Chuq Von Rospach:
> my position is simple (and unchanged): if it's not your project, don't
> make strategic decisions about it.
Unfortunately, the crackers that began to attack Mailman sites in January didn't respect your wishes.

Who has a say in the disclosure of a security bug? The person who discovers it? The bad guy who exploits it? The person who discovers evidence of a break-in? The site administrator who discovers the exploit used by the bad guy? The security team which is contacted by the site administrator? The author who wrote the software? The vendors who make money distributing the product? Site administrators who have been attacked and don't know about it yet? [1] Site administrators who might be attacked in the future?

You're trying to establish something like ownership of security bugs. This might work if all parties cooperate in a process that ensures secrecy (including your users, who might as well switch to different software because they don't trust you, since you're hiding critical bugs from them). It breaks down as soon as someone doesn't play by your rules, as happened in this case.

[1] full-disclosure was not the first mailing list that was attacked.

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org