[Mailman-Users] any info on this reported exploit?

[Jim Popovitch]

Stephen J. Turnbull wrote:
> 
> 5.  Security patches are asynchronous, like earthquakes, they happen
>  when they happen.

Very bad analogy.  Hurricanes would be better.  There is plenty of
potential for user-base warning before a patch is to be released.

> If the patch comes out on Friday at 4:45, I would cancel that dinner 
> date with my daughter.  Wouldn't you?  What difference would notice 
> on Tuesday that a patch is expected sometime on Friday make to that 
> decision, anyway?

Your daughter would presumably rather know on Tuesday that her Friday
dinner with dad is canceled.  That way she could make other plans, etc. 
  Change "daughter" to "wife" and ask yourself how long your wife would 
remain if you kept canceling Friday dinner at the last minute.  Now look 
at it from a business standpoint and try and convince my customers that 
they should expect their service to be down at any point in time to do 
unplanned system upgrades.

> In sum, I just don't see what benefit there is to the process you 
> outline relative to current policy.  The information doesn't make 
> anyone more secure

No one is advocating that more info means more security.  More info just
means that users aren't the only ones in the dark.  If the hack is out
and the developers are working on it, who is left to inform... THE USERS
OF THE PRODUCT.  Why leave us in the dark?

> (unless they're willing to shut down their systems from announcement
> that "we're worried" until a workaround or fix is available)

That is an option that I reserve the right to make the decision on. 
Don't remove my capability to make that decision by hiding the info.

> communication with users will slow production of the fix but won't
> reduce the variance on when it gets released, and it's a 
> non-negligible burden on the developers.

I don't believe that one bit, certainly not in the scenario that I 
described.

-Jim P.