date:20200827

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Dmitri Maziuk


On 8/27/2020 12:41 PM, Phil Stracchino wrote:

On 2020-08-27 13:15, Rich Kulawiec wrote:

3. Captchas are a worst practice in security and should never be used.
They can be and are defeated at will by any adversary who wants to
trouble themselves to do so.  They're also user-hostile.  There are much
better methods available for protecting Mailman instances from abusers.


I've said for some time that traditional captchas are by now almost a
REVERSE test.  Ability to solve them should be taken as stronger
evidence that you are a bot than that you are a human, because bots are
better at solving them than humans are.

Image-style captchas like reCaptcha are better, but they too have a
shocking oversight:  They do not scale well on increasingly-ubiquitous
high-resolution displays.  I'm currently using a 32" 4K monitor, and
even after zooming the page as far as I can, I still sometimes have to
resort to a magnifying glass to be certain whether I'm seeing a
specified object somewhere in the background of one of the images.


Yay, topic drift.

IME the simple stupid server-side captchas are easy enough to solve and 
will deter 100% of the random bang bots & bad search engines. And the 
reason to use them is the page you're protecting can put non-trivial 
load on the server when triggered. It has nothing to do with security, 
nor bots actively trying to solve the captcha.


But reCaptchas aren't any better at defeating bots. I'm certain you'll 
find at least one cite on that in RISKS and/or DefCon archives. And not 
only as you say, half the images are invisible to the naked eye: I have 
privacy badger and an adblock in my browser, I'm sure you can guess how 
nice those javacrap recaptchas play with that.


Dima
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
   https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Phil Stracchino

On 2020-08-27 13:15, Rich Kulawiec wrote:
> 3. Captchas are a worst practice in security and should never be used.
> They can be and are defeated at will by any adversary who wants to
> trouble themselves to do so.  They're also user-hostile.  There are much
> better methods available for protecting Mailman instances from abusers.

I've said for some time that traditional captchas are by now almost a
REVERSE test.  Ability to solve them should be taken as stronger
evidence that you are a bot than that you are a human, because bots are
better at solving them than humans are.

Image-style captchas like reCaptcha are better, but they too have a
shocking oversight:  They do not scale well on increasingly-ubiquitous
high-resolution displays.  I'm currently using a 32" 4K monitor, and
even after zooming the page as far as I can, I still sometimes have to
resort to a magnifying glass to be certain whether I'm seeing a
specified object somewhere in the background of one of the images.

-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Keith Seyffarth

Phil Stracchino  writes:

> On 2020-08-27 12:30, Mark Sapiro wrote:
>> I'm still not clear on what you (Jim) are really wanting to do. I may be
>> wrong on this, but I don't see any distros picking up new versions of
>> Mailman 2.1 unless they come from some 'official' source and so far, the
>> GNU-Mailman project is the only such source. I'm not even sure that any
>> distros are planning to package Mailman 2.1.34.
>
>
> Currently there is no active ebuild for mailman in Gentoo.  2.1.33 has
> been masked, there is no 2.1.34, and 3.3.0 and 3.3.1 exist but have not
> yet been marked stable or unmasked.  The process of stabilizing a
> mailman3 ebuild is ongoing and I've been monitoring it.

mailman-2.1.34 is avaialble from FreeBSD ports (and probably from pkg as
well). Mailman 3 isn't yet.

-- 


Keith Seyffarth
mailto:w...@weif.net
https://www.weif.net/ - Home of the First Tank Guide!
https://www.rpgcalendar.net/ - the Montana Role-Playing Calendar

http://www.miscon.org/ - Montana's Longest Running Science Fiction Convention
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Dmitri Maziuk

On 8/27/2020 3:27 AM, Stephen J. Turnbull wrote:

Dmitri Maziuk writes:

  > The point was that the argument about MM3 having a long life expectancy
  > "because python 3" is not in any way, shape, or form supported by the
  > history of the python programming language to date.

*chortle* *In Mailman's experience* Python's backward compatibility
record has been an annoyance because it's *too good*.  Much of the
time we were officially supporting *four* 2.x versions, and it would
have been *five* at times except that we were conservative about
supporting the most recent release.  It was almost always trivial to
do so.  This policy of supporting old Python versions was quite
painful at times, preventing us from taking advantage of new Python
features.

Yes, precisely: "feechorz". My point wasn't that MM is having python 
compatibility problem, it was that python has compatibility problem with 
itself.

Although the port of Mailman 3 to Python 3 took a couple of years,
after that we had a spurt of rapid development, because Python 3 is a
much better environment for development of new code, and because str-
is-Unicode-inside made the email package much more reliable.  A lot
(not all, but a lot) of bugs were simply made impossible.  We don't
support as many versions of Python 3 (usually 2-3) because our current
Mailman 3 user population is smaller, biased toward the beta tester
type, and generally more sophisticated.

Yes, exactly. I run stable infrastructure services for not Beta Tester 
types, I want Simple Stupid and Stable.

Beside the point, actually.  There are *many* people supporting MM2
users (including me and Jim P, for two prominent examples).  But the
patch rate has been near zero for *years*, and has definitely *not*
included many of the patches I imagine Jim would want to include.

...

"There is none so blind as he who will not see" what is in the
archives of mailman-users and mailman-developers many times.  Mark
hasn't set a sunset date, but soon he's going to Just Say No.

Well if the patch rate is near zero, then it doesn't matter anyway. And 
yes, I am well aware of the previous discussions on the subject, and of 
the need to DIY spamd.py and SpamAssassin.py and so on. I'll take that 
over a django instance, even containerized, any day.

Dima
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
   https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Keith Seyffarth

> On 8/27/2020 9:54 AM, Phil Stracchino wrote:
>> Currently there is no active ebuild for mailman in Gentoo.  2.1.33 has
>> been masked, there is no 2.1.34, and 3.3.0 and 3.3.1 exist but have not
>> yet been marked stable or unmasked. 
>
> FWIW, FreeBSD 12.1-RELEASE amd64 has 2.1.34 in both the pkg repo and the 
> ports tree. I do not see a MM3 package but didn't look too closely.

I did try to look for MM3 and couldn't find it. I'm sure it's coming,
especially with FreeBSD expiring Python27 and security checks warning
about numerous other items relying on Python27.

-- 

Keith Seyffarth
mailto:w...@weif.net
https://www.weif.net/ - Home of the First Tank Guide!
https://www.rpgcalendar.net/ - the Montana Role-Playing Calendar

http://www.miscon.org/ - Montana's Longest Running Science Fiction Convention
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Rich Kulawiec

On Wed, Aug 26, 2020 at 09:28:30AM -0400, Jim Popovitch via Mailman-Users wrote:
> So, I have volunteered to spearhead an effort to add one or two more
> people to the Mailman Coders group[2] in order to vet and approve new
> features that continue the long tradition of providing value to Mailman
> 2.x.  Who's with me on this?

1. Sure.

2. I'm finishing the book on it anyway, so I might as well. ;)

3. Captchas are a worst practice in security and should never be used.
They can be and are defeated at will by any adversary who wants to
trouble themselves to do so.  They're also user-hostile.  There are much
better methods available for protecting Mailman instances from abusers.

Yes yes I know I just signed myself up to explain those.  This is not
my first time. ;)

4. One of things that I discovered while doing (2) is that Mailman v2.x
expects that it has *outbound* HTTP access.  I need to write this up
so that the problem is understandable/arguable/fixable, but: it's a
really bad idea to presume that's the case, and it's an equally bad
idea to make it the case.

---rsk
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Jim Popovitch via Mailman-Users

On Thu, 2020-08-27 at 10:05 -0700, Mark Sapiro wrote:
> On 8/27/20 3:29 AM, Jim Popovitch via Mailman-Users wrote:
> > There is sooo much to respond to, but in order to stay on focus... 
> > Brian, you fail to identify the problem, in fact you mischaracterized
> > it. Mark is essentially gatekeeping.  He is saying that he wants to
> > continue to control security maintenance of mm2 but he wants any other
> > feature development to be under a different umbrella away from his
> > gatekeeping.
> 
> I am the gatekeeper because the current Mailman 2.1 branch belongs to
> the GNU-Mailman project and I am the only member of that project who is
> doing anything with updating/releasing Mailman 2.1. If I weren't there,
> the gate would be locked.

The phrasing of "the current Mailman 2.1 branch belongs to the GNU-
Mailman project" seems odd.

> > Absolutely not.  We see life in MM2 and want the gatekeepers out of the
> > way.
> 
> We've had this discussion at
> ;. I have
> told you what you need to do to get commit permission to the branch at
> ;, and I assume
> that your initial post in this thread was an effort to get others to
> join you in this. I am sure that I and the other members of the
> GNU-Mailman project will give serious consideration to anything you
> propose, but we haven't seen a proposal yet.

To be honest, I felt your post here
https://code.launchpad.net/~jks/mailman/hcaptcha/+merge/389691/comments/1024988 
was a bit over the top.  You seem to have gone on and on about listing
all the possible things that I would need access to, as though it would
be such an impossibility for the Cabal to approve.  

> Please stop painting me as an obstructionist who wants to kill Mailman
> 2.1. I do not think that's a fair characterization.

I'm not here to judge you, I think your position on Mailman 2.1 is very
clear, and I think my good and thankful opinion of you is well
understood by the readers of this email.

-Jim P.
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Carl Zwanzig


On 8/27/2020 9:54 AM, Phil Stracchino wrote:

Currently there is no active ebuild for mailman in Gentoo.  2.1.33 has
been masked, there is no 2.1.34, and 3.3.0 and 3.3.1 exist but have not
yet been marked stable or unmasked. 


FWIW, FreeBSD 12.1-RELEASE amd64 has 2.1.34 in both the pkg repo and the 
ports tree. I do not see a MM3 package but didn't look too closely.


z!
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
   https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Jim Popovitch via Mailman-Users

On Thu, 2020-08-27 at 09:30 -0700, Mark Sapiro wrote:
> On 8/27/20 3:41 AM, Jim Popovitch via Mailman-Users wrote:
> > On Thu, 2020-08-27 at 17:41 +0900, Stephen J. Turnbull wrote:
> > > The question for you is what benefit there is to anyone in having
> > > Mailman 2 maintenance inside the Mailman Project going forward.  
> > 
> > You mean inside the Mailman3 Project at mailman3.org?  None.
> > 
> > > The Mailman Project certainly doesn't want to encourage new 
> > > installations of Mailman 2.  
> > 
> > Again, Do you mean the Mailman3 Project at mailman3.org and on the MM3-
> > org mailinglists?  If so, fine, move on.
> 
> I think Steve is referring to the GNU-Mailman project which is the group
> of people, always small and continuously evolving, starting with John
> Viega, who've been responsible for the development and maintenance of
> Mailman since it's inception.
> 
> I'm still not clear on what you (Jim) are really wanting to do. 

I want there to be a team, and I'm willing to be a part of it, that sees
merge requests and accepts or rejects them as features for Mailman 2.x
based on their value and suitability (not based on fear of any effect it
will have on mm3).  JUST Like you (Mark) alone did for all of these
merge requests except for the most recent 1:  
https://code.launchpad.net/%7Emailman-coders/mailman/2.1/+merges

> I may be
> wrong on this, but I don't see any distros picking up new versions of
> Mailman 2.1 unless they come from some 'official' source and so far, the
> GNU-Mailman project is the only such source. I'm not even sure that any
> distros are planning to package Mailman 2.1.34.

The distros may not rollout pure mm2.1.34, but they certainly do pick
and choose bits to apply to their maintained version. For example, the
DMARC and other stuff that I contributed wound up in numerous versions
of Mailman as released by distros and their derivatives. 

> I don't think Steve or I is being 'proprietary' about Mailman per se,
> but we are proprietary about the GNU-Mailman project,

To me, they are the same. As you said above, distros aren't going to
pull from un-official sources, so supporting "Mailman" is only relevant
in the context of supporting "GNU-Mailman".

> so the question is
> do Jim and possibly others become part of the GNU-Mailman project and
> continue to maintain the 2.1 branch on Launchpad or wherever and make
> 'official' releases, or do they fork the project and hope that their
> fork becomes the accepted source for Mailman 2.1.x.

I don't know why you think that's a valid question given that you have
stated you have no proprietary interest in Mailman.  I think it would
help everyone if you explained just what you mean by, and any
proprietary items you can identify, when you say "GNU Mailman"

-Jim P.
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Mark Sapiro

On 8/27/20 3:29 AM, Jim Popovitch via Mailman-Users wrote:
> 
> There is sooo much to respond to, but in order to stay on focus... 
> Brian, you fail to identify the problem, in fact you mischaracterized
> it. Mark is essentially gatekeeping.  He is saying that he wants to
> continue to control security maintenance of mm2 but he wants any other
> feature development to be under a different umbrella away from his
> gatekeeping.

I am the gatekeeper because the current Mailman 2.1 branch belongs to
the GNU-Mailman project and I am the only member of that project who is
doing anything with updating/releasing Mailman 2.1. If I weren't there,
the gate would be locked.

> Absolutely not.  We see life in MM2 and want the gatekeepers out of the
> way.

We've had this discussion at
. I have
told you what you need to do to get commit permission to the branch at
, and I assume
that your initial post in this thread was an effort to get others to
join you in this. I am sure that I and the other members of the
GNU-Mailman project will give serious consideration to anything you
propose, but we haven't seen a proposal yet.

Please stop painting me as an obstructionist who wants to kill Mailman
2.1. I do not think that's a fair characterization.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Phil Stracchino

On 2020-08-27 12:30, Mark Sapiro wrote:
> I'm still not clear on what you (Jim) are really wanting to do. I may be
> wrong on this, but I don't see any distros picking up new versions of
> Mailman 2.1 unless they come from some 'official' source and so far, the
> GNU-Mailman project is the only such source. I'm not even sure that any
> distros are planning to package Mailman 2.1.34.


Currently there is no active ebuild for mailman in Gentoo.  2.1.33 has
been masked, there is no 2.1.34, and 3.3.0 and 3.3.1 exist but have not
yet been marked stable or unmasked.  The process of stabilizing a
mailman3 ebuild is ongoing and I've been monitoring it.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Mark Sapiro

On 8/27/20 3:34 AM, Jim Popovitch via Mailman-Users wrote:
> 
> Stephen, just who do you think did the DMARC research and work in MM2? 
> Phil, Mark, care to chime in on this?


The original DMARC mitigation work was contributed by Franck Martin of
LinkedIn and was in Mailman as a site optional feature in Mailman 2.1 16
(16-Oct-2013) prior to Yahoo publishing DMARC p=reject in April of 2014.

The implementation of DNS lookup to enable DMARC mitigations to be
applied conditionally based on the From domain's DMARC policy introduced
in Mailman 2.1.18 (03-May-2014) was contributed by Jim Popovitch and
Phil Pennock

See
.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Mark Sapiro

On 8/27/20 3:41 AM, Jim Popovitch via Mailman-Users wrote:
> On Thu, 2020-08-27 at 17:41 +0900, Stephen J. Turnbull wrote:
>>
>> The question for you is what benefit there is to anyone in having
>> Mailman 2 maintenance inside the Mailman Project going forward.  
> 
> You mean inside the Mailman3 Project at mailman3.org?  None.
> 
>> The Mailman Project certainly doesn't want to encourage new 
>> installations of Mailman 2.  
> 
> Again, Do you mean the Mailman3 Project at mailman3.org and on the MM3-
> org mailinglists?  If so, fine, move on.

I think Steve is referring to the GNU-Mailman project which is the group
of people, always small and continuously evolving, starting with John
Viega, who've been responsible for the development and maintenance of
Mailman since it's inception.

I'm still not clear on what you (Jim) are really wanting to do. I may be
wrong on this, but I don't see any distros picking up new versions of
Mailman 2.1 unless they come from some 'official' source and so far, the
GNU-Mailman project is the only such source. I'm not even sure that any
distros are planning to package Mailman 2.1.34.

I don't think Steve or I is being 'proprietary' about Mailman per se,
but we are proprietary about the GNU-Mailman project, so the question is
do Jim and possibly others become part of the GNU-Mailman project and
continue to maintain the 2.1 branch on Launchpad or wherever and make
'official' releases, or do they fork the project and hope that their
fork becomes the accepted source for Mailman 2.1.x.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Jim Popovitch via Mailman-Users

On Thu, 2020-08-27 at 17:27 +0900, Stephen J. Turnbull wrote:
> MM3, on the other hand, not only has three more or less active
> developers, it also has frequent releases including new features as
> well as bug fixes.

That could still be happening for MM2 if not for some imaginary line in
the sand.

-Jim P.
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Jim Popovitch via Mailman-Users

On Thu, 2020-08-27 at 17:41 +0900, Stephen J. Turnbull wrote:
> 
> The question for you is what benefit there is to anyone in having
> Mailman 2 maintenance inside the Mailman Project going forward.  

You mean inside the Mailman3 Project at mailman3.org?  None.

> The Mailman Project certainly doesn't want to encourage new 
> installations of Mailman 2.  

Again, Do you mean the Mailman3 Project at mailman3.org and on the MM3-
org mailinglists?  If so, fine, move on.

-Jim P.

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Jim Popovitch via Mailman-Users

On Thu, 2020-08-27 at 17:24 +0900, Stephen J. Turnbull wrote:
> Brian Carpenter writes:
>  > On 8/26/20 6:25 PM, Carl Zwanzig wrote:
>  > >
>  > > As someone regularly uses and maintains a fair bit of old and antique 
>  > > machinery, MM2 still has a lot of life in it.
> 
> In particular, MM2 L10N supports a couple dozen languages, including
> the major Han languages and dialects, and I think Hebrew and Arabic.
> MM3 supports English, French, German, and now Italian.
> 
>  > MM2 has some life. That is correct. MM3 has far more.
> 
> Thank you both for your support.  Of course, you're both right. ;-)
> 
> Brian, do you see the presence of lots of MM2 installations around the
> 'net as a threat or irritation for you or your business?  I don't see
> that, but you know your business and I don't.  Or are you taking the
> users' point of view, and arguing that the features of Mailman 3 and
> possible risks to Mailman 2 installations make migration the "right
> thing"?
> 
> The point is that I don't see a lot of direct harm to third parties
> from maintaining existing MM2 installations, if their owners are
> willing to accept the risks that come with an unsupported software
> stack.  I don't disagree that for-profit services that offer these are
> irresponsible, but I don't see how that hurts you or us, given that we
> don't support that stack any more.
> 
>  > That is good as long as no major "DMARC" events come along.
> 
> That's a very good point.  There are major risks to using Internet-
> facing applications that lack an experienced, active development team.
> But that's up to the users to decide, while monitoring just how active
> Jim's team turns out to be.

Again with the "Jim's team".  Those other guys, that other group, them
folks  That's nauseating to hear from you Stephen.

> I think Jim should very much take this to heart, as well as thinking
> about the fact that we get several CVEs a year, which will be his job
> to deal with.  I don't lose sleep over the CVEs (they're all 1s and 2s
> recently, and Mark did almost all the work before I could get started :-),
> but DMARC cost me a lot of sleep.


Stephen, just who do you think did the DMARC research and work in MM2? 
Phil, Mark, care to chime in on this?

-Jim P.


--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Jim Popovitch via Mailman-Users

On Wed, 2020-08-26 at 23:17 -0400, Brian Carpenter wrote:
> 
> I am sure Mark has moved on from Mailman 2, at least he has said that on 
> numerous occasions. It is you folks that won't let him. 

There is sooo much to respond to, but in order to stay on focus... 
Brian, you fail to identify the problem, in fact you mischaracterized
it. Mark is essentially gatekeeping.  He is saying that he wants to
continue to control security maintenance of mm2 but he wants any other
feature development to be under a different umbrella away from his
gatekeeping.

> You want to keep using MM2 and you want the developers to keep
> supporting it. 

Absolutely not.  We see life in MM2 and want the gatekeepers out of the
way.

> That pressure can/does hinder the work on Mailman 3.

That is imaginary or self-contrived pressure.

-Jim P.
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Stephen J. Turnbull

Jim Popovitch via Mailman-Users writes:

 > That, *that* ^^^, is my point.  I want to take that on, I want to
 > work with contributors to commit their vetted and tested patches
 > into the mm2 branch, I've basically been told to go somewhere else
 > to do it.

You have not been told to go elsewhere.  You've been told you're free
to use some of our resources, and I would be happy to include the
Mailman 2 repo among them (it's not mine to give but I would support
it).  We can and should cooperate in many ways, I believe.

But: your goals are nearly disjoint from ours[1], and the work you
propose to do far more limited.  The teams will probably be completely
disjoint, and there probably will be no synergies between them because
of the divergence of the development platforms and the architectures
of the applications.  I want those facts recognized by both teams and
made clear to Mailman users, and I suspect so will other members of
current Mailman core team.

If it turns out that the teams intersect substantially, and/or there
are development or support synergies involved, then I would reconsider
my position.

 > I think who/m ever takes it on should be part of the Mailman Team.

Given the facts stated above, I don't see why.

You *won't* be part of the Mailman small-t team that I'm on, any more
than Brian is part of my team while he develops Affinity.

You're part of the Mailman community, as is Affinity, and as is Brian
in many roles as well as Affinity.  I can speak for Mailman core in
saying we're happy to have you both.  All three projects are rooted in
Mailman 2 (and before that Mailman 1!), and there's a future for all
three.  It's just that the future for Mailman 3 and Affinity is
growth, while the future for Mailman 2 is retirement.  I see your role
as (unavoidably) making that retirement a very graceful one, and
perhaps delaying it by a bit.  But there's no need for coordination
with the forward-looking part of the problem, and several reasons
against.

 > There is absolutely no reason against, and there are certainly
 > several examples for, having 2 or more active development branches
 > in an open source (or closed source for that matter) project.

Jim, you may not know better, but I do.  *I've done that*, in XEmacs
(I have the T-shirt! as project lead) and in Python (as gadfly and
onlooker).  It's painful and distracting for the core development
team, so there are two reasons not to do it for you.

The question for you is what benefit there is to anyone in having
Mailman 2 maintenance inside the Mailman Project going forward.  The
Mailman Project certainly doesn't want to encourage new installations
of Mailman 2.  Encouraging new use of obsolete[2] code definitely was
the effect of maintaining multiple branches of XEmacs and Python
inside their respective projects.

Footnotes: 
[1]  We share wanting Mailman 2 users to be happy.  But as Brian has
forcefully advocated, we believe that in the not-so-long run, the path
to happiness for Mailman 2 users is migration to Mailman 3.

[2]  In the sense of pragmatically unmaintainable in the long run.

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Stephen J. Turnbull

Dmitri Maziuk writes:

 > The point was that the argument about MM3 having a long life expectancy 
 > "because python 3" is not in any way, shape, or form supported by the 
 > history of the python programming language to date.

*chortle* *In Mailman's experience* Python's backward compatibility
record has been an annoyance because it's *too good*.  Much of the
time we were officially supporting *four* 2.x versions, and it would
have been *five* at times except that we were conservative about
supporting the most recent release.  It was almost always trivial to
do so.  This policy of supporting old Python versions was quite
painful at times, preventing us from taking advantage of new Python
features.  The only 2.x backward compatibility issue I can recall that
bit Mailman was the introduction of true Booleans (yeah, that long
ago), and that was easy to fix.  Mark can probably tell a few stories.

Although the port of Mailman 3 to Python 3 took a couple of years,
after that we had a spurt of rapid development, because Python 3 is a
much better environment for development of new code, and because str-
is-Unicode-inside made the email package much more reliable.  A lot
(not all, but a lot) of bugs were simply made impossible.  We don't
support as many versions of Python 3 (usually 2-3) because our current
Mailman 3 user population is smaller, biased toward the beta tester
type, and generally more sophisticated.

 > Arguing that MM3 itself is going to be supported because there's
 > more that just Mark supporting it

Beside the point, actually.  There are *many* people supporting MM2
users (including me and Jim P, for two prominent examples).  But the
patch rate has been near zero for *years*, and has definitely *not*
included many of the patches I imagine Jim would want to include.

MM3, on the other hand, not only has three more or less active
developers, it also has frequent releases including new features as
well as bug fixes.

 > effectively boils down to "Mark will stop patching MM2". That's
 > certainly possible, but maybe we should ask him instead of taking
 > your word for it?

"There is none so blind as he who will not see" what is in the
archives of mailman-users and mailman-developers many times.  Mark
hasn't set a sunset date, but soon he's going to Just Say No.
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

2020-08-27 Thread Stephen J. Turnbull

Brian Carpenter writes:
 > On 8/26/20 6:25 PM, Carl Zwanzig wrote:
 > >
 > > As someone regularly uses and maintains a fair bit of old and antique 
 > > machinery, MM2 still has a lot of life in it.

In particular, MM2 L10N supports a couple dozen languages, including
the major Han languages and dialects, and I think Hebrew and Arabic.
MM3 supports English, French, German, and now Italian.

 > MM2 has some life. That is correct. MM3 has far more.

Thank you both for your support.  Of course, you're both right. ;-)

Brian, do you see the presence of lots of MM2 installations around the
'net as a threat or irritation for you or your business?  I don't see
that, but you know your business and I don't.  Or are you taking the
users' point of view, and arguing that the features of Mailman 3 and
possible risks to Mailman 2 installations make migration the "right
thing"?

The point is that I don't see a lot of direct harm to third parties
from maintaining existing MM2 installations, if their owners are
willing to accept the risks that come with an unsupported software
stack.  I don't disagree that for-profit services that offer these are
irresponsible, but I don't see how that hurts you or us, given that we
don't support that stack any more.

 > That is good as long as no major "DMARC" events come along.

That's a very good point.  There are major risks to using Internet-
facing applications that lack an experienced, active development team.
But that's up to the users to decide, while monitoring just how active
Jim's team turns out to be.

I think Jim should very much take this to heart, as well as thinking
about the fact that we get several CVEs a year, which will be his job
to deal with.  I don't lose sleep over the CVEs (they're all 1s and 2s
recently, and Mark did almost all the work before I could get started :-),
but DMARC cost me a lot of sleep.

 > But I am seeing some complaints pointed at the MM developers for no
 > longer willing to develop MM2.

That's just people blowing off steam, with a few people like Jim
stepping forward and saying they'd like to serve the occasional need
not served by MM2 as is or migration to MM3.  Overall I take it as a
compliment to the Mailman 2 developers, and Jim is a credit to the
community.  I have not seen the bitterness against Mailman 3 that was
directed from several quarters against Python 3, just a lament about
the loss of Mailman 2.

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

[Mailman-Users] Re: mailman v2.x

20 matches

Site Navigation

Mail list logo

Footer information