Bugtraq mailing list archives

Re: Duplicate List Messages [I guess there's a serious majordomo bug...]


From: gtoal () an-teallach com (Graham Toal)
Date: Wed, 8 Jun 1994 18:45:14 +0100


: 1. the bugtraq list has a lot of hackers on it.
: : Posting a hole to it gives it a very wide distribution.

Erm... well... just think for a moment about why the list was
created in the first place.  It was the fact that it was specifically
created as a full-disclosure list in revolt against the CERT style, 
and suddenly I seemed to be seeing the same sort of behaviour...
it wasn't the details of this particular problem that annoyed me
but the apparent hypocrisy.

: and finally
: 4. the owner of the machine that bugtraq runs on hadn't patched the hole yet.

: I don't blame Scott for wanting to wait a few hours.  It'd be pretty

No, neither do I now that I know it _was_ just a few hours.  At the time
I posted that the bugtraq duplicate problem had been happening for almost
a day, so I inferred they'd known about it for a day, so the chances
were that if one day had gone by without comment, several more could
too.  As it turned out he got the patch out pretty quick and I was
probably wrong to sound as intemperate as I did.

However if he'd mentioned the problem earlier I could have told him
how to fix it because we recently fixed a similar problem (almost
identical in fact) on the pgp keyserver managers list.  This is a
generic problem with *any* perl (and a few other languages) program
that invokes commands like sendmail with user-supplied arguments
masquerading as reply addresses.  (And we were in a similar position
to the majordomo people, I guess, in that we have a mailing list; the
only difference I guess is that we *know* every single user of the
package is on the mailing list so there's definitely no need to publicise
the bug elsewhere before all the sites that had it were fixed)

The correct way to write such programs needs a bit more publicity
I suspect.  I'd knock up a 'how to' except that I'm really up to
my ankles in alligators at the moment and will be for the next month...

G
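
The class of bug described in this message, a Perl program passing a user-supplied reply address to sendmail, shown beside one hardened form. This is an added example, not part of the original post and not code from majordomo or the keyserver software. The names `is_safe_address` and `send_reply`, the allow-list pattern, and the use of `cat` as a stand-in mailer are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;

# The risky pattern (for contrast, never run here): a one-string pipe open
# is handed to /bin/sh, so shell metacharacters in the "address" are
# interpreted by the shell.
#   open(MAIL, "|/usr/lib/sendmail $reply_to");

# Conservative allow-list (an assumption; narrower than RFC 5322 allows).
# \A and \z anchor the whole string, so an embedded newline cannot smuggle
# extra header lines past the check.
sub is_safe_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return 0 if $addr =~ /\A-/;    # must never look like an option
    return $addr =~ /\A[A-Za-z0-9._+=-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Hardened form. $mailer is an array ref fixed by the program, never taken
# from input; the list-form pipe open execs it directly, without a shell.
# The address travels in the To: header (sendmail -t reads recipients from
# the headers), so it never appears on a command line.
sub send_reply {
    my ($mailer, $reply_to, $subject, $body) = @_;
    die "refusing unsafe reply address\n" unless is_safe_address($reply_to);
    $subject =~ s/[\r\n]+/ /g;     # keep the Subject header on one line
    open(my $mail, '|-', @$mailer) or die "cannot run $mailer->[0]: $!\n";
    print {$mail} "To: $reply_to\nSubject: $subject\n\n$body\n";
    close($mail) or die "mailer failed (status $?)\n";
    return 1;
}

# Constructed inputs. 'cat' stands in for the mailer so this runs offline;
# a real caller would pass ['/usr/lib/sendmail', '-oi', '-t'].
my @samples = (
    'user@example.org',
    'user@example.org; true',
    '-x@example.org',
    "user\@example.org\nBcc: other\@example.org",
);
for my $addr (@samples) {
    (my $shown = $addr) =~ s/\n/\\n/g;
    my $ok = eval { send_reply(['cat'], $addr, 'Re: your request', 'Done.') };
    print $ok ? "accepted: $shown\n\n" : "rejected: $shown\n";
}
```

Only the first constructed address is accepted; the other three are rejected before any process is started.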


