From barry at list.org  Fri Jan  2 18:06:56 2009
From: barry at list.org (Barry Warsaw)
Date: Fri, 2 Jan 2009 12:06:56 -0500
Subject: [Mailman-Developers] Mailman 3 and LTMP
Message-ID: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi William,

The Mailman 3 branch is nearly ready for the next alpha release.  I've  
been working on some major structural changes that should make  
development go much faster.

First, I've converted the installation infrastructure over to  
zc.buildout.  This is a easy to use, but powerful way to build and  
deploy Mailman, and it helps manage dependencies in a transparent  
way.  Second, I've converted much, but not all, of the configuration  
system over to lazr.config, which provides a nice way to stack ini- 
style configurations.  For now, you still have to manually edit  
Defaults.py for some things, but I plan on finishing that conversion  
after the next release.

The state of the branch is nearly functional on its own, minus the web  
interface.  This provides a nice platform for integrating MM3 with  
external systems.  I do plan on implementing the REST admin interface  
next.

The one hang up currently is incoming mail.  I think it would simplify  
things if we shipped MM3 with LTMP support out of the box.  William  
has done a lot of work to improve the LMTP server in MM3 and I'd like  
to go about integrating that into the main line.

There are a few problems with William's branch though: lp:~wilunix/ 
mailman/lmtp

First, it seems like the initial revision was not made from a branch  
of the main line, but instead imported into revision 1.  This makes it  
much more difficult to suss out the differences in William's branch,  
especially with tracking the changes to the main branch since then.   
Second, there seems to be a bunch of extraneous files committed in  
William's branch, such as log files and database files.  These clearly  
need to be removed before the branch can be merged.

William, please contact me off-list so that we can address these.   
We'll also need to have a chat about FSF copyright assignments.

Finally, I would like to get input from MTA experts on this list as to  
the best way to integrate the various MTAs with Mailman's LMTP  
server.  Specifically, I'm looking at fixing and improving bin/ 
genaliases for each of the MTAs.  I've looked at Postfix's  
documentation, but sadly to me it seems quite lacking as to best  
recommendations.  I know Exim and Sendmail support LTMP, but I don't  
have as much experience with hooking them up.

If you have input on the best way to connect Mailman and an MTA via  
LMTP, please add it to this page: http://wiki.list.org/display/DEV/LMTP+process 
  and follow up to this message.

Thanks and Happy New Year.
- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkleSbAACgkQ2YZpQepbvXG+PgCeI4eVhv+mVppcVkz+0iG280j0
GXUAoK97Q1VtodePjaNaBMB6PzP//9U+
=EOD1
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Fri Jan  2 23:44:57 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Fri, 2 Jan 2009 23:44:57 +0100
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
Message-ID: <20090102224456.GA28144@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> Finally, I would like to get input from MTA experts on this list as to  
> the best way to integrate the various MTAs with Mailman's LMTP server.  
> Specifically, I'm looking at fixing and improving bin/genaliases for each 
> of the MTAs.  I've looked at Postfix's documentation, but sadly to me it 
> seems quite lacking as to best recommendations.  I know Exim and Sendmail 
> support LTMP, but I don't have as much experience with hooking them up.
>
> If you have input on the best way to connect Mailman and an MTA via  
> LMTP, please add it to this page: 
> http://wiki.list.org/display/DEV/LMTP+process and follow up to this 
> message.

I've added a draft for Postfix. There's the one or the other bit I'd like to
add, but basically it should be okay.

p at rick


From barry at list.org  Sat Jan  3 05:42:04 2009
From: barry at list.org (Barry Warsaw)
Date: Fri, 2 Jan 2009 23:42:04 -0500
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <20090102224456.GA28144@state-of-mind.de>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
Message-ID: <B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 2, 2009, at 5:44 PM, Patrick Ben Koetter wrote:

> * Barry Warsaw <barry at list.org>:
>> Finally, I would like to get input from MTA experts on this list as  
>> to
>> the best way to integrate the various MTAs with Mailman's LMTP  
>> server.
>> Specifically, I'm looking at fixing and improving bin/genaliases  
>> for each
>> of the MTAs.  I've looked at Postfix's documentation, but sadly to  
>> me it
>> seems quite lacking as to best recommendations.  I know Exim and  
>> Sendmail
>> support LTMP, but I don't have as much experience with hooking them  
>> up.
>>
>> If you have input on the best way to connect Mailman and an MTA via
>> LMTP, please add it to this page:
>> http://wiki.list.org/display/DEV/LMTP+process and follow up to this
>> message.
>
> I've added a draft for Postfix. There's the one or the other bit I'd  
> like to
> add, but basically it should be okay.

Thanks Patrick.  I think there's one other configuration variable that  
needs to be set. Please see the comment on the wiki page.  I believe I  
have this working now.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkle7JwACgkQ2YZpQepbvXHUwgCfTYf3j1zRdLZq4zlsqPfJzqqA
bvYAoLQFr39YjVmTXLH9LQFl92br7ne2
=E8wh
-----END PGP SIGNATURE-----

From barry at list.org  Sat Jan  3 20:15:42 2009
From: barry at list.org (Barry Warsaw)
Date: Sat, 3 Jan 2009 14:15:42 -0500
Subject: [Mailman-Developers] ANNOUNCE: GNU Mailman 3.0a2 (Grand Designs)
Message-ID: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Mailpersons,

I'm happy to announce the availability of GNU Mailman version 3.0  
alpha 2, code name "Grand Designs".

Of course, this is still an alpha snapshot and not suitable for  
production systems, however there is a lot of good functional stuff in  
this release that is worthy of a look.  Because this is still alpha  
software, you can have a big influence on where the code goes from  
here.  I'm especially interested in feedback from integrators, and I  
welcome your contribution.

Mailman 3.0 alpha 2 should be functional enough to create mailing  
lists, connect them to your MTA, add and remove members, and send  
email to those lists.  Incoming mail integration is currently only  
supported for Postfix via LMTP; contributions for other MTAs and  
incoming mechanisms are welcome.  The web interface is still not  
functional, so for now you have to interact with Mailman via the  
command line.

Please feel free to discuss Mailman 3 development on the mailman- 
developers mailing list.  You can submit branches and bugs to the  
Launchpad bug tracker at https://bugs.launchpad.net/mailman

For detailed information on 3.0a2, please read docs/ALPHA.txt.  This  
file explains how to build Mailman and run the test suite.  The docs/ 
NEWS.txt file contains high level descriptions of what's changed since  
3.0a1.  Most notably are the new configuration system, the better test  
suite and installation process, and the new LMTP support.  Mailman 3  
also contains extensive doctests which explain how certain subsystems  
work.

Please note that Python 2.6 is required.

You can download the tarball either from the Cheeseshop or from  
Launchpad.  An egg is available on the Cheeseshop.  See:

http://pypi.python.org/pypi/mailman/3.0.0a2
https://launchpad.net/mailman/+download

for details.

I hope you find this second snapshot useful and encouraging.  Please  
participate!

Enjoy,
B.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAklfuV8ACgkQ2YZpQepbvXGRzACeLPvX9eeaPj4x9viw6qZqxgUA
sawAn0iDsOHBMM6+RzfUJSQX9RORZTy/
=tTMG
-----END PGP SIGNATURE-----

From mark at msapiro.net  Sat Jan  3 20:51:38 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 3 Jan 2009 11:51:38 -0800
Subject: [Mailman-Developers] Mailman 2.x Roadmap
Message-ID: <PC187020090103115138045396e273ab@msapiro>

Barry has been making wonderful progress with Mailman 3.0 and has just
announced the second alpha release.

This may leave some of you wondering what's happening with the Mailman
2.x series, so this note is for all interested Mailman users,
developers and translators to give an idea of what to expect in
Mailman 2.x in the coming months.

Within the next few days, I plan to release Mailman 2.1.12rc1. This
release contains several minor bug fixes since 2.1.11 and is updated
for compatibility with Python 2.6. It will not work with Python older
than 2.4.

In the absence of "show stopping" bugs, the only changes between this
and the final 2.1.12 release will be translation updates. I expect to
release the final by the end of January.

After January, my focus will be on Mailman 2.2. This branch was
originally intended to be an overhaul of Mailman's GUI, but that work
is stalled and will be deferred to Mailman 2.3 or 3.0. The focus of
Mailman 2.2 will be ongoing maintenance of the 2.x series and several
small new features that have not been added in the 2.1 branch because
of i18n considerations.

I hope to be able to release a 2.2 beta before the end of March, 2009.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From p at state-of-mind.de  Sun Jan  4 00:00:24 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Sun, 4 Jan 2009 00:00:24 +0100
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
	<B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
Message-ID: <20090103230024.GA2218@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
>> * Barry Warsaw <barry at list.org>:
>>> Finally, I would like to get input from MTA experts on this list as  to
>>> the best way to integrate the various MTAs with Mailman's LMTP  server.
>>> Specifically, I'm looking at fixing and improving bin/genaliases for each
>>> of the MTAs.  I've looked at Postfix's documentation, but sadly to  me it
>>> seems quite lacking as to best recommendations.  I know Exim and  Sendmail
>>> support LTMP, but I don't have as much experience with hooking them  up.
>>>
>>> If you have input on the best way to connect Mailman and an MTA via LMTP,
>>> please add it to this page: http://wiki.list.org/display/DEV/LMTP+process
>>> and follow up to this message.
>>
>> I've added a draft for Postfix. There's the one or the other bit I'd  
>> like to add, but basically it should be okay.
>
> Thanks Patrick.  I think there's one other configuration variable that
> needs to be set. Please see the comment on the wiki page.  I believe I  
> have this working now.

Yes. I've added additional subsections. Your configuration example excludes
local recipients listed in $alias_maps and /etc/passwd. On purpose?

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563

From adam-mailman at amyl.org.uk  Sat Jan  3 23:16:29 2009
From: adam-mailman at amyl.org.uk (Adam McGreggor)
Date: Sat, 3 Jan 2009 22:16:29 +0000
Subject: [Mailman-Developers] [Mailman-Users] ANNOUNCE: GNU Mailman
	3.0a2 (Grand Designs)
In-Reply-To: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
References: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
Message-ID: <20090103221629.GT18966@amyl.org.uk>

On Sat, Jan 03, 2009 at 02:15:42PM -0500, Barry Warsaw wrote:
> Because this is still alpha software, you can have a big influence on
> where the code goes from here.  I'm especially interested in feedback
> from integrators, and I welcome your contribution.

[...]

> Please feel free to discuss Mailman 3 development on the mailman-
> developers mailing list.  You can submit branches and bugs to the
> Launchpad bug tracker at https://bugs.launchpad.net/mailman

Looks like the preference for feature requests (going by launchpad, and
the list archive) is here...

in which case, I'm wondering how possible it would be for something
along the lines of the following to be implemented (my python is
ridiculously lousy; were I to write something like this, it would
probably be a webform, some perl, mysql, cron, and bash interacting 
with add_members (i'm not really pro the idea of piping things to 
wrappers, as has been mooted in the past on -users &c).

Here's the proposal --

    I'd like a third level of password authentication to be 
    added to allow those with said password to be able to 
    access the 'subscribe members' web form 
    (admin/foo/members/add, currently), and that alone: 
    *without* being able to see the existing list of list-members, 
    and for tertiary-admin actions (for lack of better phrase) to 
    be logged in the usual fashion.

Perhaps a little explanation, we in this case is a privacy campaign, and
we'd like our local-level co-ordinators to be able to add the email
addresses of their local supporters to their lists, but not

    (a) change any of the settings, or
    (b) see the list of subscribers once inputted.

The hopeful outcome will be that we can let these local-co-ords do this,
via an "official" mechanism, rather than home-bru. It's safe to assume
that the email addressess have been given in good faith, and consent to
be subscribed has been given.

Behind the scenes, it would be useful if unable to subscribe
notifications were sent to $LIST-OWNER (or just logged), but 
for only non-validating addys to be printed on-screen (quite often 
we see no SLD/TLD), with a note along the lines "for privacy reasons,
we're only going to tell you of the successes" when the password is 
that of the 3ry-user (but the admin user gets to see all, as current)

What would also be nice is for something like bin/change_pw to
handle the password creation/modification, and to mail the 
3ry-admin with the password and URI, along with some other 
(template) blurb.

Any thoughts? Would this be possible to build? Could it be included.
please?

From thijs at debian.org  Sun Jan  4 15:04:11 2009
From: thijs at debian.org (Thijs Kinkhorst)
Date: Sun, 4 Jan 2009 15:04:11 +0100
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <PC187020090103115138045396e273ab@msapiro>
References: <PC187020090103115138045396e273ab@msapiro>
Message-ID: <200901041504.14490.thijs@debian.org>

Hi Mark,

On Saturday 3 January 2009 20:51, Mark Sapiro wrote:
> Within the next few days, I plan to release Mailman 2.1.12rc1. This
> release contains several minor bug fixes since 2.1.11 and is updated
> for compatibility with Python 2.6. It will not work with Python older
> than 2.4.

With regard to bugfixes for the 2.1.x branch, you may be interested in the 
patches that Debian has made to the mailman package in our distribution. You 
can find them all here under the '"series" style patches'-header:
http://patch-tracking.debian.net/package/mailman/1:2.1.11-8

Of course some are only useful for Debian, some already applied in your 
branch, but perhaps there are some useful bits there you may want to take for 
2.1.12.


cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20090104/c6da4cac/attachment.pgp>

From barry at list.org  Sun Jan  4 23:21:03 2009
From: barry at list.org (Barry Warsaw)
Date: Sun, 4 Jan 2009 17:21:03 -0500
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <20090103230024.GA2218@state-of-mind.de>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
	<B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
	<20090103230024.GA2218@state-of-mind.de>
Message-ID: <20090104172103.2846298c@resist.wooz.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 04, 2009, at 12:00 AM, Patrick Ben Koetter wrote:

>* Barry Warsaw <barry at list.org>:

>> Thanks Patrick.  I think there's one other configuration variable that
>> needs to be set. Please see the comment on the wiki page.  I believe I  
>> have this working now.
>
>Yes. I've added additional subsections. Your configuration example excludes
>local recipients listed in $alias_maps and /etc/passwd. On purpose?

Nope, it's just the minimum of what I needed to get my test environment
working.  Thanks for the additional sections, they're perfect.

- -Barry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklhNk8ACgkQ2YZpQepbvXEwRwCdGRDKjJ1Rj/CapPzXwekHby3a
s9YAoIIU7M6COiasb0avOBdasd8ObO88
=FenV
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Mon Jan  5 00:58:45 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Mon, 5 Jan 2009 00:58:45 +0100
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <20090104172103.2846298c@resist.wooz.org>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
	<B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
	<20090103230024.GA2218@state-of-mind.de>
	<20090104172103.2846298c@resist.wooz.org>
Message-ID: <20090104235845.GC8986@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> On Jan 04, 2009, at 12:00 AM, Patrick Ben Koetter wrote:
> 
> >* Barry Warsaw <barry at list.org>:
> 
> >> Thanks Patrick.  I think there's one other configuration variable that
> >> needs to be set. Please see the comment on the wiki page.  I believe I  
> >> have this working now.
> >
> >Yes. I've added additional subsections. Your configuration example excludes
> >local recipients listed in $alias_maps and /etc/passwd. On purpose?
> 
> Nope, it's just the minimum of what I needed to get my test environment
> working.  Thanks for the additional sections, they're perfect.

Thanks. Minor bug fix in the docco, though. Destination syntax for lmtp
targets in the transport table requires a fourth parameter: service type.

I haven't had time to install and test the mm3 LMTP server, yet. Will the
server accept TCP connections only or UNIX domains sockets as well? If it can
do the latter too, I'd add a configuration example to the wiki.

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563

From barry at list.org  Mon Jan  5 01:15:38 2009
From: barry at list.org (Barry Warsaw)
Date: Sun, 4 Jan 2009 19:15:38 -0500
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <20090104235845.GC8986@state-of-mind.de>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
	<B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
	<20090103230024.GA2218@state-of-mind.de>
	<20090104172103.2846298c@resist.wooz.org>
	<20090104235845.GC8986@state-of-mind.de>
Message-ID: <20090104191538.1fc2edd8@resist.wooz.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 05, 2009, at 12:58 AM, Patrick Ben Koetter wrote:

>Thanks. Minor bug fix in the docco, though. Destination syntax for lmtp
>targets in the transport table requires a fourth parameter: service type.

I'm not sure it requires it; I saw that in the Postfix documentation, but my
current genaliases implementation doesn't write the 'inet' argument.  It still
seems to work.  Better to be correct though, so I'll fix that.

>I haven't had time to install and test the mm3 LMTP server, yet. Will the
>server accept TCP connections only or UNIX domains sockets as well? If it can
>do the latter too, I'd add a configuration example to the wiki.

Currently, the lmtp qrunner only listens to TCP connection (configurable, but
localhost by default).  I haven't looked in detail at William Mead's version
though.

Another thing that's cool about LMTP delivery: it sure is fast. :)

- -Barry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklhUSoACgkQ2YZpQepbvXHUcwCeNeoLPfGNpP0a3VStVgZ/qFJA
P34An0DwulweQxDpOtkDE7IyFHMJn/j5
=rBV7
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Mon Jan  5 01:29:04 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Mon, 5 Jan 2009 01:29:04 +0100
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <20090104191538.1fc2edd8@resist.wooz.org>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
	<B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
	<20090103230024.GA2218@state-of-mind.de>
	<20090104172103.2846298c@resist.wooz.org>
	<20090104235845.GC8986@state-of-mind.de>
	<20090104191538.1fc2edd8@resist.wooz.org>
Message-ID: <20090105002904.GA10157@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Jan 05, 2009, at 12:58 AM, Patrick Ben Koetter wrote:
> 
> >Thanks. Minor bug fix in the docco, though. Destination syntax for lmtp
> >targets in the transport table requires a fourth parameter: service type.
> 
> I'm not sure it requires it; I saw that in the Postfix documentation, but my
> current genaliases implementation doesn't write the 'inet' argument.  It still
> seems to work.  Better to be correct though, so I'll fix that.

Victor pointed it out on the Postfix mailing list. It's probably better to be
on the precise side in this case. In case you want to do more reading, take a
look at lmtp(8).


> >I haven't had time to install and test the mm3 LMTP server, yet. Will the
> >server accept TCP connections only or UNIX domains sockets as well? If it can
> >do the latter too, I'd add a configuration example to the wiki.
> 
> Currently, the lmtp qrunner only listens to TCP connection (configurable, but
> localhost by default).  I haven't looked in detail at William Mead's version
> though.
> 
> Another thing that's cool about LMTP delivery: it sure is fast. :)

Definitely faster than the current pipe command. :)

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563

From pabs at debian.org  Mon Jan  5 04:50:52 2009
From: pabs at debian.org (Paul Wise)
Date: Mon, 5 Jan 2009 12:50:52 +0900
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <200901041504.14490.thijs@debian.org>
References: <PC187020090103115138045396e273ab@msapiro>
	<200901041504.14490.thijs@debian.org>
Message-ID: <e13a36b30901041950n6530114j141dc08e9eeb1638@mail.gmail.com>

On Sun, Jan 4, 2009 at 11:04 PM, Thijs Kinkhorst <thijs at debian.org> wrote:

> On Saturday 3 January 2009 20:51, Mark Sapiro wrote:
>> Within the next few days, I plan to release Mailman 2.1.12rc1. This
>> release contains several minor bug fixes since 2.1.11 and is updated
>> for compatibility with Python 2.6. It will not work with Python older
>> than 2.4.
>
> With regard to bugfixes for the 2.1.x branch, you may be interested in the
> patches that Debian has made to the mailman package in our distribution. You
> can find them all here under the '"series" style patches'-header:
> http://patch-tracking.debian.net/package/mailman/1:2.1.11-8
>
> Of course some are only useful for Debian, some already applied in your
> branch, but perhaps there are some useful bits there you may want to take for
> 2.1.12.

In addition to those, there is the Indymedia patch set:

http://lists.indymedia.org/patches.tar.gz (against 2.1.10)
http://lists.indymedia.org/patches/ (in use)

Many of those will only be useful for Indymedia (especially the msgid
stuff) or only appropriate for the 2.2 branch.

I also went through the output of 'whohas mailman' and found the
following distros with patches:

http://trac.macports.org/browser/trunk/dports/mail/mailman/files
http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/mailman/files/
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-mail/mailman/files/
http://packages.opensuse-community.org/listcontents.jsp?checksum=77aa4ba3b6618d256638c4cf28a0305d7062dc7e&distro=openSUSE_110

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

From iane at sussex.ac.uk  Mon Jan  5 12:03:56 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Mon, 05 Jan 2009 11:03:56 +0000
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
Message-ID: <965FF7758F2DE4866C1B65CE@lewes.staff.uscs.susx.ac.uk>

Hi,

William's internship has finished here, so I think I'd better pick up this 
thread - if that's OK with you, William. I'll mail you off list about your 
two questions.


I've added a note to the docs about Exim's callout features. They allow 
Exim to determine not only whether the list exists, but whether the list 
will accept mail from the current sender - before accepting the message for 
delivery. I'll fill in the details later.

--On 2 January 2009 12:06:56 -0500 Barry Warsaw <barry at list.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi William,
>
> The Mailman 3 branch is nearly ready for the next alpha release.  I've
> been working on some major structural changes that should make
> development go much faster.
>
> First, I've converted the installation infrastructure over to
> zc.buildout.  This is a easy to use, but powerful way to build and deploy
> Mailman, and it helps manage dependencies in a transparent way.  Second,
> I've converted much, but not all, of the configuration system over to
> lazr.config, which provides a nice way to stack ini-style configurations.
> For now, you still have to manually edit Defaults.py for some things, but
> I plan on finishing that conversion after the next release.
>
> The state of the branch is nearly functional on its own, minus the web
> interface.  This provides a nice platform for integrating MM3 with
> external systems.  I do plan on implementing the REST admin interface
> next.
>
> The one hang up currently is incoming mail.  I think it would simplify
> things if we shipped MM3 with LTMP support out of the box.  William has
> done a lot of work to improve the LMTP server in MM3 and I'd like to go
> about integrating that into the main line.
>
> There are a few problems with William's branch though:
> lp:~wilunix/mailman/lmtp
>
> First, it seems like the initial revision was not made from a branch of
> the main line, but instead imported into revision 1.  This makes it much
> more difficult to suss out the differences in William's branch,
> especially with tracking the changes to the main branch since then.
> Second, there seems to be a bunch of extraneous files committed in
> William's branch, such as log files and database files.  These clearly
> need to be removed before the branch can be merged.
>
> William, please contact me off-list so that we can address these.  We'll
> also need to have a chat about FSF copyright assignments.
>
> Finally, I would like to get input from MTA experts on this list as to
> the best way to integrate the various MTAs with Mailman's LMTP server.
> Specifically, I'm looking at fixing and improving bin/genaliases for each
> of the MTAs.  I've looked at Postfix's documentation, but sadly to me it
> seems quite lacking as to best recommendations.  I know Exim and Sendmail
> support LTMP, but I don't have as much experience with hooking them up.
>
> If you have input on the best way to connect Mailman and an MTA via LMTP,
> please add it to this page: http://wiki.list.org/display/DEV/LMTP+process
> and follow up to this message.
>
> Thanks and Happy New Year.
> - -Barry
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
>
> iEYEARECAAYFAkleSbAACgkQ2YZpQepbvXG+PgCeI4eVhv+mVppcVkz+0iG280j0
> GXUAoK97Q1VtodePjaNaBMB6PzP//9U+
> =EOD1
> -----END PGP SIGNATURE-----



-- 
Ian Eiloart
IT Services, University of Sussex
x3148

From srf at sanger.ac.uk  Mon Jan  5 11:09:53 2009
From: srf at sanger.ac.uk (Simon Fraser)
Date: Mon, 05 Jan 2009 10:09:53 +0000
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
Message-ID: <1231150193.22884.11.camel@where.dynamic.sanger.ac.uk>

On Fri, 2009-01-02 at 12:06 -0500, Barry Warsaw wrote:

> Finally, I would like to get input from MTA experts on this list as to  
> the best way to integrate the various MTAs with Mailman's LMTP  
> server.  Specifically, I'm looking at fixing and improving bin/ 
> genaliases for each of the MTAs.  I've looked at Postfix's  
> documentation, but sadly to me it seems quite lacking as to best  
> recommendations.  I know Exim and Sendmail support LTMP, but I don't  
> have as much experience with hooking them up.

I use Exim's LMTP support over unix domain sockets, so I've added a few
notes about it on the wiki page you mention. 

With regards genaliases and exim, I'd imagine that most users are happy
with the current genaliases output, as for non-lmtp connections it can
be used directly, or simply the existence of a line can be tested. 

I must confess, I don't use it at all, since Mailman runs on the same
node as Exim, I check directly for the list's existence by looking for
its directory, and use a generic transport that copes with the suffix.

Simon.



-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

From eazevedo at bsd.com.br  Mon Jan  5 14:04:33 2009
From: eazevedo at bsd.com.br (Edilson Azevedo)
Date: Mon, 5 Jan 2009 11:04:33 -0200
Subject: [Mailman-Developers] Doubt about security
Message-ID: <34729cd70901050504l4083dbfesce80f1704a8a502c@mail.gmail.com>

Hi Developers! I've a question:

 Why in all lists sites that I look, the "Admin Links" is open? Worst: Why
(inside the Admin Links) the link "create a new mailing list" is open?
Anyone in anywhere can to try until discover the Admin password??

 My doubt is: Why those links are open to world? I think that it's very
insecure, or not?!?


Thanks folks!!!

-- 

Edilson Azevedo
Mail / Gtalk: eazevedo at bsd.com.br

From barry at list.org  Mon Jan  5 14:53:35 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 5 Jan 2009 08:53:35 -0500
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <34729cd70901050504l4083dbfesce80f1704a8a502c@mail.gmail.com>
References: <34729cd70901050504l4083dbfesce80f1704a8a502c@mail.gmail.com>
Message-ID: <36D8B7F1-C822-4F9C-898F-45AF06229170@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 8:04 AM, Edilson Azevedo wrote:

> Hi Developers! I've a question:
>
> Why in all lists sites that I look, the "Admin Links" is open?  
> Worst: Why
> (inside the Admin Links) the link "create a new mailing list" is open?
> Anyone in anywhere can to try until discover the Admin password??
>
> My doubt is: Why those links are open to world? I think that it's very
> insecure, or not?!?

Really?  Those links should always be behind a login screen.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliEN8ACgkQ2YZpQepbvXEk3gCfZEX4GJ5blkATZDZHxlbMnQlw
p+gAnjSD4Gmrh+By/YGYl3QgBwiSRa1K
=fJV0
-----END PGP SIGNATURE-----

From eazevedo at bsd.com.br  Mon Jan  5 15:12:32 2009
From: eazevedo at bsd.com.br (Edilson Azevedo)
Date: Mon, 5 Jan 2009 12:12:32 -0200
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <36D8B7F1-C822-4F9C-898F-45AF06229170@list.org>
References: <34729cd70901050504l4083dbfesce80f1704a8a502c@mail.gmail.com>
	<36D8B7F1-C822-4F9C-898F-45AF06229170@list.org>
Message-ID: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>

Hi Barry and Thank to answer!

 You said "should". But in 95% of the lists that I look, those links are
always open. An random example: The official MailMan mailing list. Follow my
steps:

1 - Open this link: http://mail.python.org/mailman/admin

2 - After, click in "create a new mailing list"

3 - You can try to create a new list until discover the corret password (if
you don't know). But, if you dont know the password, you can try to use a
bruteforce. They are very easy to find and very, very, very easy to use.
Sometimes they work very well.. hehehe.


Again: Anyone in anywhere can try to create a new list. It's correct??!!

Thanks Barry!!!

P.S.: Try those same steps in othes Mailing Lists Sites. Always work!


On Mon, Jan 5, 2009 at 11:53 AM, Barry Warsaw <barry at list.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jan 5, 2009, at 8:04 AM, Edilson Azevedo wrote:
>
>  Hi Developers! I've a question:
>>
>> Why in all lists sites that I look, the "Admin Links" is open? Worst: Why
>> (inside the Admin Links) the link "create a new mailing list" is open?
>> Anyone in anywhere can to try until discover the Admin password??
>>
>> My doubt is: Why those links are open to world? I think that it's very
>> insecure, or not?!?
>>
>
> Really?  Those links should always be behind a login screen.
>
> - -Barry
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
>
> iEYEARECAAYFAkliEN8ACgkQ2YZpQepbvXEk3gCfZEX4GJ5blkATZDZHxlbMnQlw
> p+gAnjSD4Gmrh+By/YGYl3QgBwiSRa1K
> =fJV0
> -----END PGP SIGNATURE-----
>



-- 
Atenciosamente,

Edilson Azevedo
(19) 3787-3312
(12) 8156-5590
Mail / Gtalk: eazevedo at bsd.com.br

From danm at prime.gushi.org  Mon Jan  5 15:34:47 2009
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Mon, 5 Jan 2009 09:34:47 -0500 (EST)
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
References: <34729cd70901050504l4083dbfesce80f1704a8a502c@mail.gmail.com>
	<36D8B7F1-C822-4F9C-898F-45AF06229170@list.org>
	<34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
Message-ID: <alpine.BSF.2.00.0901050931560.79978@prime.gushi.org>

On Mon, 5 Jan 2009, Edilson Azevedo wrote:

> Hi Barry and Thank to answer!
>
> You said "should". But in 95% of the lists that I look, those links are
> always open. An random example: The official MailMan mailing list. Follow my
> steps:
>
> 1 - Open this link: http://mail.python.org/mailman/admin
>
> 2 - After, click in "create a new mailing list"
>
> 3 - You can try to create a new list until discover the corret password (if
> you don't know). But, if you dont know the password, you can try to use a
> bruteforce. They are very easy to find and very, very, very easy to use.
> Sometimes they work very well.. hehehe.
>
>
> Again: Anyone in anywhere can try to create a new list. It's correct??!!
>
> Thanks Barry!!!
>
> P.S.: Try those same steps in othes Mailing Lists Sites. Always work!

Allow me to chime in and ask how this would be different if the form were 
behind a login screen?  Or any form at all?  You can "brute force" any 
screen in mailman and afaik there's no timeout or backoff interval.

I see this as a non-issue, personally, but I do think it looks bad, and 
think that screen should in a perfect world only be shown ONLY if there is 
a "list creator" password with no other privileges (but then, if that was 
the behavior, it would leak that fact).

Just my 0.02.

-Dan


From mark at msapiro.net  Mon Jan  5 17:09:25 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 5 Jan 2009 08:09:25 -0800
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <e13a36b30901041950n6530114j141dc08e9eeb1638@mail.gmail.com>
Message-ID: <PC18702009010508092507504200fe87@msapiro>

Paul Wise wrote:
>
>In addition to those, there is the Indymedia patch set:
>
>http://lists.indymedia.org/patches.tar.gz (against 2.1.10)
>http://lists.indymedia.org/patches/ (in use)
>
>Many of those will only be useful for Indymedia (especially the msgid
>stuff) or only appropriate for the 2.2 branch.
>
>I also went through the output of 'whohas mailman' and found the
>following distros with patches:
>
>http://trac.macports.org/browser/trunk/dports/mail/mailman/files
>http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/mailman/files/
>http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-mail/mailman/files/
>http://packages.opensuse-community.org/listcontents.jsp?checksum=77aa4ba3b6618d256638c4cf28a0305d7062dc7e&distro=openSUSE_110
>


Please don't start (or extend) a list of downstream things to look at
in the week before a release. First of all, I'm just compulsive enough
to actually look, but even so, the most likely result is I'll be
overwhelmed, defer everything and then forget about it.

If downstream patches are of general applicability or address bugs in
the upstream distribution, they should be reported in the upstream
tracker (currently <https://bugs.launchpad.net/mailman>).

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From iane at sussex.ac.uk  Mon Jan  5 17:11:58 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Mon, 05 Jan 2009 16:11:58 +0000
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <1231150193.22884.11.camel@where.dynamic.sanger.ac.uk>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<1231150193.22884.11.camel@where.dynamic.sanger.ac.uk>
Message-ID: <72EF18C4008999A63F3130ED@lewes.staff.uscs.susx.ac.uk>



--On 5 January 2009 10:09:53 +0000 Simon Fraser <srf at sanger.ac.uk> wrote:

> On Fri, 2009-01-02 at 12:06 -0500, Barry Warsaw wrote:
>
>> Finally, I would like to get input from MTA experts on this list as to
>> the best way to integrate the various MTAs with Mailman's LMTP
>> server.  Specifically, I'm looking at fixing and improving bin/
>> genaliases for each of the MTAs.  I've looked at Postfix's
>> documentation, but sadly to me it seems quite lacking as to best
>> recommendations.  I know Exim and Sendmail support LTMP, but I don't
>> have as much experience with hooking them up.
>
> I use Exim's LMTP support over unix domain sockets, so I've added a few
> notes about it on the wiki page you mention.
>
> With regards genaliases and exim, I'd imagine that most users are happy
> with the current genaliases output, as for non-lmtp connections it can
> be used directly, or simply the existence of a line can be tested.
>
> I must confess, I don't use it at all, since Mailman runs on the same
> node as Exim, I check directly for the list's existence by looking for
> its directory, and use a generic transport that copes with the suffix.

But, with our improvements, you'll be able to use Exim's call forward 
feature, and determine not only whether the list exists, but also whether 
the sender is permitted to post to the list. If not, you can reject the 
email in Exim's ACL, and you don't need to generate a bounce message.

> Simon.



-- 
Ian Eiloart
IT Services, University of Sussex
x3148

From adam-mailman at amyl.org.uk  Mon Jan  5 17:06:58 2009
From: adam-mailman at amyl.org.uk (Adam McGreggor)
Date: Mon, 5 Jan 2009 16:06:58 +0000
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <alpine.BSF.2.00.0901050931560.79978@prime.gushi.org>
References: <34729cd70901050504l4083dbfesce80f1704a8a502c@mail.gmail.com>
	<36D8B7F1-C822-4F9C-898F-45AF06229170@list.org>
	<34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<alpine.BSF.2.00.0901050931560.79978@prime.gushi.org>
Message-ID: <20090105160657.GL18966@amyl.org.uk>

On Mon, Jan 05, 2009 at 09:34:47AM -0500, Dan Mahoney, System Admin wrote:
> I see this as a non-issue, personally, but I do think it looks bad, and 

Likewise.

> think that screen should in a perfect world only be shown ONLY if there is 
> a "list creator" password with no other privileges (but then, if that was 
> the behavior, it would leak that fact).

If anyone were that'd bothered, they'd presumably use the
authentication/protection methods of their webserver on /create : or,
indeed, not bother maaking the Alias (or equiv) at all.

-- 
An Englishman thinks that 100 miles is a long way;
an American thinks that 100 years is a long time.

From barry at list.org  Mon Jan  5 17:45:46 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 5 Jan 2009 11:45:46 -0500
Subject: [Mailman-Developers] [Mailman-Announce] Mailman 2.x Roadmap
In-Reply-To: <PC187020090103115138045396e273ab@msapiro>
References: <PC187020090103115138045396e273ab@msapiro>
Message-ID: <91E17CF4-A418-473F-9E09-921A1B80915D@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Trimmed CC to just -developers]

On Jan 3, 2009, at 2:51 PM, Mark Sapiro wrote:

> Barry has been making wonderful progress with Mailman 3.0 and has just
> announced the second alpha release.
>
> This may leave some of you wondering what's happening with the Mailman
> 2.x series, so this note is for all interested Mailman users,
> developers and translators to give an idea of what to expect in
> Mailman 2.x in the coming months.
>
> Within the next few days, I plan to release Mailman 2.1.12rc1. This
> release contains several minor bug fixes since 2.1.11 and is updated
> for compatibility with Python 2.6. It will not work with Python older
> than 2.4.
>
> In the absence of "show stopping" bugs, the only changes between this
> and the final 2.1.12 release will be translation updates. I expect to
> release the final by the end of January.
>
> After January, my focus will be on Mailman 2.2. This branch was
> originally intended to be an overhaul of Mailman's GUI, but that work
> is stalled and will be deferred to Mailman 2.3 or 3.0. The focus of
> Mailman 2.2 will be ongoing maintenance of the 2.x series and several
> small new features that have not been added in the 2.1 branch because
> of i18n considerations.
>
> I hope to be able to release a 2.2 beta before the end of March, 2009.

Mark, thanks for publishing this roadmap.  It seems right on target to  
me, with one comment.  I really hope that there will not be a Mailman  
2.3.  I agree we'd hoped that 2.2 would include an updated web ui, but  
if that won't happen in 2.2, I'd really like to see that effort put  
into 3.0.  I agree that there are plenty of other good things that can  
go into the 2.2 series to make it very much worthwhile, but after that  
I think we should concentrate on 3.0, where the backend storage and  
other architectural improvements will really pay off.

Cheers,
- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliOToACgkQ2YZpQepbvXG0AACfZcILwdppJDimq8TzRxVfRTxp
gFoAoKL2t43LnxawxFIyqaWwGOLWymui
=1FuB
-----END PGP SIGNATURE-----

From mark at msapiro.net  Mon Jan  5 17:48:42 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 5 Jan 2009 08:48:42 -0800
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
Message-ID: <PC187020090105084842059354ccc83b@msapiro>

Edilson Azevedo wrote:
>
> You said "should". But in 95% of the lists that I look, those links are
>always open.


I think Barry misunderstood which links you are talking about.

The links on the list admin overview page to lists really reveal
nothing but the names of public lists on the server. These are already
available on the listinfo overview page and anyone who knows even a
little bit about Mailman can easily construct admin or admindb links
from the listinfo links. If you are concerned about revealing this,
make all your lists advertised = No.

>An random example: The official MailMan mailing list. Follow my
>steps:
>
>1 - Open this link: http://mail.python.org/mailman/admin
>
>2 - After, click in "create a new mailing list"


Likewise, anyone with even a little knowledge of Mailman can figure out
the URL to the create CGI.

The answer is to use strong passwords, and if you are really concerned,
don't advertise any lists and remove Mailman's cgi-bin/create wrapper
so lists can't be created from the web, or alternatively just don't
set site admin or list creator passwords or remove data/adm.pw and
data/creator.pw to remove those set previously.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From barry at list.org  Mon Jan  5 17:50:36 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 5 Jan 2009 11:50:36 -0500
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <PC187020090105084842059354ccc83b@msapiro>
References: <PC187020090105084842059354ccc83b@msapiro>
Message-ID: <FFD8BE9D-9DC5-45EB-9F12-4AA83B94296F@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:

> I think Barry misunderstood which links you are talking about.

Yep.  Thanks, I just re-read the OP (in post-coffee mode :), so now I  
get it.

> The links on the list admin overview page to lists really reveal
> nothing but the names of public lists on the server. These are already
> available on the listinfo overview page and anyone who knows even a
> little bit about Mailman can easily construct admin or admindb links
> from the listinfo links. If you are concerned about revealing this,
> make all your lists advertised = No.
>
>> An random example: The official MailMan mailing list. Follow my
>> steps:
>>
>> 1 - Open this link: http://mail.python.org/mailman/admin
>>
>> 2 - After, click in "create a new mailing list"
>
>
> Likewise, anyone with even a little knowledge of Mailman can figure  
> out
> the URL to the create CGI.
>
> The answer is to use strong passwords, and if you are really  
> concerned,
> don't advertise any lists and remove Mailman's cgi-bin/create wrapper
> so lists can't be created from the web, or alternatively just don't
> set site admin or list creator passwords or remove data/adm.pw and
> data/creator.pw to remove those set previously.

Mark's suggestions are spot on.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliOl0ACgkQ2YZpQepbvXF2yACfa9jcidXxfax6sLze5CJV4uXP
5qAAoK5gZzSRoCgdmpuvDrO8Jy79BdIT
=A81I
-----END PGP SIGNATURE-----

From pabs at debian.org  Mon Jan  5 17:51:28 2009
From: pabs at debian.org (Paul Wise)
Date: Tue, 6 Jan 2009 01:51:28 +0900
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <PC18702009010508092507504200fe87@msapiro>
References: <e13a36b30901041950n6530114j141dc08e9eeb1638@mail.gmail.com>
	<PC18702009010508092507504200fe87@msapiro>
Message-ID: <e13a36b30901050851p26de6131g9c833fd3a0058af4@mail.gmail.com>

On Tue, Jan 6, 2009 at 1:09 AM, Mark Sapiro <mark at msapiro.net> wrote:

> Please don't start (or extend) a list of downstream things to look at
> in the week before a release. First of all, I'm just compulsive enough
> to actually look, but even so, the most likely result is I'll be
> overwhelmed, defer everything and then forget about it.
>
> If downstream patches are of general applicability or address bugs in
> the upstream distribution, they should be reported in the upstream
> tracker (currently <https://bugs.launchpad.net/mailman>).

My apologies. I'll try and find some time to post bugs and feature
requests for mm3, perhaps during LCA if not before then.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

From eazevedo at bsd.com.br  Mon Jan  5 18:27:26 2009
From: eazevedo at bsd.com.br (Edilson Azevedo)
Date: Mon, 5 Jan 2009 15:27:26 -0200
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <FFD8BE9D-9DC5-45EB-9F12-4AA83B94296F@list.org>
References: <PC187020090105084842059354ccc83b@msapiro>
	<FFD8BE9D-9DC5-45EB-9F12-4AA83B94296F@list.org>
Message-ID: <34729cd70901050927s79d67646xc573ca2e6aa56b80@mail.gmail.com>

Ok... thanks to all!!!

 But, I've a last doubt: Which the advantage in keep the creation of lists
open for the world? what would be the real advantage? I need to understand
before block the access.

THANKS!!!!!


On Mon, Jan 5, 2009 at 2:50 PM, Barry Warsaw <barry at list.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:
>
>  I think Barry misunderstood which links you are talking about.
>>
>
> Yep.  Thanks, I just re-read the OP (in post-coffee mode :), so now I get
> it.
>
>  The links on the list admin overview page to lists really reveal
>> nothing but the names of public lists on the server. These are already
>> available on the listinfo overview page and anyone who knows even a
>> little bit about Mailman can easily construct admin or admindb links
>> from the listinfo links. If you are concerned about revealing this,
>> make all your lists advertised = No.
>>
>>  An random example: The official MailMan mailing list. Follow my
>>> steps:
>>>
>>> 1 - Open this link: http://mail.python.org/mailman/admin
>>>
>>> 2 - After, click in "create a new mailing list"
>>>
>>
>>
>> Likewise, anyone with even a little knowledge of Mailman can figure out
>> the URL to the create CGI.
>>
>> The answer is to use strong passwords, and if you are really concerned,
>> don't advertise any lists and remove Mailman's cgi-bin/create wrapper
>> so lists can't be created from the web, or alternatively just don't
>> set site admin or list creator passwords or remove data/adm.pw and
>> data/creator.pw to remove those set previously.
>>
>
> Mark's suggestions are spot on.
>
> - -Barry
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
>
> iEYEARECAAYFAkliOl0ACgkQ2YZpQepbvXF2yACfa9jcidXxfax6sLze5CJV4uXP
> 5qAAoK5gZzSRoCgdmpuvDrO8Jy79BdIT
> =A81I
> -----END PGP SIGNATURE-----
>



-- 
Atenciosamente,

Edilson Azevedo
(19) 3787-3312
(12) 8156-5590
Mail / Gtalk: eazevedo at bsd.com.br

From mark at msapiro.net  Mon Jan  5 18:51:00 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 5 Jan 2009 09:51:00 -0800
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <34729cd70901050927s79d67646xc573ca2e6aa56b80@mail.gmail.com>
Message-ID: <PC187020090105095100046827709cd4@msapiro>

Edilson Azevedo wrote:
>
> But, I've a last doubt: Which the advantage in keep the creation of lists
>open for the world? what would be the real advantage? I need to understand
>before block the access.


You may have people within your organization or trusted customers or
whatever, depending on your circumstances, who you want to be able to
create lists even though they don't have the ability to run
bin/newlist on the Mailman server.

In this case, you would use bin/mmsitepass -c to set a list creator
password which you would share with these people so they could create
lists via the web.

Or, (this is a stretch) you might find yourself in a situation where
you need to create a list, but in that particular situation, you have
web access to the server but not shell access, and you could create a
list via the web with the Mailman site password.

If none of this applies to you, you don't need web create ability.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From skip at pobox.com  Mon Jan  5 19:12:31 2009
From: skip at pobox.com (skip at pobox.com)
Date: Mon, 5 Jan 2009 12:12:31 -0600
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <PC187020090105084842059354ccc83b@msapiro>
References: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<PC187020090105084842059354ccc83b@msapiro>
Message-ID: <18786.19855.566797.267429@montanaro.dyndns.org>


    Mark> The answer is to use strong passwords, and if you are really
    Mark> concerned, don't advertise any lists and remove Mailman's
    Mark> cgi-bin/create wrapper so lists can't be created from the web, or
    Mark> alternatively just don't set site admin or list creator passwords
    Mark> or remove data/adm.pw and data/creator.pw to remove those set
    Mark> previously.

I suspect the default should be to not expose those things.  I wasn't even
aware that list creation through the web was possible.  Based on the
extremely novice questions I see posted to mailman-users on occasion I
suspect many potential Mailman admins are unaware of this as well.  I fear
those admins are also the ones most likely to not create strong passwords.

Maybe all that's necessary is to install cgi-bin/create as
cgi-bin/create.disabled by default, set its permissions to not allow
execution and add a note to the installation docs about the consequences of
through-the-web list creation and how to set it up.

Skip


From thijs at debian.org  Mon Jan  5 19:19:23 2009
From: thijs at debian.org (Thijs Kinkhorst)
Date: Mon, 5 Jan 2009 19:19:23 +0100
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <PC18702009010508092507504200fe87@msapiro>
References: <PC18702009010508092507504200fe87@msapiro>
Message-ID: <200901051919.25850.thijs@debian.org>

On Monday 5 January 2009 17:09, Mark Sapiro wrote:
> Please don't start (or extend) a list of downstream things to look at
> in the week before a release. First of all, I'm just compulsive enough
> to actually look, but even so, the most likely result is I'll be
> overwhelmed, defer everything and then forget about it.

I have on behalf of Debian a while ago reported a number of our patches to the 
SF.net tracker, which have not seen any response yet. It's not that we're not 
willing to contribute patches back, but the previous approach of reporting 
them to the patch tracker hasn't been fruitful. I have also sent selected 
patches to the development list in the past with the same result.
So I guessed I'd try something different instead.

> If downstream patches are of general applicability or address bugs in
> the upstream distribution, they should be reported in the upstream
> tracker (currently <https://bugs.launchpad.net/mailman>).

Do I understand it correctly that I should resubmit the patches to this new 
tracker?

We're quite willing to help you get useful patches integrated, but our time is 
also limited so I'm looking for the way that is most effective for both of 
us.

cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20090105/99bdc460/attachment.pgp>

From adam-mailman at amyl.org.uk  Mon Jan  5 19:20:54 2009
From: adam-mailman at amyl.org.uk (Adam McGreggor)
Date: Mon, 5 Jan 2009 18:20:54 +0000
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <18786.19855.566797.267429@montanaro.dyndns.org>
References: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<PC187020090105084842059354ccc83b@msapiro>
	<18786.19855.566797.267429@montanaro.dyndns.org>
Message-ID: <20090105182054.GP18966@amyl.org.uk>

On Mon, Jan 05, 2009 at 12:12:31PM -0600, skip at pobox.com wrote:
> Maybe all that's necessary is to install cgi-bin/create as
> cgi-bin/create.disabled by default, set its permissions to not allow
> execution and add a note to the installation docs about the consequences of
> through-the-web list creation and how to set it up.

Or perhaps those responsible for the set-up look at what's being set-up,
and take responsibility/make the choice themselves?

>From memory, and on Debian/FBSD systems at least, setting up Mailman still
requires intervention to sort out the web-interface/MTA integration --
even when packaged -- : that's good enough, imo.

-- 
``You can't be a real country unless you have a beer and an airline. It helps
  if you have some kind of a football team, or some nuclear weapons, but at
  the very least you need a beer.'' (Frank Zappa)

From skip at pobox.com  Mon Jan  5 19:46:21 2009
From: skip at pobox.com (skip at pobox.com)
Date: Mon, 5 Jan 2009 12:46:21 -0600
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <20090105182054.GP18966@amyl.org.uk>
References: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<PC187020090105084842059354ccc83b@msapiro>
	<18786.19855.566797.267429@montanaro.dyndns.org>
	<20090105182054.GP18966@amyl.org.uk>
Message-ID: <18786.21885.569192.913681@montanaro.dyndns.org>


    >> Maybe all that's necessary is to install cgi-bin/create as
    >> cgi-bin/create.disabled by default, set its permissions to not allow
    >> execution and add a note to the installation docs about the
    >> consequences of through-the-web list creation and how to set it up.

    Adam> Or perhaps those responsible for the set-up look at what's being
    Adam> set-up, and take responsibility/make the choice themselves?

People don't work that way.  I was a Unix admin back in the day when
virtually anybody could login to prep.ai.mit.edu.  Wide open systems were
probably wrong then and they are certainly wrong now.  It's simply foolish
to distribute software which by default has doors which are either open or
easily opened.

    Adam> From memory, and on Debian/FBSD systems at least, setting up
    Adam> Mailman still requires intervention to sort out the
    Adam> web-interface/MTA integration -- even when packaged -- : that's
    Adam> good enough, imo.

That's only one type of system.  It hardly represents the entire universe of
possible platforms.  Last time I looked Debian+FreeBSD didn't represent the
bulk of the servers on the Internet.  For better or worse I suspect that
distinction probably goes to Windows.

At work, for example, we run it on Solaris.  I'm pretty sure it wasn't
installed from some turnkey package.  I'm similarly sure whoever installed
it wasn't a sophisticated Mailman user and wasn't aware of the
cgi-bin/create script.  Does Mailman run on Windows?  If so, you're going to
have problems.  If not, then you are going to have people unfamiliar with
Unix systems (that is, people who only know Windows) installing it.  Damned
if you do.  Damned if you don't.

-- 
Skip Montanaro - skip at pobox.com - http://smontanaro.dyndns.org/

From barry at list.org  Mon Jan  5 20:03:40 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 5 Jan 2009 14:03:40 -0500
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <18786.19855.566797.267429@montanaro.dyndns.org>
References: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<PC187020090105084842059354ccc83b@msapiro>
	<18786.19855.566797.267429@montanaro.dyndns.org>
Message-ID: <CE5302D3-F992-4016-9B03-F3C8D346B11E@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 1:12 PM, skip at pobox.com wrote:

> I suspect the default should be to not expose those things.  I  
> wasn't even
> aware that list creation through the web was possible.  Based on the
> extremely novice questions I see posted to mailman-users on occasion I
> suspect many potential Mailman admins are unaware of this as well.   
> I fear
> those admins are also the ones most likely to not create strong  
> passwords.

Note that by default, it's not possible to create mailing lists  
through the web even though the link exists.  You have to create a  
site password or 'list creators' password to enable this feature.  A  
site admin should know enough to set these passwords to something  
strong and difficult to brute force.

Still, the suggestions for disabling this CGI is easy enough, and if  
you have shell access to create those passwords, you have shell access  
to disable the CGI.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliWYwACgkQ2YZpQepbvXFM9wCaAifGNrsBzdL0Mf5RDmrf6jAj
BekAn0LvBA684d7AsE86eiEHjdyghLZX
=D1FM
-----END PGP SIGNATURE-----

From barry at list.org  Mon Jan  5 20:07:25 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 5 Jan 2009 14:07:25 -0500
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <200901051919.25850.thijs@debian.org>
References: <PC18702009010508092507504200fe87@msapiro>
	<200901051919.25850.thijs@debian.org>
Message-ID: <856E05D8-C978-4C12-BDEC-39B6FDB13465@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 1:19 PM, Thijs Kinkhorst wrote:

> On Monday 5 January 2009 17:09, Mark Sapiro wrote:
>> Please don't start (or extend) a list of downstream things to look at
>> in the week before a release. First of all, I'm just compulsive  
>> enough
>> to actually look, but even so, the most likely result is I'll be
>> overwhelmed, defer everything and then forget about it.
>
> I have on behalf of Debian a while ago reported a number of our  
> patches to the
> SF.net tracker, which have not seen any response yet. It's not that  
> we're not
> willing to contribute patches back, but the previous approach of  
> reporting
> them to the patch tracker hasn't been fruitful. I have also sent  
> selected
> patches to the development list in the past with the same result.
> So I guessed I'd try something different instead.
>
>> If downstream patches are of general applicability or address bugs in
>> the upstream distribution, they should be reported in the upstream
>> tracker (currently <https://bugs.launchpad.net/mailman>).
>
> Do I understand it correctly that I should resubmit the patches to  
> this new
> tracker?
>
> We're quite willing to help you get useful patches integrated, but  
> our time is
> also limited so I'm looking for the way that is most effective for  
> both of
> us.

I'll let Mark determine what works best for him an MM2.x, but a couple  
of comments: first, the SF tracker issues /should/ have been migrated  
to Launchpad.  If not, it'll be quicker to resubmit them.

Second, I think in general if you can push bug fix branches to  
Launchpad and link them to the bug, they will be much easier to review  
and merge into the official branches.  Patches in a tracker are more  
difficult to use, but probably easier to generate.  You could also try  
'bzr send' to create a bundle, which is somewhere between a branch and  
a patch.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliWm0ACgkQ2YZpQepbvXEzmQCdH7L8ir2kWqcgQnpWwZuj5/Yj
Za0AnR80n/z/z1ym/3kYSC1weFvaKIXP
=3AHS
-----END PGP SIGNATURE-----

From mark at msapiro.net  Mon Jan  5 20:12:48 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 5 Jan 2009 11:12:48 -0800
Subject: [Mailman-Developers] Mailman 2.x Roadmap
In-Reply-To: <200901051919.25850.thijs@debian.org>
Message-ID: <PC1870200901051112480484f67087d4@msapiro>

Thijs Kinkhorst wrote:
>
>On Monday 5 January 2009 17:09, Mark Sapiro wrote:
>> Please don't start (or extend) a list of downstream things to look at
>> in the week before a release. First of all, I'm just compulsive enough
>> to actually look, but even so, the most likely result is I'll be
>> overwhelmed, defer everything and then forget about it.
>
>I have on behalf of Debian a while ago reported a number of our patches to the
>SF.net tracker, which have not seen any response yet. It's not that we're not
>willing to contribute patches back, but the previous approach of reporting
>them to the patch tracker hasn't been fruitful. I have also sent selected
>patches to the development list in the past with the same result.
>So I guessed I'd try something different instead.


Of the 32 patches under the '"series" style patches'-header: at
http://patch-tracking.debian.net/package/mailman/1:2.1.11-8, two of
them carry the note "Submitted upstream" with a SF tracker URL and one
notes "Applied upstream"

Of the other 29, my first glance indicates at least four of them are
Debian specific, and one is to an unmaintained "contrib" module.

Many of the remaining 24 are like
<http://patch-tracking.debian.net/patch/series/view/mailman/1:2.1.11-8/00_stolen_from_HEAD.patch>
which carries the note: "Handle empty queue files." I see what this
patch does, but I am unable to see why it is necessary. If it were
reported in a tracker (I assume it's in a Debian tracker somewhere,
but why should I have to search for it?), at least I'd have some
information about symptoms and causes that would enable me to evaluate
it.

(and at the moment, your entire patch tracking system seems to be not
working since all the URLs which I recorded yesterday throw Python
exceptions at me today and the link you provided says "There was an
error processing ur request
can't find any package named or containing 'mailman'")



>> If downstream patches are of general applicability or address bugs in
>> the upstream distribution, they should be reported in the upstream
>> tracker (currently <https://bugs.launchpad.net/mailman>).
>
>Do I understand it correctly that I should resubmit the patches to this new
>tracker?


No. All the RFEs and bug reports were migrated from SF to the LP
tracker. Due to a processing glitch, patches more recent than
2002-04-03 were not migrated, but this is an issue we expect to fix.
See <https://bugs.launchpad.net/mailman/+bug/294223> for more on this
migration glitch.

Again, you don't have to resubmit anything from the SF tracker.


>We're quite willing to help you get useful patches integrated, but our time is
>also limited so I'm looking for the way that is most effective for both of
>us.


I appreciate that, and I am well aware that there is stuff in the
tracker that has been sitting unattended for a long while. I am trying
to attend to new tracker items as they arrive (at least those that
address bugs) and hopefully the old ones will get looked at too.

No system is perfect, but in general, the upstream tracker is the best
place. At least things can be found there, whereas things buried in
mailboxes or the archives of mailing lists are much more likely to be
overlooked.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From barry at list.org  Mon Jan  5 20:35:54 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 5 Jan 2009 14:35:54 -0500
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <F633A926-FCFD-40E9-9341-5BB774AB5255@zone12.com>
References: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<PC187020090105084842059354ccc83b@msapiro>
	<18786.19855.566797.267429@montanaro.dyndns.org>
	<CE5302D3-F992-4016-9B03-F3C8D346B11E@list.org>
	<F633A926-FCFD-40E9-9341-5BB774AB5255@zone12.com>
Message-ID: <9F63E3E4-FABB-4F56-9113-B591E9460FA1@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 2:25 PM, Terri Oda wrote:

> This seems like it might be more of a failure in documentation/ 
> understanding than a failure in security.  All this information is  
> readily available (both about the fact that you can create from the  
> web by default, and the fact that this can be disabled) but  
> obviously people aren't finding it or don't even know to look for it.
>
> I'll try to poke around and figure out where to put it when I get  
> home from work.  I'm guessing we could use some pointers in the  
> install guides?  Or perhaps I should work up a short intro to  
> mailman security for new users who don't know the likely attack  
> points?

I think a separate section on security concerns would be really helpful.

Thanks!
- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkliYRoACgkQ2YZpQepbvXFfqQCgpzjGrhBDEfvcdEH/BMnGgsLq
UzsAnAnsOAqJUkIzcDBL0DRYS0qtLGgO
=kAeJ
-----END PGP SIGNATURE-----

From mark at msapiro.net  Mon Jan  5 20:40:54 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 5 Jan 2009 11:40:54 -0800
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <CE5302D3-F992-4016-9B03-F3C8D346B11E@list.org>
Message-ID: <PC1870200901051140540828870c8672@msapiro>

Barry Warsaw wrote:
>
>On Jan 5, 2009, at 1:12 PM, skip at pobox.com wrote:
>
>> I suspect the default should be to not expose those things.  I  
>> wasn't even
>> aware that list creation through the web was possible.  Based on the
>> extremely novice questions I see posted to mailman-users on occasion I
>> suspect many potential Mailman admins are unaware of this as well.   
>> I fear
>> those admins are also the ones most likely to not create strong  
>> passwords.
>
>Note that by default, it's not possible to create mailing lists  
>through the web even though the link exists.  You have to create a  
>site password or 'list creators' password to enable this feature.  A  
>site admin should know enough to set these passwords to something  
>strong and difficult to brute force.
>
>Still, the suggestions for disabling this CGI is easy enough, and if  
>you have shell access to create those passwords, you have shell access  
>to disable the CGI.


As Barry points out, the door is neither open nor easily opened by
default.

Also, in a default installation, alias generation is manual, and
creating a list from the web is not sufficient to make it work.

Further, I think this whole list create issue is a red herring. If I
were a black-hat looking to create a list on your server to use for my
own nefarious purposes, I think I'd use my dictionary attack to try to
access the admin interface of an existing list where the password is
more likely to be weak. Once I have the admin password for an existing
list, I can do anything with that list that I might have done with a
new list, and incidentally do more damage to the installation (or at
least that one list) in the process.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From terri at zone12.com  Mon Jan  5 20:25:17 2009
From: terri at zone12.com (Terri Oda)
Date: Mon, 5 Jan 2009 14:25:17 -0500
Subject: [Mailman-Developers] Doubt about security
In-Reply-To: <CE5302D3-F992-4016-9B03-F3C8D346B11E@list.org>
References: <34729cd70901050612l4e1835e8kca692dd217c247a2@mail.gmail.com>
	<PC187020090105084842059354ccc83b@msapiro>
	<18786.19855.566797.267429@montanaro.dyndns.org>
	<CE5302D3-F992-4016-9B03-F3C8D346B11E@list.org>
Message-ID: <F633A926-FCFD-40E9-9341-5BB774AB5255@zone12.com>

On 2009-Jan-5, at 2:03 PM, Barry Warsaw wrote:
>> I suspect the default should be to not expose those things.  I  
>> wasn't even
>> aware that list creation through the web was possible.  Based on the
>> extremely novice questions I see posted to mailman-users on  
>> occasion I
>> suspect many potential Mailman admins are unaware of this as well.   
>> I fear
>> those admins are also the ones most likely to not create strong  
>> passwords.
> Note that by default, it's not possible to create mailing lists  
> through the web even though the link exists.  You have to create a  
> site password or 'list creators' password to enable this feature.  A  
> site admin should know enough to set these passwords to something  
> strong and difficult to brute force.
> Still, the suggestions for disabling this CGI is easy enough, and if  
> you have shell access to create those passwords, you have shell  
> access to disable the CGI.

This seems like it might be more of a failure in documentation/ 
understanding than a failure in security.  All this information is  
readily available (both about the fact that you can create from the  
web by default, and the fact that this can be disabled) but obviously  
people aren't finding it or don't even know to look for it.

I'll try to poke around and figure out where to put it when I get home  
from work.  I'm guessing we could use some pointers in the install  
guides?  Or perhaps I should work up a short intro to mailman security  
for new users who don't know the likely attack points?

  Terri


From barry at list.org  Wed Jan  7 05:50:38 2009
From: barry at list.org (Barry Warsaw)
Date: Tue, 6 Jan 2009 23:50:38 -0500
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <20090105002904.GA10157@state-of-mind.de>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<20090102224456.GA28144@state-of-mind.de>
	<B98D1A94-5DC6-42BE-935B-07F1B7944732@list.org>
	<20090103230024.GA2218@state-of-mind.de>
	<20090104172103.2846298c@resist.wooz.org>
	<20090104235845.GC8986@state-of-mind.de>
	<20090104191538.1fc2edd8@resist.wooz.org>
	<20090105002904.GA10157@state-of-mind.de>
Message-ID: <FAE1C563-EF87-4085-8208-5191791C4A76@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 4, 2009, at 7:29 PM, Patrick Ben Koetter wrote:

> * Barry Warsaw <barry at list.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Jan 05, 2009, at 12:58 AM, Patrick Ben Koetter wrote:
>>
>>> Thanks. Minor bug fix in the docco, though. Destination syntax for  
>>> lmtp
>>> targets in the transport table requires a fourth parameter:  
>>> service type.
>>
>> I'm not sure it requires it; I saw that in the Postfix  
>> documentation, but my
>> current genaliases implementation doesn't write the 'inet'  
>> argument.  It still
>> seems to work.  Better to be correct though, so I'll fix that.
>
> Victor pointed it out on the Postfix mailing list. It's probably  
> better to be
> on the precise side in this case. In case you want to do more  
> reading, take a
> look at lmtp(8).

This is fixed in the 3.0 branch now.
- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAklkNJ4ACgkQ2YZpQepbvXHn+ACgn4Y6GdrNfeVTIn4XEilOd8tK
dK8AoKWlKUBc5VW4RKlpG8RY2wGCqjSq
=NDQP
-----END PGP SIGNATURE-----

From barry at list.org  Wed Jan  7 06:02:33 2009
From: barry at list.org (Barry Warsaw)
Date: Wed, 7 Jan 2009 00:02:33 -0500
Subject: [Mailman-Developers] Mailman 3 and LTMP
In-Reply-To: <965FF7758F2DE4866C1B65CE@lewes.staff.uscs.susx.ac.uk>
References: <9862BBE7-B71D-4D64-B842-F5DF90AC8DBC@list.org>
	<965FF7758F2DE4866C1B65CE@lewes.staff.uscs.susx.ac.uk>
Message-ID: <7428130F-FC09-4823-BA95-BD33492CC624@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 5, 2009, at 6:03 AM, Ian Eiloart wrote:

> I've added a note to the docs about Exim's callout features. They  
> allow Exim to determine not only whether the list exists, but  
> whether the list will accept mail from the current sender - before  
> accepting the message for delivery. I'll fill in the details later.

Thanks.  I've added a NullMTA class that can be used for Exim, which  
doesn't require an alias file write.  You'd use it by adding this to  
your .cfg file:

[mta]
incoming: mailman.mta.null.NullMTA

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAklkN2kACgkQ2YZpQepbvXGW/ACfef755PghiLN32pSPso2SaVr2
e74Ani7xePXWtj6FjBUcm373lL1h8XTk
=tUgP
-----END PGP SIGNATURE-----

From fil at rezo.net  Wed Jan  7 15:43:51 2009
From: fil at rezo.net (Fil)
Date: Wed, 7 Jan 2009 15:43:51 +0100
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <48DCCEB2.5030304@ore.org>
References: <48DCCEB2.5030304@ore.org>
Message-ID: <bfc33ad70901070643w684e9b62t6a2cc629edf2ffc5@mail.gmail.com>

> It should according to the docs I found, provided I've applied them
> correctly, fix the non-ASCII character encoding problems (I've relied on
> the assertions about list members to cover that angle, and just checked
> encoding on the 'user supplied' parameters to various function calls).

Hi Kev,

I finally got the time to look at your character encoding problem and
patch, and I was not able to make it work. I still getting the dreaded
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in
position 1: ordinal not in range(128)

On my version of MysqlMemberships.py there is a centralized function
which does the escaping and is used on every sql request:

    def escape(self, value):
        # transforms accents into html entities (&#233;)
        # TODO: find out which language is current (here: uses iso-8859-1)
        value = Utils.uncanonstr(value)
        # addslashes before " and '
        return MySQLdb.escape_string(value)


I tried to add your unicode logic at this point, but to no avail. And
BTW I also need the thing to be functional both with utf8 and
iso-8859-1.


For people who'd like to join in the conversation, the logic I'm
refferring to is the following:
        # safe unicode strings encoded for mysql
        # http://effbot.org/pyfaq/what-does-unicodeerror-ascii-decoding-encoding-error-ordinal-not-in-range-128-mean.htm
        try:
            unicode(value, "ascii")
        except UnicodeError:
            value = unicode(value, "utf-8")
        else:
            # value was valid ASCII data
            pass

-- Fil

From kyrian-list at ore.org  Wed Jan  7 16:50:11 2009
From: kyrian-list at ore.org (kyrian (List))
Date: Wed, 07 Jan 2009 15:50:11 +0000
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <bfc33ad70901070643w684e9b62t6a2cc629edf2ffc5@mail.gmail.com>
References: <48DCCEB2.5030304@ore.org>
	<bfc33ad70901070643w684e9b62t6a2cc629edf2ffc5@mail.gmail.com>
Message-ID: <4964CF33.7070707@ore.org>

Fil wrote:
>> It should according to the docs I found, provided I've applied them
>> correctly, fix the non-ASCII character encoding problems (I've relied on
>> the assertions about list members to cover that angle, and just checked
>> encoding on the 'user supplied' parameters to various function calls).
>>     
> I finally got the time to look at your character encoding problem and
> patch, and I was not able to make it work. I still getting the dreaded
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in
> position 1: ordinal not in range(128)
>
>   
Seems my "lucky guess" was not so lucky ;-)

I'm pretty sure I said I though it would work but hadn't actually tested 
it, anyways. I don't currently have a 'live' mailman+mysql instance 
anywhere to test with, for a start. I've got a dedicated development 
server set up but not migrated anything like that to it yet.

Also I'm afraid that I'm quite engrossed in writing a plugin for Pidgin 
and playing with Asterisk VoIP at the moment, and hadn't really settled 
on a time to look at MM again for a while. My first priority would be to 
resolve the horrible performance problem without losing the name info as 
per a previous email, and then I might look at this, when I get started 
back on it again.

The gist of the problem seems to be that you need to treat the strings 
as utf-8 or iso-8859-1 encoded 'objects' rather than standard ASCII 
string types within the code, and I don't know for sure how to do that. 
I'd have to research it as much as you would, unless anyone on-list has 
a suggestion about it, or can send me a copy of the Python book that I 
can reference for this.

K.

-- 
Kev Green, aka Kyrian. E: kyrian&#64;ore.org WWW: http://kyrian.ore.org/
Linux/Security Contractor/LAMP Coder/ISP, via http://www.orenet.co.uk/
                 DJ via http://www.hellnoise.co.uk/

Human Rights left unattended may be Removed, or Destroyed, or Damaged 
                      by the Security Services.


From fil at rezo.net  Wed Jan  7 17:14:29 2009
From: fil at rezo.net (Fil)
Date: Wed, 7 Jan 2009 17:14:29 +0100
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <4964CF33.7070707@ore.org>
References: <48DCCEB2.5030304@ore.org>
	<bfc33ad70901070643w684e9b62t6a2cc629edf2ffc5@mail.gmail.com>
	<4964CF33.7070707@ore.org>
Message-ID: <bfc33ad70901070814k10408002nccbe9ea6fe7a1815@mail.gmail.com>

> I'm pretty sure I said I though it would work but hadn't actually tested it,
> anyways.

Indeed I was warned :-)


> time to look at MM again for a while. My first priority would be to resolve
> the horrible performance problem without losing the name info as per a
> previous email, and then I might look at this, when I get started back on it
> again.

I've re-read your email re: the names issue, and I don't understand
what the problem is.

getMembersMatching() does indeed only return the adresses of all users
whose email OR name matches the regexp; then Cgi/admin.py displays no
more than 50 of these, which results in maximum 50 calls to MySQL to
fetch the name information. I assert that:
* a search on a name returns the user, even if the search string does
not appear in its email
* the users' names ARE displayed in the resulting page.

-- Fil

From mark at msapiro.net  Wed Jan  7 17:18:28 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 7 Jan 2009 08:18:28 -0800
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <4964CF33.7070707@ore.org>
Message-ID: <PC1870200901070818280828d9672818@msapiro>

kyrian (List) wrote:
>
>The gist of the problem seems to be that you need to treat the strings 
>as utf-8 or iso-8859-1 encoded 'objects' rather than standard ASCII 
>string types within the code, and I don't know for sure how to do that.

And you have to know which because there are iso-8859-1 encoded
characters which aren't valid utf-8 codes and there are utf-8 encoded
characters which get garbled if decoded as iso-8859-1.

Thus, code like

        try:
            unicode(value, "ascii")
        except UnicodeError:
            value = unicode(value, "utf-8")
        else:
            # value was valid ASCII data
            pass

which I think is no different from simply

        value = unicode(value, "utf-8")

since if value is ascii to begin with, calling it utf-8 is OK,

doesn't work if value is actually iso-8859-1 encoded and contains bytes
which aren't valid utf-8 or which decode differently from utf-8.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From fil at rezo.net  Wed Jan  7 18:29:55 2009
From: fil at rezo.net (Fil)
Date: Wed, 7 Jan 2009 18:29:55 +0100
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <PC1870200901070818280828d9672818@msapiro>
References: <4964CF33.7070707@ore.org>
	<PC1870200901070818280828d9672818@msapiro>
Message-ID: <bfc33ad70901070929l318bad7bn8d4a619ed1c4647b@mail.gmail.com>

I was able to go a bit further with the script below. Unfortunately
when that utf-8-encoded mysql-escaped string goes back up into MySQLdb
I get hit by another encoding error inside MySQLdb. So my best for the
moment is to stay with my current implementation which escapes all
strings to html decimal entities.



#!/usr/bin/python

import os, sys
import MySQLdb
from types import StringType,UnicodeType

a='\'And"r?'

try:
  b=unicode(a,'utf-8')
except:
  b=unicode(a,'latin-1')

print b.encode('latin-1')
print b.encode('utf-8')

print MySQLdb.escape_string(b.encode('utf-8'))



-- Fil

From fil at rezo.net  Wed Jan  7 18:44:58 2009
From: fil at rezo.net (Fil)
Date: Wed, 7 Jan 2009 18:44:58 +0100
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <bfc33ad70901070929l318bad7bn8d4a619ed1c4647b@mail.gmail.com>
References: <4964CF33.7070707@ore.org>
	<PC1870200901070818280828d9672818@msapiro>
	<bfc33ad70901070929l318bad7bn8d4a619ed1c4647b@mail.gmail.com>
Message-ID: <bfc33ad70901070944k1b5f8de7j1d588f9c92d3e50d@mail.gmail.com>

OK I get something working with the following:


    def escape(self, value):
        try:
            b = unicode(value,'utf-8')
        except:
            try:
                b = unicode(value,'latin-1')
            except:
                b = value
        return unicode(MySQLdb.escape_string(b.encode('utf-8')),'utf-8')


will try a little more and commit if it works

From joostvb-mailman-developers at mdcc.cx  Wed Jan  7 18:20:25 2009
From: joostvb-mailman-developers at mdcc.cx (Joost van Baal)
Date: Wed, 7 Jan 2009 18:20:25 +0100
Subject: [Mailman-Developers] mailman-pgp-smime: talks at FOSDEM and in Ulm,
	new release
Message-ID: <20090107172025.GH12474@bruhat.mdcc.cx>

Hi,

Thanks to the NLnet foundation, the Secure List Server project (
http://non-gnu.uvt.nl/mailman-pgp-smime/ ) , which is including OpenPGP and
S/MIME support in Mailman has released a much improved mailman-pgp-smime patch:
http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.11-pgp-smime_2009-01-02.patch.gz
.  See http://non-gnu.uvt.nl/mailman-pgp-smime/NEWS.PGP-SMIME for the details.

There'll be talks about this patch:

On monday january 12 I'll talk at the Chaos Seminar</a> in Ulm, Germany,
see http://ulm.ccc.de/ChaosSeminar/2009/01_Mailman_PGP_SMIME .

On sunday february 8th, 10h20 (probably), I'll give a lightning talk at the
FOSDEM conference, ULB Campus Solbosch, Brussels, Belgium.  See
http://fosdem.org/2009/node/164.

The talk will start with a very short overview of the history of Mailman and
the mailman-pgp-smime project.  Some remarks will be made on how to install and
configure the software, so that one can try it.  Currently supported features
will be mentioned, as well as an overview of development plans.  One will learn
how to contribute to the project; an overview of the revision control system
used will be given.  Some remarks on the future of the patch will be made: will
it be shipped with Mailman itself?

If you have used Mailman, both as a subscriber and as a list admin, and if
you know what PGP and S/MIME are, you should definitely attend this talk.

Hope to meet you there!

Bye,

Joost

-- 
irc:joostvb@{OFTC,freenode} ? http://mdcc.cx/ ? http://ad1810.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20090107/64c78c98/attachment.pgp>

From barry at list.org  Wed Jan  7 22:01:02 2009
From: barry at list.org (Barry Warsaw)
Date: Wed, 7 Jan 2009 16:01:02 -0500
Subject: [Mailman-Developers] MySQL Member Adaptor(s) - Various comments.
In-Reply-To: <48DE30E9.30501@ore.org>
References: <48DCCEB2.5030304@ore.org>	
	<bfc33ad70809260832o919af7bi5212fba1dc294151@mail.gmail.com>	
	<48DD2076.2070307@ore.org>
	<bfc33ad70809270043u237c503cs6b5d73d001942036@mail.gmail.com>
	<48DE30E9.30501@ore.org>
Message-ID: <C271477E-333B-48D0-A5D1-14151A419FC2@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 27, 2008, at 9:11 AM, Kyrian (List) wrote:

> About MM3 resources:
>
> Thanks, these will be noted in my Wiki for whenever I find time to  
> look at it.

Let me just mention that MM3 is built on the Storm ORM for Python,  
which in theory should make it fairly trivial to hook it up to MySQL.   
I haven't tried it yet though, since MM3 will use SQLite by default  
(since that comes with Python 2.6).  Tests and contributions are  
welcome.

Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkllGA8ACgkQ2YZpQepbvXGr0QCgkavbb/KBrxCiAxorqqJzjKXf
E08Anj1dQ9qMNiULdjD+fVLv/d8uzZhN
=1/z1
-----END PGP SIGNATURE-----

From mark at msapiro.net  Thu Jan  8 01:40:37 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 7 Jan 2009 16:40:37 -0800
Subject: [Mailman-Developers] "Orignal" MySQL Member Adaptor - 1.71
In-Reply-To: <bfc33ad70901070944k1b5f8de7j1d588f9c92d3e50d@mail.gmail.com>
Message-ID: <PC18702009010716403706719d34bf84@msapiro>

Fil wrote:

>OK I get something working with the following:
>
>
>    def escape(self, value):
>        try:
>            b = unicode(value,'utf-8')
>        except:
>            try:
>                b = unicode(value,'latin-1')
>            except:
>                b = value
>        return unicode(MySQLdb.escape_string(b.encode('utf-8')),'utf-8')
>
>
>will try a little more and commit if it works


I'm not totally up on what you're doing here, but I assume that value
is something like the member's real name.

In this case I think you may want something like

>From Mailman import Utils
...
    def escape(self, value):
        lcset = Utils.GetCharSet(mlist.preferred_language)
        b = unicode(value, lcset)
        ...

I.e. text items relating to a list or a member are normally either
unicodes to begin with or they are encoded in the character set of the
list's preferred language.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From barry at list.org  Thu Jan  8 22:22:38 2009
From: barry at list.org (Barry Warsaw)
Date: Thu, 8 Jan 2009 16:22:38 -0500
Subject: [Mailman-Developers] mailman-pgp-smime: talks at FOSDEM and in
	Ulm, new release
In-Reply-To: <20090107172025.GH12474@bruhat.mdcc.cx>
References: <20090107172025.GH12474@bruhat.mdcc.cx>
Message-ID: <D92C8C6C-E5A7-49E1-8554-08FA23E50B19@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 7, 2009, at 12:20 PM, Joost van Baal wrote:

> Thanks to the NLnet foundation, the Secure List Server project (
> http://non-gnu.uvt.nl/mailman-pgp-smime/ ) , which is including  
> OpenPGP and
> S/MIME support in Mailman has released a much improved mailman-pgp- 
> smime patch:
> http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.11-pgp-smime_2009-01-02.patch.gz
> .  See http://non-gnu.uvt.nl/mailman-pgp-smime/NEWS.PGP-SMIME for  
> the details.
>
> There'll be talks about this patch:
>
> On monday january 12 I'll talk at the Chaos Seminar</a> in Ulm,  
> Germany,
> see http://ulm.ccc.de/ChaosSeminar/2009/01_Mailman_PGP_SMIME .
>
> On sunday february 8th, 10h20 (probably), I'll give a lightning talk  
> at the
> FOSDEM conference, ULB Campus Solbosch, Brussels, Belgium.  See
> http://fosdem.org/2009/node/164.
>
> The talk will start with a very short overview of the history of  
> Mailman and
> the mailman-pgp-smime project.  Some remarks will be made on how to  
> install and
> configure the software, so that one can try it.  Currently supported  
> features
> will be mentioned, as well as an overview of development plans.  One  
> will learn
> how to contribute to the project; an overview of the revision  
> control system
> used will be given.  Some remarks on the future of the patch will be  
> made: will
> it be shipped with Mailman itself?
>
> If you have used Mailman, both as a subscriber and as a list admin,  
> and if
> you know what PGP and S/MIME are, you should definitely attend this  
> talk.
>
> Hope to meet you there!

Very cool!  I wish I could be there.

I'm very interested in seeing how we could incorporate this work into  
Mailman 3, either as a core piece, or as an easy to install, use, and  
develop plugin.

Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAklmbp4ACgkQ2YZpQepbvXEoyACfcWJiLO0ekeYov7LUOKqZ7S3R
lUoAoI/tNURbL6TDmzJ30QC044y2xM3R
=cpel
-----END PGP SIGNATURE-----

From stefan.schlott at ulm.ccc.de  Fri Jan  9 10:31:37 2009
From: stefan.schlott at ulm.ccc.de (Stefan Schlott)
Date: Fri, 09 Jan 2009 10:31:37 +0100
Subject: [Mailman-Developers] mailman-pgp-smime: talks at FOSDEM and in
 Ulm, new release
In-Reply-To: <D92C8C6C-E5A7-49E1-8554-08FA23E50B19@list.org>
References: <20090107172025.GH12474@bruhat.mdcc.cx>
	<D92C8C6C-E5A7-49E1-8554-08FA23E50B19@list.org>
Message-ID: <49671979.2010505@ulm.ccc.de>

Hi,

>> On monday january 12 I'll talk at the Chaos Seminar</a> in Ulm, Germany,
>> see http://ulm.ccc.de/ChaosSeminar/2009/01_Mailman_PGP_SMIME .

> Very cool!  I wish I could be there.

The CCC team of Ulm usually records these talks on video (although it
sometimes takes some time until they are published).


Stefan.

From barry at list.org  Sat Jan 10 01:46:46 2009
From: barry at list.org (Barry Warsaw)
Date: Fri, 9 Jan 2009 19:46:46 -0500
Subject: [Mailman-Developers] mailman-pgp-smime: talks at FOSDEM and in
	Ulm, new release
In-Reply-To: <49671979.2010505@ulm.ccc.de>
References: <20090107172025.GH12474@bruhat.mdcc.cx>
	<D92C8C6C-E5A7-49E1-8554-08FA23E50B19@list.org>
	<49671979.2010505@ulm.ccc.de>
Message-ID: <7C25CF1F-9563-4836-8318-4609BBC4850D@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 9, 2009, at 4:31 AM, Stefan Schlott wrote:

>>> On monday january 12 I'll talk at the Chaos Seminar</a> in Ulm,  
>>> Germany,
>>> see http://ulm.ccc.de/ChaosSeminar/2009/01_Mailman_PGP_SMIME .
>
>> Very cool!  I wish I could be there.
>
> The CCC team of Ulm usually records these talks on video (although it
> sometimes takes some time until they are published).

Nice.  Please let us know when they're up.

Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkln7/cACgkQ2YZpQepbvXG10QCfcknDN4U/2t0FgzhldaDTlHbp
UXkAniblUw7n9FPiakyKMHda/DXD/T2Y
=aeY9
-----END PGP SIGNATURE-----

From mark at msapiro.net  Sun Jan 11 22:01:57 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 11 Jan 2009 13:01:57 -0800
Subject: [Mailman-Developers] Mailman 2.1.12rc1 Released
In-Reply-To: <PC187020090103115138045396e273ab@msapiro>
Message-ID: <PC18702009011113015709686c2fcb41@msapiro>

I am happy to announce the first release candidate of Mailman 2.1.12. 
 
Mailman 2.1.12 is a minor bug fix and Python 2.6 compatibility release.

The minimum Python for this release is Python 2.4 and it is compatible
with Python through 2.6. The previous Mailman releases are not
compatible with Python 2.6.

See the release notes at
<https://sourceforge.net/project/shownotes.php?release_id=653108&group_id=103>
for more details. 
 
Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and
SourceForge.net mailing lists, as well as at hundreds of other sites. 
 
For more information, including download links, please see: 
 
http://www.list.org 
http://mailman.sf.net 
http://www.gnu.org/software/mailman 


Note to translators:

The mailman.pot is up to date in this release and has been merged with
the individual message catalogs. If possible, please review your
translations and submit any changes before the end of January.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From mark at msapiro.net  Mon Jan 12 19:39:24 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 12 Jan 2009 10:39:24 -0800
Subject: [Mailman-Developers] [Mailman-Announce] Mailman 2.1.12rc1
	Released
In-Reply-To: <PC18702009011113015709686c2fcb41@msapiro>
Message-ID: <PC18702009011210392404211ebf3cbd@msapiro>

Mark Sapiro wrote:

>I am happy to announce the first release candidate of Mailman 2.1.12. 
> 
>Mailman 2.1.12 is a minor bug fix and Python 2.6 compatibility release.
>
>The minimum Python for this release is Python 2.4 and it is compatible
>with Python through 2.6. The previous Mailman releases are not
>compatible with Python 2.6.


I have discovered a compatibility issue between Mailman 2.1.12rc1 and
Python 2.4. As a result of the Python 2.6 compatibility changes, we no
longer install the email 2.5.8 package in Mailman's pythonlib if
Python's email version is greater.

This creates a problem when Python's email is 3.0.1 which is the Python
2.4 package. There is no problem with the email 4.0.x packages in
Python 2.5+.

The following patch to Scrubber.py works around the incompatibility and
will be included in subsequent 2.1.12 releases.

=== modified file 'Mailman/Handlers/Scrubber.py'
--- Mailman/Handlers/Scrubber.py        2008-12-01 04:30:43 +0000
+++ Mailman/Handlers/Scrubber.py        2009-01-12 17:45:14 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2001-2008 by the Free Software Foundation, Inc.
+# Copyright (C) 2001-2009 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -167,6 +167,9 @@
     # message by a text (scrubbing).
     del msg['content-type']
     del msg['content-transfer-encoding']
+    if isinstance(charset, unicode):
+        # email 3.0.1 (python 2.4) doesn't like unicode
+        charset = charset.encode('us-ascii')
     msg.set_payload(text, charset)


-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From p at state-of-mind.de  Sun Jan 18 20:59:45 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Sun, 18 Jan 2009 20:59:45 +0100
Subject: [Mailman-Developers] ANNOUNCE: GNU Mailman 3.0a2 (Grand	Designs)
In-Reply-To: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
References: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
Message-ID: <20090118195945.GC26900@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> For detailed information on 3.0a2, please read docs/ALPHA.txt.  This  
> file explains how to build Mailman and run the test suite.  The docs/ 
> NEWS.txt file contains high level descriptions of what's changed since  
> 3.0a1.  Most notably are the new configuration system, the better test  
> suite and installation process, and the new LMTP support.  Mailman 3  
> also contains extensive doctests which explain how certain subsystems  
> work.

I'm having problems to build MM3 and I am unexperienced enough with Python
(including bzr) to tell if its me or any program standing in the way.

So far I have successfully built Python 2.6 on a vanilla Ubuntu/Hardy virtual
machine.

Then I followed docs/ALPHA.txt from mailman-3.0.0a2 and tried to checkout
megamerge. I get this and believe I shouldn't:

# bzr branch lp:~barry/lazr.config/megamerge
bzr: ERROR: Not a branch: "https://code.launchpad.net/".

I can't tell if its a configuration error on my side or a real error. Any
help greatly appreciated.

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563

From mark at msapiro.net  Sun Jan 18 23:33:24 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sun, 18 Jan 2009 14:33:24 -0800
Subject: [Mailman-Developers] ANNOUNCE: GNU Mailman 3.0a2 (Grand	Designs)
In-Reply-To: <20090118195945.GC26900@state-of-mind.de>
Message-ID: <PC187020090118143324007885571de6@msapiro>

Patrick Ben Koetter wrote:
>
>Then I followed docs/ALPHA.txt from mailman-3.0.0a2 and tried to checkout
>megamerge. I get this and believe I shouldn't:
>
># bzr branch lp:~barry/lazr.config/megamerge
>bzr: ERROR: Not a branch: "https://code.launchpad.net/".
>
>I can't tell if its a configuration error on my side or a real error. Any
>help greatly appreciated.


It seems to be a real error. I don't see that branch on launchpad, and
I can't get it either.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


From barry at list.org  Mon Jan 19 15:34:29 2009
From: barry at list.org (Barry Warsaw)
Date: Mon, 19 Jan 2009 09:34:29 -0500
Subject: [Mailman-Developers] ANNOUNCE: GNU Mailman 3.0a2 (Grand	Designs)
In-Reply-To: <20090118195945.GC26900@state-of-mind.de>
References: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
	<20090118195945.GC26900@state-of-mind.de>
Message-ID: <C7BEDADD-9308-4E2C-B291-0FDCB5E81CA3@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 18, 2009, at 2:59 PM, Patrick Ben Koetter wrote:

> * Barry Warsaw <barry at list.org>:
>> For detailed information on 3.0a2, please read docs/ALPHA.txt.  This
>> file explains how to build Mailman and run the test suite.  The docs/
>> NEWS.txt file contains high level descriptions of what's changed  
>> since
>> 3.0a1.  Most notably are the new configuration system, the better  
>> test
>> suite and installation process, and the new LMTP support.  Mailman 3
>> also contains extensive doctests which explain how certain subsystems
>> work.
>
> I'm having problems to build MM3 and I am unexperienced enough with  
> Python
> (including bzr) to tell if its me or any program standing in the way.
>
> So far I have successfully built Python 2.6 on a vanilla Ubuntu/ 
> Hardy virtual
> machine.
>
> Then I followed docs/ALPHA.txt from mailman-3.0.0a2 and tried to  
> checkout
> megamerge. I get this and believe I shouldn't:
>
> # bzr branch lp:~barry/lazr.config/megamerge
> bzr: ERROR: Not a branch: "https://code.launchpad.net/".
>
> I can't tell if its a configuration error on my side or a real  
> error. Any
> help greatly appreciated.

The megamerge branch was merged into lazr.config proper and release as  
lazr.config 1.1. So you don't need this branch.  The bzr branch of  
mm3.0 is up-to-date now, but from the tarball, you should just skip  
this step and edit buildout.cfg so that the "develop" line only  
contains a single dot.

Note that bin/test may break for you.  If it does, I have a  
workaround, but I don't yet know if the problem is in buildout or  
mailman.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkl0j3UACgkQ2YZpQepbvXHMpQCgkUn18wfHD/CzyYFdHwGP5FPC
dFkAniwvzKfba/02c4xWtaF53Rz2+acA
=dlOn
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Mon Jan 19 21:08:45 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Mon, 19 Jan 2009 21:08:45 +0100
Subject: [Mailman-Developers] ANNOUNCE: GNU Mailman 3.0a2 (Grand	Designs)
In-Reply-To: <C7BEDADD-9308-4E2C-B291-0FDCB5E81CA3@list.org>
References: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
	<20090118195945.GC26900@state-of-mind.de>
	<C7BEDADD-9308-4E2C-B291-0FDCB5E81CA3@list.org>
Message-ID: <20090119200845.GE8796@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> The megamerge branch was merged into lazr.config proper and release as  
> lazr.config 1.1. So you don't need this branch.  The bzr branch of mm3.0 
> is up-to-date now, but from the tarball, you should just skip this step 
> and edit buildout.cfg so that the "develop" line only contains a single 
> dot.
>
> Note that bin/test may break for you.  If it does, I have a workaround, 
> but I don't yet know if the problem is in buildout or mailman.

It worked, more or less:

  Ran 29 tests with 0 failures and 4 errors in 0.407 seconds.
Tearing down left over layers:
  Tear down zope.testing.testrunner.layer.UnitTests in 0.000 seconds.

Test-modules with import problems:
  eggs.lazr.config-1.1-py2.6.egg.lazr.config.tests
  eggs.lazr.delegates-1.0-py2.6.egg.lazr.delegates.tests
  eggs.zc.buildout-1.1.1-py2.6.egg.zc.buildout.tests
  eggs.zc.buildout-1.1.1-py2.6.egg.zc.buildout.testselectingpython
  eggs.zc.recipe.egg-1.1.0-py2.6.egg.zc.recipe.egg.tests
  eggs.zc.recipe.testrunner-1.1.0-py2.6.egg.zc.recipe.testrunner.tests
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.common.tests.test_idatetime
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.common.tests.test_import_interfaces
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_adapter
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_advice
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_declarations
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_document
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_element
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_interface
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_odd_declarations
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_sorting
  eggs.zope.interface-3.5.0-py2.6-linux-x86_64.egg.zope.interface.tests.test_verify
  eggs.zope.testing-3.7.1-py2.6.egg.zope.testing.tests
  eggs.zope.testing-3.7.1-py2.6.egg.zope.testing.testrunner.tests
Total: 94 tests, 0 failures, 4 errors in 11.174 seconds.


Proceed to create mailman.cfg or wait for workaround?

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563

From barry at python.org  Mon Jan 19 21:44:40 2009
From: barry at python.org (Barry Warsaw)
Date: Mon, 19 Jan 2009 15:44:40 -0500
Subject: [Mailman-Developers] ANNOUNCE: GNU Mailman 3.0a2 (Grand	Designs)
In-Reply-To: <20090119200845.GE8796@state-of-mind.de>
References: <E7FD501A-F62B-442C-9FE6-0F6DF83F56A0@list.org>
	<20090118195945.GC26900@state-of-mind.de>
	<C7BEDADD-9308-4E2C-B291-0FDCB5E81CA3@list.org>
	<20090119200845.GE8796@state-of-mind.de>
Message-ID: <687E798A-F2D3-49D0-B980-3ED6E987D604@python.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 19, 2009, at 3:08 PM, Patrick Ben Koetter wrote:

> * Barry Warsaw <barry at list.org>:
>> The megamerge branch was merged into lazr.config proper and release  
>> as
>> lazr.config 1.1. So you don't need this branch.  The bzr branch of  
>> mm3.0
>> is up-to-date now, but from the tarball, you should just skip this  
>> step
>> and edit buildout.cfg so that the "develop" line only contains a  
>> single
>> dot.
>>
>> Note that bin/test may break for you.  If it does, I have a  
>> workaround,
>> but I don't yet know if the problem is in buildout or mailman.
>
> It worked, more or less:
>
>  Ran 29 tests with 0 failures and 4 errors in 0.407 seconds.
> Tearing down left over layers:
>  Tear down zope.testing.testrunner.layer.UnitTests in 0.000 seconds.
>
> Test-modules with import problems:
>  eggs.lazr.config-1.1-py2.6.egg.lazr.config.tests
>  eggs.lazr.delegates-1.0-py2.6.egg.lazr.delegates.tests
>  eggs.zc.buildout-1.1.1-py2.6.egg.zc.buildout.tests
>  eggs.zc.buildout-1.1.1-py2.6.egg.zc.buildout.testselectingpython
>  eggs.zc.recipe.egg-1.1.0-py2.6.egg.zc.recipe.egg.tests
>  eggs.zc.recipe.testrunner-1.1.0-py2.6.egg.zc.recipe.testrunner.tests
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.common.tests.test_idatetime
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.common.tests.test_import_interfaces
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_adapter
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_advice
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_declarations
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_document
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_element
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_interface
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_odd_declarations
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_sorting
>  eggs.zope.interface-3.5.0-py2.6-linux- 
> x86_64.egg.zope.interface.tests.test_verify
>  eggs.zope.testing-3.7.1-py2.6.egg.zope.testing.tests
>  eggs.zope.testing-3.7.1-py2.6.egg.zope.testing.testrunner.tests
> Total: 94 tests, 0 failures, 4 errors in 11.174 seconds.
>
>
> Proceed to create mailman.cfg or wait for workaround?

That's the failure I get too.  It looks to me like zope.testing is  
putting some bogus eggs on sys.path.  I need to contact the distutils  
sig to find out what the problem is.

In the meantime, remove the buildout artifact directories (basically  
anything that 'bzr ignored' spits out), then add the following in your  
~/.buildout/default.cfg file (creating the directory if necessary):

[buildout]
eggs=directory=/home/you/.buildout/eggs
download-cache=/home/you/.buildout/download-cache

Then rebuild.  This basically just moves the eggs out of a location  
that seems to confuse testrunner.

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iQCVAwUBSXTmOHEjvBPtnXfVAQIQNAP/YSthTDsS8GisTwoq4xo1D5T0K+Gqxtxh
EjXuqcFDCEVYDzz65xPPq7BrjeEvUlQw8cy+PO6ECswd18+cY5IxN6Rh2B0o59ei
dY78bkVpMpluGvUctLLvlT8SezH7sLdHWCSbdJDbE5i3N9wBTzUpt5qc7a6JkM6V
luokXRTZX0A=
=jxsk
-----END PGP SIGNATURE-----

From barry at list.org  Sun Jan 25 19:11:21 2009
From: barry at list.org (Barry Warsaw)
Date: Sun, 25 Jan 2009 13:11:21 -0500
Subject: [Mailman-Developers] buildout problems solved
Message-ID: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to help from the distutils sig, I believe I've solved the  
buildout problems that were discussed here a while back.  By moving  
the mailman source tree into an 'src' subdirectory, buildout now works  
regardless of whether you're sharing eggs via ~/.buildout/default.cfg  
or not.

Please give the current 3.0 bzr tree a try.  If you want me to cut a  
new release with the fixes I can do that too.

Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkl8q0kACgkQ2YZpQepbvXEPWgCeOU3YsBU8FmQc25dNpzP4Gm7r
3/EAn3n7yI6x/I3MgmYPB85qjeoBOsz+
=dQGr
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Wed Jan 28 20:25:22 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Wed, 28 Jan 2009 20:25:22 +0100
Subject: [Mailman-Developers] buildout problems solved
In-Reply-To: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
References: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
Message-ID: <20090128192521.GG13793@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thanks to help from the distutils sig, I believe I've solved the  
> buildout problems that were discussed here a while back.  By moving the 
> mailman source tree into an 'src' subdirectory, buildout now works  
> regardless of whether you're sharing eggs via ~/.buildout/default.cfg or 
> not.
>
> Please give the current 3.0 bzr tree a try.  If you want me to cut a new 
> release with the fixes I can do that too.

Downloaded branch via bzr, built and ran test.

I am not sure what I should look for. Is that what you expect?

root at mailman:mailman# bin/test
Running mailman.testing.layers.SMTPLayer tests:
  Set up mailman.testing.layers.ConfigLayer in 0.942 seconds.
  Set up mailman.testing.layers.SMTPLayer in 0.003 seconds.
  Ran 65 tests with 0 failures and 0 errors in 9.587 seconds.
Running zope.testing.testrunner.layer.UnitTests tests:
  Tear down mailman.testing.layers.SMTPLayer in 0.002 seconds.
  Tear down mailman.testing.layers.ConfigLayer in 0.011 seconds.
  Set up zope.testing.testrunner.layer.UnitTests in 0.000 seconds.


Error in test test_passwords (mailman.tests.test_passwords.TestPBKDF2Passwords)
Traceback (most recent call last):
  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
    testMethod()
  File "/root/mailman/src/mailman/tests/test_passwords.py", line 51, in test_passwords
    secret = passwords.make_secret(self.pw8a, self.scheme)
  File "/root/mailman/src/mailman/passwords.py", line 229, in make_secret
    secret = scheme_class.make_secret(password)
  File "/root/mailman/src/mailman/passwords.py", line 166, in make_secret
    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
    T = U = array(b'l', prf.digest())
ValueError: string length not a multiple of item size



Error in test test_passwords_with_funky_chars (mailman.tests.test_passwords.TestPBKDF2Passwords)
Traceback (most recent call last):
  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
    testMethod()
  File "/root/mailman/src/mailman/tests/test_passwords.py", line 58, in test_passwords_with_funky_chars
    secret = passwords.make_secret(self.pw8b, self.scheme)
  File "/root/mailman/src/mailman/passwords.py", line 229, in make_secret
    secret = scheme_class.make_secret(password)
  File "/root/mailman/src/mailman/passwords.py", line 166, in make_secret
    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
    T = U = array(b'l', prf.digest())
ValueError: string length not a multiple of item size



Error in test test_unicode_passwords_with_funky_chars (mailman.tests.test_passwords.TestPBKDF2Passwords)
Traceback (most recent call last):
  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
    testMethod()
  File "/root/mailman/src/mailman/tests/test_passwords.py", line 65, in test_unicode_passwords_with_funky_chars
    secret = passwords.make_secret(self.pwub, self.scheme)
  File "/root/mailman/src/mailman/passwords.py", line 229, in make_secret
    secret = scheme_class.make_secret(password)
  File "/root/mailman/src/mailman/passwords.py", line 166, in make_secret
    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
    T = U = array(b'l', prf.digest())
ValueError: string length not a multiple of item size

  Ran 23 tests with 0 failures and 3 errors in 0.367 seconds.
Tearing down left over layers:
  Tear down zope.testing.testrunner.layer.UnitTests in 0.000 seconds.
Total: 88 tests, 0 failures, 3 errors in 11.057 seconds.



p at rick


-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20090128/2d608cfc/attachment.pgp>

From barry at list.org  Wed Jan 28 20:32:18 2009
From: barry at list.org (Barry Warsaw)
Date: Wed, 28 Jan 2009 14:32:18 -0500
Subject: [Mailman-Developers] buildout problems solved
In-Reply-To: <20090128192521.GG13793@state-of-mind.de>
References: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
	<20090128192521.GG13793@state-of-mind.de>
Message-ID: <9DBF0DCE-E435-4096-A820-F480F3340E53@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 28, 2009, at 2:25 PM, Patrick Ben Koetter wrote:

> * Barry Warsaw <barry at list.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Thanks to help from the distutils sig, I believe I've solved the
>> buildout problems that were discussed here a while back.  By moving  
>> the
>> mailman source tree into an 'src' subdirectory, buildout now works
>> regardless of whether you're sharing eggs via ~/.buildout/ 
>> default.cfg or
>> not.
>>
>> Please give the current 3.0 bzr tree a try.  If you want me to cut  
>> a new
>> release with the fixes I can do that too.
>
> Downloaded branch via bzr, built and ran test.
>
> I am not sure what I should look for. Is that what you expect?
>
> root at mailman:mailman# bin/test
> Running mailman.testing.layers.SMTPLayer tests:
>  Set up mailman.testing.layers.ConfigLayer in 0.942 seconds.
>  Set up mailman.testing.layers.SMTPLayer in 0.003 seconds.
>  Ran 65 tests with 0 failures and 0 errors in 9.587 seconds.
> Running zope.testing.testrunner.layer.UnitTests tests:
>  Tear down mailman.testing.layers.SMTPLayer in 0.002 seconds.
>  Tear down mailman.testing.layers.ConfigLayer in 0.011 seconds.
>  Set up zope.testing.testrunner.layer.UnitTests in 0.000 seconds.
>
>
> Error in test test_passwords  
> (mailman.tests.test_passwords.TestPBKDF2Passwords)
> Traceback (most recent call last):
>  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
>    testMethod()
>  File "/root/mailman/src/mailman/tests/test_passwords.py", line 51,  
> in test_passwords
>    secret = passwords.make_secret(self.pw8a, self.scheme)
>  File "/root/mailman/src/mailman/passwords.py", line 229, in  
> make_secret
>    secret = scheme_class.make_secret(password)
>  File "/root/mailman/src/mailman/passwords.py", line 166, in  
> make_secret
>    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
>  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
>    T = U = array(b'l', prf.digest())
> ValueError: string length not a multiple of item size
>
>
>
> Error in test test_passwords_with_funky_chars  
> (mailman.tests.test_passwords.TestPBKDF2Passwords)
> Traceback (most recent call last):
>  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
>    testMethod()
>  File "/root/mailman/src/mailman/tests/test_passwords.py", line 58,  
> in test_passwords_with_funky_chars
>    secret = passwords.make_secret(self.pw8b, self.scheme)
>  File "/root/mailman/src/mailman/passwords.py", line 229, in  
> make_secret
>    secret = scheme_class.make_secret(password)
>  File "/root/mailman/src/mailman/passwords.py", line 166, in  
> make_secret
>    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
>  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
>    T = U = array(b'l', prf.digest())
> ValueError: string length not a multiple of item size
>
>
>
> Error in test test_unicode_passwords_with_funky_chars  
> (mailman.tests.test_passwords.TestPBKDF2Passwords)
> Traceback (most recent call last):
>  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
>    testMethod()
>  File "/root/mailman/src/mailman/tests/test_passwords.py", line 65,  
> in test_unicode_passwords_with_funky_chars
>    secret = passwords.make_secret(self.pwub, self.scheme)
>  File "/root/mailman/src/mailman/passwords.py", line 229, in  
> make_secret
>    secret = scheme_class.make_secret(password)
>  File "/root/mailman/src/mailman/passwords.py", line 166, in  
> make_secret
>    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
>  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
>    T = U = array(b'l', prf.digest())
> ValueError: string length not a multiple of item size
>
>  Ran 23 tests with 0 failures and 3 errors in 0.367 seconds.
> Tearing down left over layers:
>  Tear down zope.testing.testrunner.layer.UnitTests in 0.000 seconds.
> Total: 88 tests, 0 failures, 3 errors in 11.057 seconds.

Nope.  I expect no failures!  Can you tell me something about the  
system you're running these tests on?

Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmAssIACgkQ2YZpQepbvXHmKACgtCs6GO5a/kmfeR4E0HHQSKny
KA4AoLukla53h4YsnZITTEjLGoiotqbX
=LjSY
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Wed Jan 28 20:43:28 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Wed, 28 Jan 2009 20:43:28 +0100
Subject: [Mailman-Developers] buildout problems solved
In-Reply-To: <9DBF0DCE-E435-4096-A820-F480F3340E53@list.org>
References: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
	<20090128192521.GG13793@state-of-mind.de>
	<9DBF0DCE-E435-4096-A820-F480F3340E53@list.org>
Message-ID: <20090128194328.GA15214@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
>> Downloaded branch via bzr, built and ran test.
>>
>> I am not sure what I should look for. Is that what you expect?
>>
>> root at mailman:mailman# bin/test
>> Running mailman.testing.layers.SMTPLayer tests:
>>  Set up mailman.testing.layers.ConfigLayer in 0.942 seconds.
>>  Set up mailman.testing.layers.SMTPLayer in 0.003 seconds.
>>  Ran 65 tests with 0 failures and 0 errors in 9.587 seconds.
>> Running zope.testing.testrunner.layer.UnitTests tests:
>>  Tear down mailman.testing.layers.SMTPLayer in 0.002 seconds.
>>  Tear down mailman.testing.layers.ConfigLayer in 0.011 seconds.
>>  Set up zope.testing.testrunner.layer.UnitTests in 0.000 seconds.
>>
>>
>> Error in test test_passwords  
>> (mailman.tests.test_passwords.TestPBKDF2Passwords)
>> Traceback (most recent call last):
>>  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
>>    testMethod()
>>  File "/root/mailman/src/mailman/tests/test_passwords.py", line 51, in 
>> test_passwords
>>    secret = passwords.make_secret(self.pw8a, self.scheme)
>>  File "/root/mailman/src/mailman/passwords.py", line 229, in  
>> make_secret
>>    secret = scheme_class.make_secret(password)
>>  File "/root/mailman/src/mailman/passwords.py", line 166, in  
>> make_secret
>>    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
>>  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
>>    T = U = array(b'l', prf.digest())
>> ValueError: string length not a multiple of item size
>>
>>
>>
>> Error in test test_passwords_with_funky_chars  
>> (mailman.tests.test_passwords.TestPBKDF2Passwords)
>> Traceback (most recent call last):
>>  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
>>    testMethod()
>>  File "/root/mailman/src/mailman/tests/test_passwords.py", line 58, in 
>> test_passwords_with_funky_chars
>>    secret = passwords.make_secret(self.pw8b, self.scheme)
>>  File "/root/mailman/src/mailman/passwords.py", line 229, in  
>> make_secret
>>    secret = scheme_class.make_secret(password)
>>  File "/root/mailman/src/mailman/passwords.py", line 166, in  
>> make_secret
>>    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
>>  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
>>    T = U = array(b'l', prf.digest())
>> ValueError: string length not a multiple of item size
>>
>>
>>
>> Error in test test_unicode_passwords_with_funky_chars  
>> (mailman.tests.test_passwords.TestPBKDF2Passwords)
>> Traceback (most recent call last):
>>  File "/usr/local/lib/python2.6/unittest.py", line 279, in run
>>    testMethod()
>>  File "/root/mailman/src/mailman/tests/test_passwords.py", line 65, in 
>> test_unicode_passwords_with_funky_chars
>>    secret = passwords.make_secret(self.pwub, self.scheme)
>>  File "/root/mailman/src/mailman/passwords.py", line 229, in  
>> make_secret
>>    secret = scheme_class.make_secret(password)
>>  File "/root/mailman/src/mailman/passwords.py", line 166, in  
>> make_secret
>>    digest = PBKDF2PasswordScheme._pbkdf2(password, salt, ITERATIONS)
>>  File "/root/mailman/src/mailman/passwords.py", line 149, in _pbkdf2
>>    T = U = array(b'l', prf.digest())
>> ValueError: string length not a multiple of item size
>>
>>  Ran 23 tests with 0 failures and 3 errors in 0.367 seconds.
>> Tearing down left over layers:
>>  Tear down zope.testing.testrunner.layer.UnitTests in 0.000 seconds.
>> Total: 88 tests, 0 failures, 3 errors in 11.057 seconds.
>
> Nope.  I expect no failures!  Can you tell me something about the system 
> you're running these tests on?

It's a XEN guest on an Intel machine.

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.2"

Python 2.6 has been built like this:

# apt-get build-dep python2.5
# download and unpack, cd ...
# ./configure
# make
# make test
...
325 tests OK.
1 test failed:
    test_httpservers
35 tests skipped:
    test_aepack test_al test_applesingle test_bsddb185 test_bsddb3
    test_cd test_cl test_codecmaps_cn test_codecmaps_hk
    test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
    test_dl test_gl test_imageop test_imgfile test_kqueue
    test_linuxaudiodev test_macos test_macostools test_normalization
    test_ossaudiodev test_pep277 test_py3kwarn test_scriptpackages
    test_socketserver test_startfile test_sunaudiodev test_timeout
    test_urllib2net test_urllibnet test_winreg test_winsound
    test_zipfile64
Those skips are all expected on linux2.
# make install
# python
Python 2.6.1 (r261:67515, Jan 17 2009, 23:49:39)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>

Then I did:

# bzr branch lp:mailman
# cd mailman
# python bootstrap.py
# bin/buildout
# bin/test

That's it.

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20090128/b99969cb/attachment.pgp>

From barry at list.org  Thu Jan 29 02:43:20 2009
From: barry at list.org (Barry Warsaw)
Date: Wed, 28 Jan 2009 20:43:20 -0500
Subject: [Mailman-Developers] buildout problems solved
In-Reply-To: <20090128194328.GA15214@state-of-mind.de>
References: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
	<20090128192521.GG13793@state-of-mind.de>
	<9DBF0DCE-E435-4096-A820-F480F3340E53@list.org>
	<20090128194328.GA15214@state-of-mind.de>
Message-ID: <CB911700-7786-4801-B801-B6FAF6AACAA1@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 28, 2009, at 2:43 PM, Patrick Ben Koetter wrote:

> It's a XEN guest on an Intel machine.
>
> $ cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=8.04
> DISTRIB_CODENAME=hardy
> DISTRIB_DESCRIPTION="Ubuntu 8.04.2"

Let me guess, is it a 64-bit machine?

Please run this:

% python2.6 -c 'import array; print array.array("l").itemsize'

What does this print?

How about this:

python2.6 -c 'import array; print array.array("L").itemsize'

- -Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmBCbkACgkQ2YZpQepbvXG2QQCgqjuqDaw16SMj2o5vUD5PG1J9
AjEAnAu+ZCEFWHWpD6acf+UYYAPOInc+
=b3+M
-----END PGP SIGNATURE-----

From p at state-of-mind.de  Thu Jan 29 07:29:12 2009
From: p at state-of-mind.de (Patrick Ben Koetter)
Date: Thu, 29 Jan 2009 07:29:12 +0100
Subject: [Mailman-Developers] buildout problems solved
In-Reply-To: <CB911700-7786-4801-B801-B6FAF6AACAA1@list.org>
References: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
	<20090128192521.GG13793@state-of-mind.de>
	<9DBF0DCE-E435-4096-A820-F480F3340E53@list.org>
	<20090128194328.GA15214@state-of-mind.de>
	<CB911700-7786-4801-B801-B6FAF6AACAA1@list.org>
Message-ID: <20090129062912.GA27146@state-of-mind.de>

* Barry Warsaw <barry at list.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jan 28, 2009, at 2:43 PM, Patrick Ben Koetter wrote:
>
>> It's a XEN guest on an Intel machine.
>>
>> $ cat /etc/lsb-release
>> DISTRIB_ID=Ubuntu
>> DISTRIB_RELEASE=8.04
>> DISTRIB_CODENAME=hardy
>> DISTRIB_DESCRIPTION="Ubuntu 8.04.2"
>
> Let me guess, is it a 64-bit machine?

Correct. Did I miss something?

> Please run this:
>
> % python2.6 -c 'import array; print array.array("l").itemsize'

p at mailman:~$ python2.6 -c 'import array; print array.array("l").itemsize'
8


> What does this print?
>
> How about this:
>
> python2.6 -c 'import array; print array.array("L").itemsize'

p at mailman:~$ python2.6 -c 'import array; print array.array("L").itemsize'
8


p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20090129/940dbb2b/attachment.pgp>

From barry at list.org  Thu Jan 29 14:44:33 2009
From: barry at list.org (Barry Warsaw)
Date: Thu, 29 Jan 2009 08:44:33 -0500
Subject: [Mailman-Developers] buildout problems solved
In-Reply-To: <20090129062912.GA27146@state-of-mind.de>
References: <080072FA-23E2-4C63-9178-9A7F67DD65D3@list.org>
	<20090128192521.GG13793@state-of-mind.de>
	<9DBF0DCE-E435-4096-A820-F480F3340E53@list.org>
	<20090128194328.GA15214@state-of-mind.de>
	<CB911700-7786-4801-B801-B6FAF6AACAA1@list.org>
	<20090129062912.GA27146@state-of-mind.de>
Message-ID: <E1BA567A-37F7-413D-B7D9-A05A08C0184B@list.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jan 29, 2009, at 1:29 AM, Patrick Ben Koetter wrote:

> * Barry Warsaw <barry at list.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Jan 28, 2009, at 2:43 PM, Patrick Ben Koetter wrote:
>>
>>> It's a XEN guest on an Intel machine.
>>>
>>> $ cat /etc/lsb-release
>>> DISTRIB_ID=Ubuntu
>>> DISTRIB_RELEASE=8.04
>>> DISTRIB_CODENAME=hardy
>>> DISTRIB_DESCRIPTION="Ubuntu 8.04.2"
>>
>> Let me guess, is it a 64-bit machine?
>
> Correct. Did I miss something?

Nope, I did.  It's a bug, but I only have 32 bit machines available to  
me.  Still, I'll try to work up a fix. Stay tuned.

In the meantime, this should not be a show stopper bug for you.  Just  
ignore these failures and have at it!

Thanks,
Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmBssEACgkQ2YZpQepbvXEwTgCbBP/TbiNtHpX78VNd+KNmTF/g
X9gAnAkNTOp/8TEDZ8ggR0BoZLo1Y4DI
=TeHT
-----END PGP SIGNATURE-----