
Re: Debian is secure, the debian lists are not.



-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 6 Aug 1998, Hanno Wagner wrote:

> I don't really like the situation.

Neither do I, believe me.
Please, calm down and read.

> At the moment I am very upset with Santiago.

Sorry to hear that.

> He first made a bugreport about the
> unsubscription of himself. He is actually one of two
> persons where this happened afaik. On the contrary, there are
> ~8000 subscribers to 55 lists, most of whom don't
> have problems.

I will repeat: This is a measure of security for which (IMHO) we should
not wait for the first case to happen.

> Second: There was a bugreport, going to listmaster.
> Because this was a bug which is caused by smartlist (and
> other things), we closed the bug. Btw: Santiago is the
> smartlist-maintainer, so he is responsible.

Yes, I'm the current smartlist maintainer, and smartlist was not originally
designed to be secure. But with the cookie patches, which were already
present in the debian listserver even before I added them to the Debian
package, it is. However, this will be useless if you, the list maintainers,
refuse to use the cookies. What you are asking of me, more or less, is
that I fix the insecure old behaviour when the cookies are much better.
This does not make sense to me.

> Anyway, we (Joey and me as listmasters) discussed this
> topic with Santiago. You can read the mails in the
> bugreport itself.

Yes, and neither did you convince me nor I you. Saying "this has
been discussed" does not solve the issue. At least not for me.

> We closed the discussion with some kind of agreement -
> every side wanted to improve the situation.

Well, I didn't close the discussion.

Yes, to improve the situation I offered to maintain the two spanish
lists myself, but you didn't answer. I would consider it a good thing to let the
lists be maintained by several people (call it the bazaar model, if you
like). Would you be in favour of this? (I assume that if I maintained
some lists, using cookies for those lists would be my choice).

> But now he
> started the discussion here - where it doesn't belong.

It belongs here when there is a clear disagreement between a package
maintainer and the user of a package. This happens very often
and the only sensible way to solve the issue is to ask third parties
for their opinion, as I did.

> The first time I saw the subject I was just ready to give
> up. To stop being listmaster. If someone agrees to stop a
> discussion you should do that - and not transfer it to a
> place where it doesn't belong. Why did you do that?
> Only for security reasons? Then fix smartlist. It is
> _your_ package we're running the list on.

I will repeat: The bug is already fixed: Just use the cookies for
unsubscriptions also.
> I will soon install the latest smartlist package. Maybe
> the bugs will be fixed in it.

Yes, as long as you respect the *defaults*, which is using cookies for
sub*** and unsub***, not only for subs****.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1

iQCVAgUBNcmeMCqK7IlOjMLFAQEXggP9F+d1eNenWGuzw2Ti5jxvprvAxjiLVgn0
bGTs5eoWxcA/IgL1MdoLxTlLEF3+krnZNycb9x3L2ceXUwnWJPupTGcnmxo41bP8
zeh/orqg6gqr8OhPPvy4J/giqS291CZxKOXW/I4SUOAh2Cv38JANOgcQxOCYPU8G
86SWQgp80jE=
=JOG6
-----END PGP SIGNATURE-----


--  
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
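The point argued in the message above is that a subscribe or unsubscribe command is only as trustworthy as its From: header, and that mailing a cookie back to the address concerned, and acting only when that cookie is returned, closes the gap for both actions. The following toy list server is an added illustration of that scheme, written for this page; it is not smartlist's code and makes no claim about how smartlist's cookie patches are implemented. Mail transport is simulated: `handle` returns the reply the server would send and to whom. The secret, addresses, clock values and the `cookie_for_subscribe`/`cookie_for_unsubscribe` policy switches are all constructed for the example.

```python
"""Toy model of cookie-confirmed list (un)subscription (added example, not smartlist)."""
import hashlib
import hmac
import secrets
import time


class ListServer:
    def __init__(self, secret, cookie_for_subscribe=True,
                 cookie_for_unsubscribe=True, ttl=3600, clock=time.time):
        self.secret = secret                      # listserver-wide HMAC key
        self.policy = {"subscribe": cookie_for_subscribe,
                       "unsubscribe": cookie_for_unsubscribe}
        self.ttl = ttl                            # cookie lifetime in seconds
        self.clock = clock                        # injectable for testing
        self.members = set()
        self.used_cookies = set()                 # a confirmed cookie is spent

    def _mac(self, payload):
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def _issue_cookie(self, address, action):
        # The cookie binds address, action and expiry; the MAC makes it
        # unforgeable and the nonce makes every cookie distinct.
        expires = int(self.clock()) + self.ttl
        nonce = secrets.token_hex(8)
        payload = f"{address}|{action}|{expires}|{nonce}"
        return f"{payload}|{self._mac(payload)}"

    def _apply(self, address, action):
        if action == "subscribe":
            self.members.add(address)
        else:
            self.members.discard(address)

    def handle(self, from_addr, subject):
        """Process one request mail; returns (recipient, reply text)."""
        words = subject.split()
        if words and words[0] in ("subscribe", "unsubscribe"):
            action = words[0]
            if "|" in from_addr:
                return (from_addr, "rejected: invalid address")
            if not self.policy[action]:
                # Old behaviour: trust From: and act at once. Anyone who can
                # put this address in From: can remove (or add) it.
                self._apply(from_addr, action)
                return (from_addr, f"{action}d {from_addr}")
            # Cookie behaviour: nothing changes yet. The cookie goes to the
            # address in From:, i.e. to the mailbox the request is about,
            # not to whoever actually sent the mail.
            cookie = self._issue_cookie(from_addr, action)
            return (from_addr, f"confirm {cookie}")
        if len(words) == 2 and words[0] == "confirm":
            return (from_addr, self.confirm(words[1]))
        return (from_addr, "rejected: unknown command")

    def confirm(self, cookie):
        parts = cookie.split("|")
        if len(parts) != 5:
            return "rejected: malformed cookie"
        address, action, expires, _nonce, mac = parts
        if not hmac.compare_digest(mac, self._mac("|".join(parts[:4]))):
            return "rejected: bad cookie"         # tampered or guessed
        if int(expires) < self.clock():
            return "rejected: expired cookie"
        if cookie in self.used_cookies:
            return "rejected: cookie already used"
        self.used_cookies.add(cookie)
        self._apply(address, action)
        return f"{action}d {address}"


def demo():
    """Contrast 'cookies for subscribe only' with the cookies-for-both default."""
    secret = b"constructed-example-secret-not-for-real-use"
    now = [1_000_000]                             # constructed fake clock
    clock = lambda: now[0]
    victim = "victim@example.org"                 # constructed address
    results = {}

    # (a) cookies only for subscriptions: a request carrying the victim's
    #     address in From: removes the victim immediately.
    old = ListServer(secret, cookie_for_unsubscribe=False, clock=clock)
    old.members.add(victim)
    old.handle(victim, "unsubscribe")
    results["spoof_removes_member_without_unsub_cookie"] = victim not in old.members

    # (b) defaults: both actions need a cookie.
    new = ListServer(secret, clock=clock)
    new.members.add(victim)
    to, reply = new.handle(victim, "unsubscribe")
    cookie = reply.split(" ", 1)[1]
    results["spoof_only_mails_cookie_to_victim"] = to == victim and victim in new.members
    tampered = cookie.replace("|unsubscribe|", "|subscribe|")
    results["tampered_rejected"] = new.confirm(tampered) == "rejected: bad cookie"
    results["victim_confirm_ok"] = new.handle(victim, f"confirm {cookie}")[1] == f"unsubscribed {victim}"
    results["member_removed"] = victim not in new.members
    results["replay_rejected"] = new.confirm(cookie) == "rejected: cookie already used"
    _, reply2 = new.handle(victim, "subscribe")
    now[0] += 7200                                # two hours later, ttl is one
    results["expired_rejected"] = new.confirm(reply2.split(" ", 1)[1]) == "rejected: expired cookie"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the asymmetry the message objects to: with the cookie switched off for unsubscriptions, case (a) drops the member on the strength of a forgeable header, while with the defaults the same request only produces a cookie in the member's own mailbox, and the cookie cannot be altered to another action, replayed, or used after it has expired.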

