Great Circle Associates Majordomo-Workers
(June 2000)
 


Subject: RE: [Debian] Majordomo will be removed (fwd)
From: "Skahan, Vince" <Vince . Skahan @ PSS . Boeing . com>
Date: Sun, 4 Jun 2000 20:18:55 -0700
To: "'Brock Rozen'" <brozen @ torah . org>
Cc: "'majordomo-workers @ greatcircle . com'" <majordomo-workers @ greatcircle . com>


Lots of people trying a new release doesn't make it ready
for prime time.  Folks with problems with the previous version
don't make the new one ready for prime time.

I wouldn't call mj2 anything other than alpha until it's ready.
Is it ready ?  I hear lots of things that lead me to think not.

I've certainly seen no postings in mj-workers that lead me
to think mj2 is ready. I see nothing leading me to believe that
mj2 is entering a 'release mode' of development.  That's
fine, it's a total rewrite on volunteer labor. It'll happen when (if)
it happens.

Let's talk about the current 1.94 release, given that you
install it per the faq. Is there the slightest reason to say it's
not a safe program to run given that you do the following ?
 - run sendmail+smrsh of a current vintage
 - remove world read/write as indicated in the faq
 - force all access to domo through smrsh

Most of the unix world uses sendmail.
Debian recommends smail as their mail transport.
Mandrake uses postfix.
Other distributions probably use something else.

Can majordomo be installed safely under alternate
MTAs in its present configuration ?  Don't know. 
Also don't care at this time.

As far as anybody's said, mj-1.94 is safe given
some post-installation tightening as per the faq
if you run sendmail+smrsh.

If that's not true, please let everybody know.

Regardless, one distribution who uses an alternate
MTA complaining that the software doesn't work with
smail is 'not' a reason to jump the gun on mj2 until
it's ready for prime time.

I'd suggest the mj2 efforts enter a 'no more changes'
except bug fixes mode before anybody assumes that
a release is in the foreseeable future.  From the minimal
postings to the mj-workers list, I haven't seen anything
like that even hinted.

Again, that's fine.  It's a volunteer effort.  But people
complaining about an alternate installation of mj-1.94
doesn't make mj2 any more or less ready for release.

-- 
-- Vince.Skahan@boeing.com  - -  - http://bcstec.ca.boeing.com/~vds/    --
The DoJ has determined that Linux has established and exploited a monopoly in the
nonproprietary UNIX market by means of predatory zero pricing and blatantly superior
implementation  - Stan Kelly-Bootle (Performance Computing - 9/98)

> ----------
> From: 	Brock Rozen[SMTP:brozen@torah.org]
> Sent: 	Saturday, June 03, 2000 10:25 PM
> To: 	Majordomo-Users Lists
> Cc: 	Chan Wilson; Mj2 Development Lists
> Subject: 	[Debian] Majordomo will be removed (fwd)
> 
> Needless to say -- this gives Majordomo a bad name.
> 
> IMHO, Mj2 should no longer be called 'alpha' and maybe get to the point of
> a general release (so many people are using it, so why not?)...
> 
> -- 
> Brock Rozen                                              brozen@torah.org
> 
> ---------- Forwarded message ----------
> Date: Sat, 3 Jun 2000 15:07:54 -0700
> From: Aleph One <aleph1@UNDERGROUND.ORG>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: [Debian] Majordomo will be removed
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - ------------------------------------------------------------------------
> Debian Security Advisory                             security@debian.org
> http://www.debian.org/security/                         Wichert Akkerman
> June  3, 2000
> - ------------------------------------------------------------------------
> 
> 
> Package        : majordomo
> Problem type   : local exploit
> Debian-specific: no
> 
> The majordomo package as shipped in the non-free section accompanying
> Debian GNU/Linux 2.1/slink allows any local user to trick majordomo into
> executing arbitrary code or to create or write files as the majordomo user
> anywhere on the filesystem.
> 
> This is a documented issue and the advised work around is to either have
> no untrusted users on a system running majordomo or to use a setuid
> wrapper that the MTA delivery agent can run.
> suboptimal solution.
> 
> We feel that those options are not a good solution, but unfortunately the
> majordomo license does not allow us to fix these problems and distribute a
> fixed version. As a result we have decided to remove majordomo from our
> archives.
> 
> If you are using majordomo we recommend that you replace it with one
> of the many other mailing-list tools available such as fml, mailman
> or smartlist.
> 
> - --
> - ----------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable updates
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
> Mailing list: debian-security-announce@lists.debian.org
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> 
> iQB1AwUBOTlZ/6jZR/ntlUftAQFQ6QL/XyB4EprpjY4D2eusMd9PR+UKKh0jI7Zi
> IMWf0Avik9wN6HWba64kODvePxKChnh7z2jvG3hz8CIZr6siYsTuFWtu2UkVhdZj
> THnYqB87Sqp7XIdO46R7qjnLU0KibPqQ
> =w/uo
> -----END PGP SIGNATURE-----
> 
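
An added example, not part of the original message and not Majordomo or Debian code: a small Python audit of two of the tightening steps the reply lists (no world read/write on the install, every alias pipe reachable through smrsh). The directory layout, file names and aliases below are constructed for illustration; the only behaviour assumed is that smrsh runs a program solely when its basename exists in smrsh's own directory.

```python
import os
import re
import stat
import tempfile
# Constructed aliases file; paths and list names are illustrative only.
SAMPLE_ALIASES = '''\
majordomo: "|/usr/lib/majordomo/wrapper majordomo"
test-list: "|/usr/lib/majordomo/wrapper resend -l test-list test-list-outgoing"
owner-test-list: postmaster
legacy: "|/usr/local/bin/oldfilter"
'''
PIPE = re.compile(r'"?\|\s*([^\s",]+)')  # program path after a delivery pipe

def world_accessible(root):
    """Paths under root whose mode grants read or write to 'other'."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & (stat.S_IROTH | stat.S_IWOTH):
                flagged.append(path)
    return sorted(flagged)

def pipe_programs(aliases_text):
    """Program path of every |program delivery, skipping comment lines."""
    lines = [ln for ln in aliases_text.splitlines() if not ln.lstrip().startswith("#")]
    return [prog for ln in lines for prog in PIPE.findall(ln)]

def missing_from_smrsh(programs, smrsh_dir):
    """smrsh runs a program only if its basename exists in its own directory."""
    allowed = set(os.listdir(smrsh_dir))
    return sorted({p for p in programs if os.path.basename(p) not in allowed})

def demo():
    """Build a constructed install in a temp dir and audit it."""
    base = tempfile.mkdtemp()
    home, smrsh = os.path.join(base, "majordomo"), os.path.join(base, "smrsh")
    os.mkdir(home, 0o750)
    os.mkdir(smrsh)
    for name, mode in (("majordomo.cf", 0o644), ("example-list.config", 0o640)):
        path = os.path.join(home, name)
        open(path, "w").close()
        os.chmod(path, mode)
    open(os.path.join(smrsh, "wrapper"), "w").close()
    loose = [os.path.basename(p) for p in world_accessible(home)]
    return loose, missing_from_smrsh(pipe_programs(SAMPLE_ALIASES), smrsh)

if __name__ == "__main__":
    print(demo())
```

On a real host, point `world_accessible` at the Majordomo install directory and `missing_from_smrsh` at the smrsh program directory configured for that sendmail build.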


