From barry at list.org Wed Sep 1 17:59:08 2010
From: barry at list.org (Barry Warsaw)
Date: Wed, 1 Sep 2010 11:59:08 -0400
Subject: [Mailman-Developers] REST server status and MM3.0alpha6 soon
Message-ID: <20100901115908.7fb8e2e3@mission>

Just a heads up that I've *finally* managed to wrestle restish, webob, and cgi
to the ground and hack in PATCH support for the Mailman 3 REST server. It's a
kludge but it works.

This was one of the last things I needed to do before I could release
3.0alpha6, so look for that in the next day or so.

How goes the new web ui work?

-Barry

From f at state-of-mind.de Wed Sep 1 20:41:29 2010
From: f at state-of-mind.de (Florian Fuchs)
Date: Wed, 1 Sep 2010 20:41:29 +0200
Subject: [Mailman-Developers] REST server status and MM3.0alpha6 soon
In-Reply-To: <20100901115908.7fb8e2e3@mission>
References: <20100901115908.7fb8e2e3@mission>
Message-ID:

> Just a heads up that I've *finally* managed to wrestle restish, webob, and cgi
> to the ground and hack in PATCH support for the Mailman 3 REST server.

Yeah! :-)

> How goes the new web ui work?

Anna Granudd has implemented all items from her gsoc project and she plans to
continue working on the UI until it's finished (which is great!). A lot of the
things the UI can do still use mock data, but it sounds like some of that can
be changed now that PATCH is supported by the API...
(If you're interested in how it's been done: There's a copy of the client
library in the django app folder, along with a mockdata.py file which holds
decorators so the original client methods remain mainly untouched:
http://bazaar.launchpad.net/~mailmanweb-django/+junk/dev/files)

Next steps:
- implement Claudia Fleiner's navigation, improve the general layout/css
- remove the mock decorators and implement the real REST calls in the client
  lib as well as the django app

@Barry: There's still a pending review/merge request concerning the client
library on launchpad. I don't know if it makes sense to do the review now
(since PATCH is ready but has not yet been added to the lib). But maybe you
can have a quick look to see if it's generally going the right way...?

Cheers
Florian

From mark at msapiro.net Sun Sep 5 02:59:21 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 04 Sep 2010 17:59:21 -0700
Subject: [Mailman-Developers] Mailman security patch.
Message-ID: <4C82EB69.9000506@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I plan to release a Mailman 2.1.14 candidate release towards the end of
next week (Sept 9 or 10). This release will have enhanced XSS defenses
addressing two recently discovered vulnerabilities. Since release of the
code will potentially expose the vulnerabilities, I plan to publish a
patch against the 2.1.13 base with the fix before actually releasing the
2.1.14 candidate.

I will post the patch to the same 4 lists that this post is being sent
to in the early afternoon, GMT, on September 9.

The vulnerabilities are obscure and can only be exploited by a list
owner, but if you are concerned about them you can plan to install the
patch.

The patch is small (34 line diff), only affects two modules and doesn't
require a Mailman restart to be effective, although I would recommend a
restart as soon as convenient after applying the patch.
- --
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMgutpVVuXXpU7hpMRAsX1AJ48C0RxSpV7r9lg3J0V7OTs44ISqgCgn1wX
LZ5RkuGLo0r04eDNYOBDYpo=
=gscN
-----END PGP SIGNATURE-----

From mark at msapiro.net Thu Sep 9 15:46:16 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 09 Sep 2010 06:46:16 -0700
Subject: [Mailman-Developers] [Mailman-Announce] Mailman security patch.
In-Reply-To: <4C82EB69.9000506@msapiro.net>
References: <4C82EB69.9000506@msapiro.net>
Message-ID: <4C88E528.9050405@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/4/2010 5:59 PM, Mark Sapiro wrote:
> I plan to release a Mailman 2.1.14 candidate release towards the end of
> next week (Sept 9 or 10). This release will have enhanced XSS defenses
> addressing two recently discovered vulnerabilities. Since release of the
> code will potentially expose the vulnerabilities, I plan to publish a
> patch against the 2.1.13 base with the fix before actually releasing the
> 2.1.14 candidate.
>
> I will post the patch to the same 4 lists that this post is being sent
> to in the early afternoon, GMT, on September 9.
>
> The vulnerabilities are obscure and can only be exploited by a list
> owner, but if you are concerned about them you can plan to install the
> patch.

The patch is attached. Since it only affects the web CGIs, it can be
applied and will be effective without restarting Mailman, although since
it includes a patch to Utils.py which is imported by the qrunners, a
restart of Mailman is advisable as soon as convenient after applying the
patch.

- --
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiOUnVVuXXpU7hpMRAkWlAJoCqVN2gSlNummYeDfq+BHcVfSKhACg5qrJ
7Idyd0aET0xWy11P6njxT3w=
=9uxx
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xss.patch.txt
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xss.patch.txt.sig
Type: application/octet-stream
Size: 65 bytes
Desc: not available
URL:

From barry at list.org Thu Sep 9 16:41:22 2010
From: barry at list.org (Barry Warsaw)
Date: Thu, 9 Sep 2010 10:41:22 -0400
Subject: [Mailman-Developers] [Mailman-Announce] Mailman security patch.
In-Reply-To: <4C88E528.9050405@msapiro.net>
References: <4C82EB69.9000506@msapiro.net> <4C88E528.9050405@msapiro.net>
Message-ID: <20100909104122.544829c5@mission>

On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:

>The patch is attached. Since it only affects the web CGIs, it can be
>applied and will be effective without restarting Mailman, although
>since it includes a patch to Utils.py which is imported by the
>qrunners, a restart of Mailman is advisable as soon as convenient
>after applying the patch.

Thanks Mark!
-Barry

From mark at msapiro.net Thu Sep 9 23:43:15 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 09 Sep 2010 14:43:15 -0700
Subject: [Mailman-Developers] Mailman 2.1.14rc1 released.
Message-ID: <4C8954F3.1090305@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am happy to announce the first release candidate for the 2.1.14 release
of the 2.1 stable maintenance branch of GNU Mailman.

Mailman 2.1.14rc1 is mainly a bug fix release, but it contains one
security fix as previously announced at and one new feature.
This new feature controls the addition/replacement of the Sender: header
in outgoing mail. This allows a list owner to set include_sender_header
on the list's General Options page in the admin GUI. The default for this
setting is Yes which preserves the prior behavior of removing any
pre-existing Sender: and setting it to the list's -bounces address.
Setting this to No stops Mailman from adding or modifying the Sender: at
all. Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No to
remove the include_sender_header setting from General Options, and thus
preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is recommended.

See the changelog at for more details.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and SourceForge.net
mailing lists, as well as at hundreds of other sites.

For more information, please see:

http://www.list.org
http://www.gnu.org/software/mailman

Mailman 2.1.14rc1 can be downloaded from

https://launchpad.net/mailman/2.1/
http://ftp.gnu.org/gnu/mailman/

- --
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMiVTzVVuXXpU7hpMRAoOBAJ9toQK+LGWfIW0GQ3bwGd7oQlDUJACfe+8a
wyxtS0VdLRJfjicrVGewmyA=
=uGQl
-----END PGP SIGNATURE-----

From jimpop at gmail.com Fri Sep 10 01:06:10 2010
From: jimpop at gmail.com (Jim Popovitch)
Date: Thu, 9 Sep 2010 19:06:10 -0400
Subject: [Mailman-Developers] [Mailman-Announce] Mailman security patch.
In-Reply-To: <20100909104122.544829c5@mission>
References: <4C82EB69.9000506@msapiro.net> <4C88E528.9050405@msapiro.net> <20100909104122.544829c5@mission>
Message-ID:

Mark,

I just wanted to send a Thank You for the way this security patch was
handled. The heads-up email was perfect and very much appreciated.
Thank you also, to yourself, Barry, and ALL the Mailman Developers, for
the high quality of work that goes into Mailman.

-Jim P.

On Thu, Sep 9, 2010 at 10:41, Barry Warsaw wrote:
> On Sep 09, 2010, at 06:46 AM, Mark Sapiro wrote:
>
>>The patch is attached. Since it only affects the web CGIs, it can be
>>applied and will be effective without restarting Mailman, although
>>since it includes a patch to Utils.py which is imported by the
>>qrunners, a restart of Mailman is advisable as soon as convenient
>>after applying the patch.
>
> Thanks Mark!
> -Barry
>
> _______________________________________________
> Mailman-announce mailing list
> Mailman-announce at python.org
> http://mail.python.org/mailman/listinfo/mailman-announce
> Member address: jimpop at gmail.com
> Unsubscribe: http://mail.python.org/mailman/options/mailman-announce/jimpop%40gmail.com
>
>

From mark at msapiro.net Mon Sep 20 21:32:39 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 20 Sep 2010 12:32:39 -0700
Subject: [Mailman-Developers] Mailman 2.1.14 released.
Message-ID: <4C97B6D7.8040904@msapiro.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am happy to announce the final release of GNU Mailman 2.1.14.

Mailman 2.1.14 is mainly a bug fix release, but it contains one security
fix as previously announced at and one new feature. It differs from the
previously released 2.1.14rc1 only in wording clarifications and typo
corrections in a few messages.

This new feature controls the addition/replacement of the Sender: header
in outgoing mail. This allows a list owner to set include_sender_header
on the list's General Options page in the admin GUI. The default for this
setting is Yes which preserves the prior behavior of removing any
pre-existing Sender: and setting it to the list's -bounces address.
Setting this to No stops Mailman from adding or modifying the Sender: at
all.
Additionally, there is a new Defaults.py/mm_cfg.py setting
ALLOW_SENDER_OVERRIDES which defaults to Yes but which can be set to No to
remove the include_sender_header setting from General Options, and thus
preserve the prior behavior completely.

Python 2.4 is the minimum supported, but Python 2.5 or 2.6 is recommended.

See the changelog at for more details.

Mailman is free software for managing email mailing lists and
e-newsletters. Mailman is used for all the python.org and SourceForge.net
mailing lists, as well as at hundreds of other sites.

For more information, please see:

http://www.list.org
http://www.gnu.org/software/mailman

Mailman 2.1.14 can be downloaded from

https://launchpad.net/mailman/2.1/
http://ftp.gnu.org/gnu/mailman/

- --
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFMl7bXVVuXXpU7hpMRAtKyAJ4hnS08i71tx9nx1iG9wkGI9FalggCgqjnF
3CvTQeW7TOY76+u/KBNBGuM=
=we0d
-----END PGP SIGNATURE-----

From barry at list.org Tue Sep 21 00:24:22 2010
From: barry at list.org (Barry Warsaw)
Date: Mon, 20 Sep 2010 18:24:22 -0400
Subject: [Mailman-Developers] RELEASED: Mailman 3.0 alpha 6
Message-ID: <20100920182422.7d88704f@mission>

I am happy (and somewhat relieved :) to announce the release of the sixth
alpha for Mailman 3.0. There is much new coolness that you will want to
explore.

The biggest change is that the administrative REST API has been greatly
improved and is now reasonably well fleshed out. You can create and delete
domains and mailing lists, subscribe and unsubscribe members, and
reconfigure your mailing lists through the REST API. The documentation has
specific examples of how to do it. This means that you can actually start
to try to integrate Mailman with your web sites.
The big push between now and the first beta will be to complete the import
of Mailman 2.1 data, and integrate it with the UI work done by Anna and
Florian for the GSoC.

The tarball can be downloaded from Launchpad or the Cheeseshop:

https://edge.launchpad.net/mailman
http://pypi.python.org/pypi/mailman/3.0.0a6

The full documentation is also available online:

http://packages.python.org/mailman/docs/README.html

See below for the changes since alpha 5. Please note that Mailman 3 is not
yet ready for production, although we'd love it if you test it and provide
feedback!

Enjoy,
-Barry

3.0 alpha 6 -- "Cut to the Chase"
=================================
(2010-09-20)

Commands
--------
 * The functionality of 'bin/list_members' has been moved to
   'bin/mailman members'.
 * 'bin/mailman info' -v/--verbose output displays the file system layout
   paths Mailman is currently configured to use.

Configuration
-------------
 * You can now configure the paths Mailman uses for queue files, lock
   files, data files, etc. via the configuration file. Define a file system
   'layout' and then select that layout in the [mailman] section. Default
   layouts include 'local' for putting everything in /var/tmp/mailman,
   'dev' for local development, and 'fhs' for Filesystem Hierarchy Standard
   2.3 (LP #490144).
 * Queue file directories now live in $var_dir/queues.

REST
----
 * lazr.restful has been replaced by restish as the REST publishing
   technology used by Mailman.
 * New REST API for getting all the members of a roster for a specific
   mailing list.
 * New REST API for getting and setting a mailing list's configuration. GET
   and PUT are supported to retrieve the current configuration, and set all
   the list's writable attributes in one request. PATCH is supported to
   partially update a mailing list's configuration. Individual options can
   be set and retrieved by using subpaths.
 * Subscribing an already subscribed member via REST now returns a 409 HTTP
   error.
   LP: #552917
 * Fixed a bug when deleting a list via the REST API. LP: #601899

Architecture
------------
 * X-BeenThere header is removed.
 * Mailman no longer touches the Sender or Errors-To headers.
 * Chain actions can now fire Zope events in their _process()
   implementations.
 * Environment variable $MAILMAN_VAR_DIR can be used to control the var/
   directory for Mailman's runtime files. New environment variable
   $MAILMAN_UNDER_MASTER_CONTROL is used instead of the qrunner's
   --subproc/-s option.

Miscellaneous
-------------
 * Allow X-Approved and X-Approve headers, equivalent to Approved and
   Approve. LP: #557750
 * Various test failure fixes. LP: #543618, LP: #544477
 * List-Post header is retained in MIME digest messages. LP: #526143
 * Importing from a Mailman 2.1.x list is partially supported.

From hostmaster at uuism.net Sat Sep 25 21:41:36 2010
From: hostmaster at uuism.net (UUN Hostmaster)
Date: Sat, 25 Sep 2010 14:41:36 -0500
Subject: [Mailman-Developers] zc.buildout.buildout error message with installing mailman-3.0.0a6
Message-ID:

When I try to install mailman-3.0.0a6, I receive the following error
message:

[root at host mailman-3.0.0a6]# python2.6 bootstrap.py
Downloading http://pypi.python.org/packages/2.6/s/setuptools/setuptools-0.6c11-py2.6.egg
[root at host mailman-3.0.0a6]# ./bin/buildout
Traceback (most recent call last):
  File "./bin/buildout", line 17, in
    import zc.buildout.buildout
ImportError: No module named zc.buildout.buildout

Where do I obtain the module zc.buildout.buildout?

Thanks.
Jim
-----
Jim Hermann
UUism Networks > Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-----

From barry at list.org Mon Sep 27 14:34:39 2010
From: barry at list.org (Barry Warsaw)
Date: Mon, 27 Sep 2010 08:34:39 -0400
Subject: [Mailman-Developers] zc.buildout.buildout error message with installing mailman-3.0.0a6
In-Reply-To:
References:
Message-ID: <20100927083439.325d28f8@mission>

On Sep 25, 2010, at 02:41 PM, UUN Hostmaster wrote:

>When I try to install mailman-3.0.0a6, I receive the following error
>message:
>
>[root at host mailman-3.0.0a6]# python2.6 bootstrap.py
>Downloading
>http://pypi.python.org/packages/2.6/s/setuptools/setuptools-0.6c11-py2.6.egg
>[root at host mailman-3.0.0a6]# ./bin/buildout
>Traceback (most recent call last):
> File "./bin/buildout", line 17, in
> import zc.buildout.buildout
>ImportError: No module named zc.buildout.buildout
>
>Where do I obtain the module zc.buildout.buildout?

You shouldn't need to get it from anywhere, iiuc. There should be a
zc.buildout in your eggs directory. It looks like bootstrap did not run
completely for you. Here's what I get on a fresh 3.0 tree of bzr tip:

% python bootstrap.py
Downloading http://pypi.python.org/packages/2.6/s/setuptools/setuptools-0.6c11-py2.6.egg
Creating directory '/home/barry/projects/mailman/3.0/bin'.
Creating directory '/home/barry/projects/mailman/3.0/parts'.
Creating directory '/home/barry/projects/mailman/3.0/eggs'.
Creating directory '/home/barry/projects/mailman/3.0/develop-eggs'.
Getting distribution for 'setuptools'.
Got setuptools 0.6c12dev-r84273.
Generated script '/home/barry/projects/mailman/3.0/bin/buildout'.
% ls eggs
setuptools-0.6c12dev_r84273-py2.6.egg/ zc.buildout-1.5.1-py2.6.egg/
% ls bin
buildout*

What OS are you on and where did your python2.6 come from?

-Barry