Mailman 3 March 2017 - Mailman-Developers

before next release: disable backscatter in default installation
by Jo Rhett 07 Nov '22

07 Nov '22

Hi. There's a fairly simple problem here that needs to be addressed. And it's mostly a documentation/install problem. I'm hoping we can get this resolved before the next release. PROBLEM: Mailman comes out of the box ready to backscatter spam people. Yes, it's easy enough to fix. But because it comes stock this way, and is documented to install this way, most people install it to do this. Those of us who work in abuse departments are tired of hearing "well that's how Mailman works". We also object to having to teach people how to fix their mailman installations because it's not documented in the current manual. This is *exactly* like Sendmail 14 years ago. We didn't accept it then, and Sendmail fixed the problem. RESOLUTION: Mailman default installation should not backscatter in a default configuration. 1. Don't create backscatter aliases for subscribe/unsubscribe/etc by default. Nearly everyone uses web based signup. 2. Discard or hold messages from non-subscribers by default. I would think that it would be perfectly reasonable to have documentation on how to enable the 1980s-style -request / -subscribe etc aliases. However this documentation should have a note that this is against the AUP of nearly every network provider, and enabling it will likely cause them to get listed in various blacklists as a backscatter source. FYI: I know that this goes against the instincts of many old-time mailing list advocates here. But after dealing with a 10k/hour backscatter DoS my tolerance for this problem is understandably limited. Yes, it was a sweet day back in the 1980s. I was running a mailing list server and several UUCP gateways at the time, so I remember them well. But those days are past, and we need to deal with the reality of today. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

21 168

Discourse Integration
by Stephen J. Turnbull 25 Jul '17

25 Jul '17

Vaibhav Lohani writes: > There was a mention of integrating mailman 3 with discourse some > times back. I am interested in working on it. Is someone else > interested in it or already working on it ? I don't know of anyone who is currently working on it, nor do we have specific plans at the moment. What sort of integration do you have in mind? Steve

2 1

Encrypted lists predictable difficulties and implementation needs
by J.B. Nicholson 19 Apr '17

19 Apr '17

Bhavishya Desai wrote: > Now I would like to know(specifically) what are some other threats,which > could effect this and any difficulties with implementation. I imagine that the encryption and/or hash algorithms will change over time as encryption is broken and people figure out ways to create hash collisions. Therefore I'd imagine keys will change over time. I'm guessing this carries some consequences: - the list key will change over time, therefore: - old subscribers need to be alerted to the new list key. - MUAs need to be able to make use of the current list key (perhaps the list accepts posts under the old key for a limited time to give subscribers a chance to switch to using the new key). - subscribers' keys will change over time, therefore: - there needs to be an easy way for a subscriber to get the list to accept posts under the subscriber's new key. - list archives raise interesting questions: - if the goal is to never let a list post travel unencrypted, I guess the list archives will be encrypted too? - each archive post will be signed+encrypted with the current list key. Therefore each archive message will be decrypted and re-encrypted at each list key change? - yes: this implies a bigger and bigger decryption/re-encryption job at each list key change as a list archive grows. Presumably this task will become computationally intensive at some point, possibly beyond the scale of being done at all for very large mailing lists carrying large list posts. - no: each archive post will be untouched after sending. Therefore archives will feature a set of list posts signed+encrypted with whatever list key was current at the time that post was sent out. - thus old list public keys must be kept around and published forever so archive readers can decrypt/verify signatures of archived posts? - yes: this carries some questions about GPG policy (below). - no: how will this work? - GPG policy issues: the above raises questions about GPG: - will GPG keep old encryption algorithms and hash algorithms around (perhaps warning not to use them for new keys, and only using them for decryption as needed)? - or users going to need to retain old versions of GPG to handle verifying archive list posts old encrypted & signed with list keys (I don't see this working out well)? It's possible there is something fundamental about this entire process I do not understand and therefore I've completely missed something about this process which led me down a path I should not have gone down. If that's the case, please do let me know where I went wrong. Thanks.

9 27

How to set up mailman 3
by Stephen J. Turnbull 30 Mar '17

30 Mar '17

On [MM3-users] Mark Sapiro writes: > On 03/25/2017 04:55 PM, Mark Sapiro wrote: > > > > A list's message_size can't currently be set in Postorius. File an issue > > at <https://gitlab.com/mailman/postorius/issues/new>. > > Actually the attribute name is max_message_size, not message_size. > > It exists in core and can be set, e.g., from the command line via > 'mailman shell', but it needs to be exposed in Postorius. Would it be possible to automate this? I haven't thought carefully about it, specifically security issues. However, there could (in theory) be an automated export of "all parameters" in "expert mode" or "site/list initialization mode". Steve

3 7

Mailman 3 deployment / packages available
by Fabian A. Santiago 29 Mar '17

29 Mar '17

Here to ask again, I haven't really been following the progress on mm3; is there such a thing yet as a yum repo with packages to deploy mailman 3 on a readily configurable, stable, production ready system? Deploying old mailman is pretty easy by comparison, in my mind, but I'm no pro either; just a hobbyist. -- Thanks. Fabian S.

1 0

Re: [Mailman-Developers] Encrypted lists predictable difficulties and implementation needs
by Rich Kulawiec 27 Mar '17

27 Mar '17

On Fri, Mar 17, 2017 at 09:54:48AM +1100, Morgan Reed wrote: > I'd submit that this is tantamount to saying "it's impossible to make a > 100% secure system so why bother even trying". Then you're not grasping my point. Let me try again. I suggest that you re-read what I've written *and* consider as well the disclosures of the past week vis-a-vis smartphones and their encrypted communications applications. In particular, note that entities like Whisper and Signal have been, as I've said for years, peddling snake-oil. They cannot possibly deliver on their promises *even if they do everything they say they can do* because all of it is immediately and completely undercut if the underlying system is compromised. Which is exactly what the disclosures of Vault 7 show everyone, although it's not really news to anyone who's been paying attention. Intelligence agencies, vulnerability brokers, organized cybercrime, and others have been knocking themselves out to hack everything for years -- and whaddaya know, they've succeeded. This set of disclosures is merely the latest, and it and all the other ones to date are merely the tip of the iceberg. So what I am saying, and what I hope is obvious, is that you cannot build a secure system on top of an insecure one. This isn't about not being able to build a 100% secure system: as a long-time security professional, I'm fully aware that's impossible and that the best we can do is to stack the deck in our favor. This is about building a system that is known 0% secure from the start. I think, in the end, this will serve the community poorly -- because people who don't grasp the contemporary security landscape will deploy it, will rely on it, and will not understand that they lost the game before they even started to play it. This will have consequences. ---rsk

4 4

GSoC Help Wanted
by Stephen J. Turnbull 27 Mar '17

27 Mar '17

Muhammad Rizvi writes: > I want to let you that I want to take part in Python Organization but don’t > exactly know what to do. The thing that I came to know so far is that, > first I have to find a mentor but don’t know from where I can contact a > mentor, secondly I have to submit a proposal but what proposal should I > give? In a little more detail than what Terri wrote: First, get signed up on the Google site at https://summerofcode.withgoogle.com/. Become familiar with the guide for students, there is a lot of help there. Sign up for the students' mailing list, and read it every day to see what kinds of things people talk about. Some kinds of help will be much more available there (more on that below). Next, go to the PSF GSoC page at http://python-gsoc.github.io. As the PSF is an "umbrella" organization, it does not actually provide any mentoring itself, it handles financial matters and Google relations for over a dozen suborganizations. Browse the suborganizations, and find one or more whose project is interesting. Then check the individual "Ideas" pages for each project for lists of tasks that may interest you, and write one or more proposals to implement the ideas. (I believe that GSoC allows you to submit up to five applications, spread across 1 to 5 organizations. In terms of return for effort, I recommend two or three.) You should submit something as early as possible. You will be allowed to revise and improve your proposal up until the submission deadline. As a new student to GSoC, you should focus on organizations that give you feedback promptly (a day or two). Some put more effort into that than others, so you will need to balance the intrisic interest in the project against the help you get improving your proposals. Sign up for the developers' lists for the projects you are interested in. *Browse their archives for the last month or two* to see how the members tend to interact with each other. Normally you should lurk for at least that long before speaking up, but you're up against the submission deadline so reading the recent threads is a reasonable substitute. Some organizations have specific lists for GSoC project discussion, but most do it on their developer lists. When you have made a complete first draft, and after major revisions, you may request review where the mentors are likely to see it. Expect it to take at least a couple of days, the best mentors are generally busy people. Of course if it takes longer than that, you won't get very many chances to revise. So you'll have to find an appropriate balance for yourself between prompt responses and more detailed reviews and more interesting projects. Be very careful about email protocol. Some organizations strongly prefer that discussions of projects be kept on the mailing lists, so that all applicants can benefit, and so that other mentors and developers on the project can participate in the conversation. In many cases, private mail to mentors is frowned on. Figure out how the project you're interested in handles communications before going private. Be careful to check that the mailing list is among the addressees of mail that you send. You may need to use "reply to all", depending on the list configuration. PSF organizations generally require that student applicants submit contributions to the organization during the application period, so you should also find those organizations' issue trackers and look for "easy" tasks you can work on right away. (The point of the requirement is more to ensure that you don't waste time during the project period becoming familiar with infrastructure like repositories and trackers, not very much to prove your coding ability.) Be aware that you're already late to the party. Almost all organizations prefer to award internships to students who have already been productive in their projects for months (and for some applicants, years). Remember that mentors are unpaid volunteers; the attraction to mentors is working with motivated and productive junior developers who make major contributions to their projects. We appreciate your interest and that you are inexperienced with GSoC, but realistically the more you do for yourself and the less handholding you need, the better your chances are. It's worth the effort on your part. Many of the students you are competing with will treat the GSoC application as a fulltime job. As much as possible, investigate the process yourself, or on the students' mailing list. When asking questions of prospective mentors, do your homework and make them as clear and specific as possible. Again, this is a question of balance. If it's something you can do for yourself, an hour of your time may be a worthwhile trade to save 5 minutes for a prospective mentor. If it's something only the mentor can answer, you have to ask, of course. And don't worry about screwing up by asking; getting the right balance is something you only learn with experience. Just keep your antenna out and learn what excites the mentors and what drags them down as you go along. Good luck! Steve

1 0

Re: [Mailman-Developers] GSoC Help Wanted
by Terri Oda 27 Mar '17

27 Mar '17

On 2017-03-24 2:55 AM, Muhammad Rizvi wrote: > I want to let you that I want to take part in Python Organization but don’t > exactly know what to do. The thing that I came to know so far is that, > first I have to find a mentor but don’t know from where I can contact a > mentor, secondly I have to submit a proposal but what proposal should I > give? You've actually done it! Posting to the public mailing list for a Python sub-org is exactly how you contact a mentor. This year, Mailman's only running one project, the encrypted lists one, and the primary person for that is Stephen, but in general we prefer if students ask questions in public so that the community and other students get the benefits of answers. :) Stephen's given some pretty precise instructions on what he wants in a proposal on the mailman ideas page, and as I said we're only planning one project this year so it needs to be related to encrypted lists unless you can get someone excited enough about another idea that you have that they're willing to offer to be a primary mentor for that. Anything other than encrypted lists will be a hard sell this year, though, since most of us need the time off for regular mailman development or other projects! Terri

1 0

GSoC Help Wanted
by Muhammad Rizvi 24 Mar '17

24 Mar '17

Hello! I want to let you that I want to take part in Python Organization but don’t exactly know what to do. The thing that I came to know so far is that, first I have to find a mentor but don’t know from where I can contact a mentor, secondly I have to submit a proposal but what proposal should I give? Please, help me out as I am much curious to take part in GSoC and I don’t want to lose this opportunity. Best, Muhammad Hasan

1 0

GSoC Help Wanted
by Muhammad Rizvi 23 Mar '17

23 Mar '17

Hello! I want to let you that I want to take part in Python Organization but don’t exactly know what to do. The thing that I came to know so far is that, first I have to find a mentor but don’t know from where I can contact a mentor, secondly I have to submit a proposal but what proposal should I give? Please, help me out as I am much curious to take part in GSoC and I don’t want to lose this opportunity. Best, Muhammad Hasan

1 0