Re: Announce missing - in moderation?

2018-09-29 Thread William A Rowe Jr 
On Sat, Sep 29, 2018, 09:25 Daniel Ruggeri  wrote:

> Hi, Bill;
>
>Sure. I've updated the scripts to set the reply-to address and also
> fired a message off to ann@a.o to wrap it up. I didn't change the date
> of the announcement, so hopefully that won't pose a problem.
>

Confirming...

https://lists.apache.org/list.html?annou...@apache.org

   Later I'll commit a change to just send separate emails instead of a
> multi-to message since that seems like the easiest approach.
>

+1!

Thanks for RMing!

Re: Announce missing - in moderation?

2018-09-29 Thread Daniel Ruggeri 
Hi, Bill;

   Sure. I've updated the scripts to set the reply-to address and also
fired a message off to ann@a.o to wrap it up. I didn't change the date
of the announcement, so hopefully that won't pose a problem.

   Later I'll commit a change to just send separate emails instead of a
multi-to message since that seems like the easiest approach.

-- 
Daniel Ruggeri

On 9/28/2018 9:13 PM, William A Rowe Jr wrote:
> Sebb thank you for your analysis!
>
> Two issues; one, the reply-to field of security announcements was set
> to security@, and this is in direct contravention of Apache policy.
> Security@ is exclusively for reporting undisclosed vulnerabilities,
> and all other traffic is ignored. This group of email addresses must
> never be shared without context and usage guidance. Please, never do
> that again.
>
> Two, this announce is still not published to ann@a.o. What is the next
> step to cause this to happen? Daniel, could you use a conventional
> mail agent to wrap this cycle up?
>
>
>
> On Wed, Sep 26, 2018, 18:40 sebb  > wrote:
>
> Also just realised the Message-Id is missing.
>
> Some servers (e.g. GMail) may add it; if they don't it can causes
> issues for mod_mbox and possibly other archivers.
> It also causes problems for mail threading.
> And if the mail is sent to multiple destinations, each generated
> Message-Id will be different.
>
> On 26 September 2018 at 22:04, Noel Butler  > wrote:
>
> On 27/09/2018 05:37, sebb AT ASF wrote:
>
>>
>> I don't know if this is relevant, but the messages don't have
>> a Date: header.
>  
> A  this would be because Daniel used curl to send them
> rather than a sane method :)
>  
>  
>  
>> Also some of the received headers look odd:
>>
>> Received: from Announcement.txt (IP redacted)
>> by mailrelay1-lw-us.apache.org
>>  (ASF Mail Server at
>> mailrelay1-lw-us.apache.org
>> ) with ESMTPSA id redacted
>> for > >; Sat, 22 Sep 2018
>> 11:41:35 + (UTC)
>>
>> and
>>
>> Received: from CVE-2018-11763-h2-dos-by-settings.txt (IP
>> redacted)
>> by mailrelay2-lw-us.apache.org
>>  (ASF Mail Server at
>> mailrelay2-lw-us.apache.org
>> ) with ESMTPSA id redacted
>> for > >; Sat, 22 Sep 2018
>> 11:41:38 + (UTC)
>>
> -- 
>
> Kind Regards,
>
> Noel Butler
>
> This Email, including any attachments, may contain legally
> privileged information, therefore remains confidential and
> subject to copyright protected under international law. You
> may not disseminate, discuss, or reveal, any part, to anyone,
> without the authors express written authority to do so. If you
> are not the intended recipient, please notify the sender then
> delete all copies of this message including attachments,
> immediately. Confidentiality, copyright, and legal privilege
> are not waived or lost by reason of the mistaken delivery of
> this message. Only PDF  and ODF
>  documents
> accepted, please do not send proprietary formatted documents
>
>