On Thu, Apr 17, 2008 at 12:07 AM, Stephen J. Turnbull <[EMAIL PROTECTED]> wrote:
> Barry Warsaw writes:
>
> > BTW, it's not our responsibility to do anything other than patch the
> > Mailman source distribution.
>
> I think you've missed at least part of Jim's point ...
>
> > Then you can decide which of our changes to cherry pick into your
> > own running servers, and easily merge in your own customization.
>
> Ayup, I do think you did. Over his boss's dead body he will ....
>
> The two points he wants, I think, are
>
> (1) the certification that comes with an Official Release, and
>
> (2) Minimal Change (addressing *only* the security issues) from the
> current Official Stable Release. Maybe even a patch for the previous
> O.S.R., since many people give a release a bit of time to shake down.
>
> *How* those changes get into his installation are (at this point) a
> secondary concern.
>
> Jim?

Correct. Security fixes should be minimal and quick, needing very little effort/attention by end users (i.e. Mailman operators).

I would be very trusting and very happy if things like XSS and remote exploits were handled outside of CVS/SVN, then tested by a core group of operators to make sure the fixes didn't break other things. And then (same day) commits to CVS/SVN and source releases to the market.

2.1.10.rc1 appears to be more than security fixes, and as such is held up by language dependencies and other standard release issues. I think the process needs to change and have security issues handled outside of normal releases.

And for the record, I would be very willing to help out (I have Python skills), but $DAYJOB legally prevents me from pretty much actively getting involved. Further, if I did contribute code, it could open Mailman up to legal issues. But, testing, etc., are ok because they are not IP related.

-Jim P.

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp