the final release.

[1] Patches for CVE-2008-0564 were made available to those who asked, and a Google search will show that some distros have been patched, although Ubuntu for example <https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338> calls it "low" importance.

--
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp