SAC,

I'll make a motion to turn off the reminders in a separate mail.
The argumentation is in this mail (ignore in case you don't want to
bother).

Thanks for bringing this up. I have been using mailman for so long
that I do not see these things anymore. Unfortunately it is a broader
issue, I'll try to expand here.

New people will potentially use their "secure" password trusting that
we deal with it in a secure manner. Which we (or rather mailman)
obviously don't! Therefore we can obviously not continue proceeding as
we did so far. More inline.

On 12/01/2012 07:38 PM, Alex Mandel wrote:
> On 12/01/2012 11:27 AM, Eli Adam wrote:
>> On Sat, Dec 1, 2012 at 11:14 AM, Alex Mandel
>> <tech_dev@wildintellect.com> wrote:
>>> I have not seen such a request before. I will note that the
>>> behavior is the same for every mailman list I'm subscribed to
>>> on the web. I don't think mailing list preference passwords are
>>> typically considered secure.
>>>
>>> That said, it's not a bad idea to research options to make it
>>> more secure.
>>>
>>> Quick search says, we should simply disable the monthly
>>> reminders. Supposedly updates to mailman years ago should have
>>> moved to hashed passwords and not auto-mailing them, but I
>>> don't see any evidence that those patches were ever released.
>>> It may be good policy to universally disable this.
>>> Right now the user already has complete control and can make
>>> their own decisions.
>>>
>>> Copied from logging into an OSGeo list:
>>>
>>> *Get password reminder email for this list?*
>>> Once a month, you will get an email containing a password
>>> reminder for every list at this host to which you are subscribed.
>>> You can turn this off on a per-list basis by selecting *No* for
>>> this option. If you turn off password reminders for all the lists
>>> you are subscribed to, no reminder email will be sent to you.
>>> No  Yes
>>> *Set globally*
>>>
>> Is this thread about universally establishing good policy for all
>> users or helping 1 user change their settings to how they like
>> them?
>>
>> Eli
>
> Universal good policy. Users seem to expect the default to be that
> a password is somewhat secure (even if it's not true or they are
> told it isn't so).

The very concept of "password" is security. Therefore in my opinion we
cannot just say that we don't deal with it in secure ways. We know
that people do not bother to read terms-of-service or any other
fine print (http://tos-dr.info).

> Note I have not seen a way to do this for all lists at once, might
> need to be done 1 list at a time. I have also failed to find where
> to set it to store encrypted passwords.

To do this properly our system would have to send a one time token in
a link to our website and ask the user to interactively change the
password. Any sending around of passwords via mail is a no-go.

> Yes, users can opt out of the reminders themselves, I have my
> doubts users will ever find/see that.

Correct. But even if people turn it off we would still not have a safe
way of resetting user passwords because we should not have it in
unencrypted form anywhere on our system anyway.

> I'll note password notification can be requested from the list page
> at any time by any user who needs it, so disabling the reminders
> loses no functionality.

Yes, but we are still not secure at all when we send it unencrypted
via email.

> Some have noted that mailman for regular users shouldn't even
> bother with passwords as everything could be done via email
> verification (things sent to the email address).

This is probably the only right way of doing it. What implications
will this have on our Spam issues? We do need to have a certain
barrier of entry making sure that humans with some intention can get
into a mailing list, even if only to prevent automated spam.
What do we lose? A monthly reminder that this list exists and that you
are subscribed to it. Is that something we cannot afford to miss?

> Any mailman admins up for trying to change the settings? Perhaps
> changing the default value for new list creation too?

I support deactivating reminders. Let's see if anybody else has
something to say that we might have forgotten. If not I suggest to
switch this setting off maybe in a week, if necessary I will go through

We can't be the only ones with this problem?!

Cheers,
Arnulf
> Thanks,
> Alex
>
> _______________________________________________
> Sac mailing list
> Sac@lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/sac

--
Seven of Nine
http://arnulf.us/Seven
Exploring Body, Space and Mind
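A script for the job Alex asks about above (switch the reminders off on every existing list and change the default for new ones), added here as an example; it is not from the thread or from the Mailman project. It assumes a stock Mailman 2.1 layout under /usr/lib/mailman (MAILMAN_PREFIX) and uses Mailman's own bin/list_lists, bin/config_list and the send_reminders / DEFAULT_SEND_REMINDERS settings.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Mailman project.
# Turns off Mailman 2.1 monthly password reminders for every existing list
# and for lists created later. send_reminders is the per-list attribute behind
# "Send monthly password reminders?" in General Options; DEFAULT_SEND_REMINDERS
# is the site-wide default a new list is initialised from.
# Assumptions: stock layout under MAILMAN_PREFIX, run as root or the mailman
# user (bin/config_list rewrites the list's config.pck).
set -eu

MAILMAN_PREFIX="${MAILMAN_PREFIX:-/usr/lib/mailman}"   # assumed install path

# Settings fragment in the form bin/config_list -i expects (Python assignments).
reminder_settings() {
    printf '%s\n' '# SAC: never mail subscriber passwords' 'send_reminders = 0'
}

# Apply the fragment to one list.
disable_reminders_for_list() {
    tmp=$(mktemp)
    reminder_settings > "$tmp"
    "$MAILMAN_PREFIX/bin/config_list" -i "$tmp" "$1"
    rm -f "$tmp"
}

# Walk every list on the host; -b prints bare list names, one per line.
disable_reminders_everywhere() {
    "$MAILMAN_PREFIX/bin/list_lists" -b | while read -r list; do
        disable_reminders_for_list "$list"
    done
}

# Make newly created lists start with reminders off by overriding the default
# in the site config file (Mailman/mm_cfg.py); an earlier setting is replaced.
set_default_for_new_lists() {
    cfg="$1"
    tmp=$(mktemp)
    grep -v -e '^DEFAULT_SEND_REMINDERS' -e '^# SAC: never mail' "$cfg" > "$tmp" || true
    printf '%s\n' '# SAC: never mail subscriber passwords' 'DEFAULT_SEND_REMINDERS = 0' >> "$tmp"
    cat "$tmp" > "$cfg"   # cat, not mv, so ownership and mode of mm_cfg.py stay intact
    rm -f "$tmp"
}

# Only touch the live installation when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    disable_reminders_everywhere
    set_default_for_new_lists "$MAILMAN_PREFIX/Mailman/mm_cfg.py"
    echo "done; the reminders are sent by cron/mailpasswds, drop that crontab entry to stop them for good"
fi
```

Run it as `sh disable-reminders.sh apply` on the list server; without the argument it only defines the functions, so it can be sourced and checked first.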