However, I also take Chuq's point that all security announcements to this list, and all related mailman mailing lists hosted on python.org, should be made by Barry or one of the other core developers. Even if the information has been publicly released elsewhere, it is not appropriate to post it here unless you are one of those people.


The point I tried to make via private email was this:

Ignoring that Barry's in charge, and Barry should have the say as to when things are announced about Mailman, publishing the data here before Barry was ready to have it published and before the patches and other documentation, you're making the hack widely available before the is distributed.

Yes, it's true that this problem was discussed on a few forums (full disclosure for one), meaning the competent blackhats would know about it and be able to take advantage of it, but the overall distribution of the problem was still quite limited. By choosing to post it to this list, instead of it being a serious issue with limited exposure and risk, it now becomes a serious issue with endemic exposure and risk -- suddenly instead of a few people knowing the hack and being able to take advantage of it, basically anyone interested in Mailman could. And the instructions for how to protect yourself from it weren't final or ready for distribution, much less a patch or the updated release.

To say "it was already out there" is a false justification. It's the equivalent of hearing someone talking about it on a cell phone at Starbucks, and using that as justification for putting it on billboards. It completely changes the dynamics and risks of the exposure, putting sites at risk that otherwise wouldn't have been -- because instead of the clueful blackhats knowing about the problem, now every person on the list does, including all of those technically naive folks who just happen to be pissed off for being kicked off a mailing list and are looking for a way to get back at an admin.

My position is simple (and unchanged): if it's not your project, don't make strategic decisions about it. It was Barry's call. Barry and Toiko were working the issue and trying to get things ready. By having it prematurely disclosed to a wide audience, those plans were screwed, and so were Barry's and Toiko's schedules and lives. That alone is reason enough to not do it, but it also likely caused some sites to get hacked that wouldn't have been, if it'd been handled properly.

Today's premature disclosure was like saying that since the adults lit candles in the evening, it was okay to hand matches to their children. Whatever the best of intentions -- a very bad idea.


------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
