-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Those of you who have been watching the commit messages can see I've
been making some good progress. I'm actually hoping to have a
Mailman 3.0 alpha some time RSN which will almost allow you to run
the system from the command line, but without a web u/i.
So one of the things I'm looking at is the MM2.1 concept of an
Approved header. If a message comes into a list with an Approved
header (or an Approved line at the start of the message body), and
that header has a password that matches the list admin or moderator
password, the message is pre-approved and short-circuits the posting
The concept doesn't translate well in a Mailman 3 world where there
is no shared admin or moderator password. Web access will be control
via roles and protected by user authentication much like any modern
So the question is, what do we do about the Approved header?
- We can drop the concept altogether. This means there'd be no way
to post a message as coming from an approved source, with a bypass of
the posting filters. Maybe because few people have MUAs that support
adding custom headers, this feature just isn't used much in the real
world these days. You'd still have the moderation bit for announce- only lists though.
- Replace the concept with some other email authentication
mechanism, e.g. something more secure like a signature check. The
problem with this is that I still don't think message signing is
common practice outside our small community of geeks.
- Allow an owner or moderator to use their own password in the
Approved header. I'm not crazy about this because it has to be sent
in the clear and if (when?) it gets compromised, their account is
compromised, and this includes their administration of the mailing list.
- Add a new shared password just for this purpose. You'd still have
to communicate it to all your moderators, probably via the web page,
but at least this password wouldn't have any other purpose so if
(when?) it gets compromised, the only asset it protects is approved
postings. Bad yes, if a spammer gets it, but easily changed and
hopefully fairly limited in the damage it can do.
- Your suggestion.
Comments? I think my preference would be for #1 with future support
for #2 and just accepting the fact that message signatures are for
power users. Maybe that set is pretty close to the set of people
currently using Approved anyway.