On Tue, Apr 15, 2008 at 11:04 PM, Mark Sapiro <[EMAIL PROTECTED]> wrote:
> I appreciate your view Jim, and I was remiss in not making patches for
> 2.1.9 publicly announced and available[1], however, if you don't trust
> my 2.1.10 beta or rc release to be stable enough for production use,
> why would you think my patches for 2.1.9 would be any better?

That's a very interesting, and good, question. From my point of view, which may be different from others', it depends on the situation and the need for patching. For instance, there is more than "./configure" and "make install" involved in a complex setup. Additionally, I have local patches for things that my sites need. Setting all that up takes time, and (on a normal day) if there is soon to be another release I have to pause and judge whether my time is best spent on RC1 or the Final build.

NOTE: I, like most reading this, would devote much greater attention if there were an appearance of urgent need to test specific fixes. For the most part 2.1.10 (to me) appeared to be some behind-the-scenes XSS fixes and nothing more. So, assuming Development had it under control (and by all accounts they did), why would I spend 1 weekend setting up and testing RC1 when the Final would be out in 2 weeks and I would have to do all that effort again?

Now if 2.1.10 were a code-fix release for dying processes, and if my Mailman systems were experiencing dying processes, then my desire to test early and often would be driven by my desire to have a stable install (even at the RC level). However, Mailman 2.1.9 has been very stable for me (THANK YOU), and so I don't know that I have anything to test in the RC that I won't be testing for in the Final.

Hidden in that text is the admission that I trust you (Mark, Barry, etc.) to release 2.1.10 with as few changes from 2.1.9 as necessary. If 2.1.10 were a complete re-write, then obviously my thoughts on this would be different.

For the record, Mark, I would always be willing to at least look at future patches and give you a reasoned response as to whether I could even test them or not.

> I really am faced with only two choices. Commit my fixes to the
> publicly available source tree so they can be exposed and tested in a
> wide variety of environments during the beta release phase, which
> process necessarily also exposes the vulnerabilities that they fix to
> the world, or sit on my patches and release them untested by others in
> the final release.

I can appreciate the significance of that situation. I don't know that I have a solution other than to ask what ClamAV or SpamAssassin do in similar situations. I believe I shepherded the idea, some time ago, of the need for a closed Mailman security team of both developers and involved site administrators. I would say if a proven, trusted group of Mailman site administrators privately discussed and tested a security fix, then I would have no problem with fixes being committed and released at once. Although a "heads up!" would be nice too. ;-)

> [1]Patches for CVE-2008-0564 were made available to those who asked,
> and a google search will show that some distros have been patched,
> although Ubuntu for example
> <https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/199338> calls
> it "low" importance.

Well, I gave up running Ubuntu on servers (although I still do on my laptop) specifically because I didn't like their approach to things like having NetworkManager installed/enabled by default on a Server install. ;-)

-Jim P.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp