- Barry Warsaw <barry@list.org>:
On Mar 20, 2009, at 6:22 PM, Patrick Ben Koetter wrote:
Here's the link to a wiki I've put up to get started:
Hi Patrick,
Do you think the Mailman wiki would be a better place for this?
Yes. It keeps everything in one place. I would have to work around the freemind mindmap flash fancy stuff though, which I've just fallen in love with. But let's not let this get in the way.
How do we do it? Do I get write access to Mailman wiki?
I will add more as I get to it. Comments, ideas, improvements are
welcome. The server part, for example, is completely empty at the moment...
One thing we discussed at last year's sprint is the model that the REST interface will have full admin access to Mailman's data model. I.e. it will by design be fully authenticated. The reason for this is that we'd like it to act as an API that other systems can use to integrate mailing list services into their systems. For example, if you had a web site running PHP that you wanted to use Mailman for your mailing lists, it could use this REST API to control and query Mailman.
We've thought about different client technologies too. That's the client technology part I wrote about in the wiki.
What we didn't discuss was fully authenticated access for the REST server by design. If I understand this correctly, then any party that is able to communicate with the REST server will have full admin access to Mailman's data model. In other words: It's up to any REST client to protect the REST server from abuse.
I feel a little uneasy not having the server control that itself unless we find a good way to control who may connect to the server or the server is able to identify valid clients by some client identity (ACL).
What this means though is that when you deploy Mailman's REST interface, you must take care to protect it. You wouldn't want to expose it to the internet for example. You'd want to make sure that its interface is accessible only via your data center, or via localhost if you were running a turnkey standalone system.
I was thinking of TLS client/server authentication for open networks. Not that I have spent time yet to find out if Python (REST) tools provide such functionality - I am sure it does, but given my low Python experience, I'd rather verify...
Still, this provides great advantages, such as the ability for us to
ship a web interface as an add on, and for sites to easily swap out the web interface, or create their own ways of accessing and controlling Mailman without having to write Python code (which they can do in MM2 and will be able to do in MM3, though few sites apparently do this).
Same idea here.
p@rick
So while an account/login model is necessary (e.g. for the email
interface), it needn't be required for accessing the REST API.
Barry
-- state of mind Agentur für Kommunikation, Design und Softwareentwicklung
Franziskanerstraße 15 Telefon +49 89 3090 4664 81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
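
The two protections discussed in the message above (an interface reachable only via localhost, and TLS client authentication with a client-identity ACL), shown with Python's standard `ssl` and `http.server` modules. This is an added example, not part of the original thread and not Mailman's code; the allowlist names, port 8001, `RestHandler` and the sample certificate dicts are constructed assumptions.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist of client-certificate common names (hypothetical).
ALLOWED_CLIENTS = {"webui.example.org", "billing.example.org"}

def make_server_context(certfile=None, keyfile=None, client_ca=None):
    """TLS server context that aborts the handshake without a client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # client must present a cert
    if certfile:                               # server's own identity
        ctx.load_cert_chain(certfile, keyfile)
    if client_ca:                              # CA that issues client certs
        ctx.load_verify_locations(cafile=client_ca)
    return ctx

def client_common_name(peercert):
    """Pull the CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_authorized(peercert, allowed=ALLOWED_CLIENTS):
    """ACL step: TLS verified the chain; here we check which client it is."""
    if not peercert:
        return False
    return client_common_name(peercert) in allowed

class RestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = is_authorized(self.connection.getpeercert())
        self.send_response(200 if ok else 403)
        self.end_headers()

def build_server(ctx, port=8001):
    # Bind to loopback only, so the API is never exposed to the internet.
    httpd = HTTPServer(("127.0.0.1", port), RestHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd

# Constructed samples in the shape getpeercert() returns.
SAMPLE_OK = {"subject": ((("organizationName", "Example"),),
                         (("commonName", "webui.example.org"),))}
SAMPLE_UNKNOWN = {"subject": ((("commonName", "other.example.org"),),)}
```

A real deployment would pass its own certificate, key and client CA file paths to `make_server_context` and then call `build_server(ctx).serve_forever()`.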