[Mailman-Developers] before next release: disable backscatter in default installation

Barry Warsaw barry at list.org
Wed Mar 5 23:54:31 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 5, 2008, at 12:27 AM, Stephen J. Turnbull wrote:

> Cristóbal Palmer writes:
>
>> Even without the original message text a response is a problem.
>
> I agree -- the addresses are too easy to compute and do end up in
> lists that are sold -- and would support consideration of changing the
> defaults as proposed.
>
> But not for 2.1.10.  Changing 2.1.10 is dumb software engineering and
> hysterical policy.
>
> You see, as Jo Rhett points out (apparently without understanding), it
> will have *no noticeable effect* in the short run because *the proposed
> change won't affect existing Mailman installations*, not even those
> that upgrade to 2.1.10.
>
> So the right thing to do is to get 2.1.10 out the door as is, and get
> started on 2.2.  Then you can even discuss shutting off the feature
> in *existing* installations and requiring admins of *existing*
> installations to reactivate the feature if they want it.[1]  That
> would very likely have noticeable effect *much sooner* than the change
> proposed for 2.1.10, and would be much less disruptive.

Mark's the release manager for 2.1, but FWIW I completely agree with  
Stephen about this.  What I would suggest though is that this  
information be put in a prominent place on the wiki.  We have a  
security space with nothing substantial in it, so I suggest we put it  
here.

http://wiki.list.org/display/SEC/Home

This will get much more publicity and community input than in a README  
file.  This is something you can do right now <wink>.

We need to get 2.1.10 out and move on.  I hope Jo, Cristobal, Ian and  
others will help us solve these problems in MM2.2 and 3.0.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkfPJKcACgkQ2YZpQepbvXGicQCeMN5dv4sutxfUfzvL1FHNzZp1
McAAoIGPH+NOxU+nzOrlzV4egzw8EYtg
=d5ci
-----END PGP SIGNATURE-----
