-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Apr 16, 2008, at 12:21 AM, Jim Popovitch wrote:

>
>> I really am faced with only two choices. Commit my fixes to the
>> publicly available source tree so they can be exposed and tested in a
>> wide variety of environments during the beta release phase, which
>> process necessarily also exposes the vulnerabilities that they fix to
>> the world, or sit on my patches and release them untested by others
>> in the final release.
>
> I can appreciate the significance of that situation. I don't know
> that I have a solution other than to ask what does ClamAV or
> SpamAssassin do in similar situations? I believe I shepherded the
> idea, some time ago, of the need for a closed Mailman security team of
> both developers and involved site administrators. I would say if a
> proven trusted group of Mailman site administrators privately
> discussed and tested a security fix, then I would have no problem with
> fixes being committed and released at once. Although a "heads up!"
> would be nice too. ;-)
We have such a closed list, currently consisting of Mark, Tokio and
myself. It's who you get when you contact mailman-[EMAIL PROTECTED]
More volunteers would probably be welcome, especially if they were
devoted to lending the additional help you describe above.

Note too that we don't work in a vacuum. Very often we're working with
vendor-sec to address security issues in a responsible and coordinated
way.

>> [1] Patches for CVE-2008-0564 were made available to those who asked,
>> and a google search will show that some distros have been patched,
>> although Ubuntu for example
>> <https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338> calls
>> it "low" importance.
>
> Well, I gave up running Ubuntu on servers (although I still do on my
> laptop) specifically because I didn't like their approach to things
> like having NetworkManager installed/enabled by default on a Server
> install. ;-)

BTW, it's not our responsibility to do anything other than patch the
Mailman source distribution. We'll work with vendors of course, but
it's really up to them to decide which patches to incorporate and how
to distribute. If you don't want to run from source, you have to trust
your distro vendor to do the right thing.

Fortunately now, you have another option. You could track changes to
the master Bazaar repositories using your own branches. Then you can
decide which of our changes to cherry pick into your own running
servers, and easily merge in your own customization. Nobody's doing it
this way yet afaik, but I think it would work quite well for some
sites.
- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkgGiu8ACgkQ2YZpQepbvXGSUQCeIHdAwKEnUvVJc69B97/2gNgp
GVwAn3bqBbCiXYZ0JxgRkvfUZNUSSvrQ
=7rg6
-----END PGP SIGNATURE-----

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
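The workflow Barry sketches in the last paragraph (a private Bazaar branch tracking the master repository, with individual upstream fixes cherry-picked onto it) worked through as an added shell example. This is not code from the mail or from the Mailman project; the upstream location lp:mailman/2.1, the local path /srv/mailman-site and any revision numbers are assumptions for illustration. It relies only on documented bzr options (branch, merge -c, commit, missing --theirs-only, -d), and has a DRY_RUN switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: keep a site-local Bazaar branch of upstream Mailman and
# cherry-pick only chosen upstream revisions (e.g. security fixes) onto
# it, so the server runs exactly the fixes you have reviewed plus your
# own customisations. Not code from the mail or the Mailman project.
#
# Assumptions (hypothetical): UPSTREAM is the master branch location,
# LOCAL is the site branch, revision numbers come from "bzr log UPSTREAM".
UPSTREAM="${UPSTREAM:-lp:mailman/2.1}"      # assumed upstream branch
LOCAL="${LOCAL:-/srv/mailman-site}"         # assumed local site branch
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands only

# Run a command, or print it when DRY_RUN=1 (lets you audit the plan
# before touching the production checkout).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# First time only: create the private branch that will carry site changes.
init_site_branch() {
    run bzr branch "$UPSTREAM" "$LOCAL"
}

# List upstream revisions the site branch does not carry yet, so fixes can
# be picked one at a time instead of merging everything blindly.
pending_upstream() {
    run bzr missing --theirs-only -d "$LOCAL" "$UPSTREAM"
}

# Cherry-pick a single upstream revision (bzr merge -c REV) into the site
# branch and commit it with a message naming its origin, so "bzr log" on
# the server later shows which upstream fixes are actually deployed.
cherry_pick_rev() {
    rev="$1"
    run bzr merge -c "$rev" "$UPSTREAM" -d "$LOCAL" || return 1
    run bzr commit -m "Cherry-pick upstream r$rev from $UPSTREAM" "$LOCAL"
}

# Cherry-pick several revisions in order, stopping at the first conflict
# so it can be resolved by hand (bzr resolve) before continuing.
cherry_pick_revs() {
    for rev in "$@"; do
        cherry_pick_rev "$rev" || {
            echo "stopped at r$rev: resolve conflicts, commit, re-run" >&2
            return 1
        }
    done
}

# Typical session (revision numbers are made up for the example):
#   DRY_RUN=1 ./track-upstream.sh   # preview
#   init_site_branch
#   pending_upstream
#   cherry_pick_revs 1041 1043
```

Merging a single revision with `-c` brings in only that change; local modifications already committed on the site branch stay put, which is the "merge in your own customization" half of the suggestion. Reviewing `pending_upstream` output before picking is the point at which you decide which upstream changes are security fixes you want on the server.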