[Mailman-Users] any info on this reported exploit?
Brad Knowles
brad at stop.mail-abuse.org
Sat Jan 28 11:11:37 CET 2006
At 12:43 AM -0500 2006-01-28, Jim Popovitch wrote:
> No. What I am suggesting/recommending is this: If the developers know
> on Monday of some super secret issue, and presumably they won't have a
> robust fully-tested solution until Friday, I want them to tell me in
> no-detail to alert me to be prepared for a Friday emergency patch. How
> is that risky?
But on Monday, they may not know how long it will take them to
create a patch. It might turn out to be a simple matter that can be
fixed by Tuesday morning, or it might be complex and take weeks or
months.
But when they make that initial announcement, assuming no one
else has posted something to some other mailing list, they're
basically firing the starter's pistol for the blackhats to race to
locate the bug and start exploiting it before a patch can be issued.
I think they need to hold off a little while longer on making
that initial announcement, at least until they know enough about the
problem to have a good idea how long it's going to take to create the
patch, how widespread the problem is, what the overall risk is,
etc.
In the case of the most recent issue, Tokio apparently felt that
it was a reasonably low-risk item and he fixed the bug (along with a
number of other problems) during the normal release cycle. It wasn't
until others came along and decided to call this a potential DoS
attack that people like you started screaming.
> You mischaracterize (yet again?) what I am saying. I am not advocating
> for the developers to work more, or differently. I am only asking for a
> "heads up", not a last minute announcement.
I don't think a last minute announcement is a good idea, but then
I also don't think it's a good idea to run around like Chicken Little
screaming that the sky is falling every time something comes up and
before we've had enough time to look into the issue, gauge the
potential risk and how many people might be affected, and have a
decent idea of how long it's going to take to create a patch.
I think we need to compromise somewhere in the middle, and I
think we have to trust the Mailman developers to do that.
> My thoughts exactly. I trust them to do the work and produce a fix.
> Again, all I am advocating is that if they are spending 6 days on a fix,
> don't wait until the 7th day to fill us in. Let us know up front that
> they are working a possible fix that may need to be applied. Where's
> the harm in that?
In most cases, when you're developing a fix for some bug, you may
know that you've spent six days so far on the problem, but you may
not have much of an idea of how much longer it's going to take you.
If you make the seven-day announcement one day into a problem
that actually takes you a month, explain to me how this is a good
thing.
> Again, you misunderstand my interests. I don't want info on the hack,
> I want a "heads-up" that <unidentified> fix is in the pipe and sysadmins
> can expect it late Friday (or whenever). Again, how is that so egregious?
And I think you misunderstand the development process. Many
times you don't know how long it's going to take you until you've
done it.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.