I'm all for the password-less stuff, but then how do you authenticate for members-only archives? I've got big lists that must be members-only for the archives.
Bob
---------- Original Message -----------
From: Tokio Kikuchi <tkikuchi@is.kochi-u.ac.jp>
To: John Dennis <jdennis@redhat.com>
Cc: mailman-developers@python.org, Barry Warsaw <barry@python.org>
Sent: Fri, 11 Feb 2005 09:29:58 +0900
Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck
Hi,
John Dennis wrote:
> My suggestion would be:
>
> - As soon as possible post MM 2.1.6 with the security patch.

+1

> - Quickly follow up with MM 2.1.7 with the member passwords hashed.

I would suggest 'mailman 2.2' and introduce password-less membership. Most of the user operations should be done by confirmation string sent by email message. Users can optionally have their passwords which should be stored in hashed format.

Other 2.2 features I imagine are:
- Languages are selectable at configure option.
- Internal strings are unified to unicode to reduce type checking.
- Utf-8 web pages for

> At the same time I think we should implement the stronger password generation suggested in this open advisory against mailman.
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143

This has been integrated in 2.1.6 CVS.
--
Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
http://weather.is.kochi-u.ac.jp/
------- End of Original Message -------