To make Joel's words mine. Even, where the password is set by the server, there are only so many passwords a person can remember - and invariably if one signs up to multiple forums/ lists/ one tends to repeat the password. So having the password mailed back is an unnecessary exposure. All that is waiting to happen is for someone to develop code to sit waiting for the monthly list reminders from Mailman and others, capture the login details and access mailboxes.

Rui

  Rui Correia Advocacy, Media and Language Consultant 36 Finch St, Ontdekkers Park, Roodepoort, Johannesburg, South Africa Tel/ Fax (+27-11) 766-4336 Cell (+27) (0) 83-368-1214

-----Original Message----- From: mailman-developers-bounces+correia.rui=gmail.com@python.org [mailto:mailman-developers-bounces+correia.rui=gmail.com@python.org] On Behalf Of Joel Ebel Sent: 10 February 2005 17:45 To: mailman-developers@python.org Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck

I can't speak to whether the work is worth the benefit, but I'm definitely in favor of the change. I've always questioned the benefit of having recoverable passwords. I feel like a password should be a one way thing. You put it in, and you can't get it back. If you forget it, you have to reset it. I think password reminders are unnecessary, and I don't really like having passwords in my email anyway. Perhaps a reminder of how to access your membership settings and reset your password would be a better option anyway.

Joel

Barry Warsaw wrote:

I think CAN-2005-0202 gives us the opportunity to finally implement what we have long considered an embarrassing exposure in Mailman's config.pck databases. Member passwords are kept in this database in the clear. The obvious fix is to hash member passwords and keep only the hash in the database.

We haven't changed this before now for two reasons:

1. We would have to regenerate all member passwords, which is an administrative burden. We might also need to implement checks to see if the passwords were cleartext or hashed and do the password comparison accordingly.

2. This breaks all password reminders.

To fully address CAN-2005-0202 we're recommending sites regenerate their member passwords anyway, so this gives us an opening to fix this properly. And we have a better internal password generator now too.

As for #2, well, I think most people hate those password reminders anyway, and we've decided that they are going away for MM3. I don't think many people would shed too many tears if we killed off monthly password reminders for 2.1.6. Doing that would also eliminate the requirement for the site list, since its primary purpose is to function as the sender of the reminder messages.

To do this for 2.1.6, we'd have to change the "Email My Password To Me" feature in the options page and in the member login page. These would have to become a "create a new password for me" feature. Also, crontab.in should not call mailpasswds anymore, or that script should turn into a simple "here's the lists you are on" reminder, without the password information in it. This will require i18n updates too.

The downside to doing this now is that it's more coding work for 2.1.6 and I'd like to get the new version out asap. Still, this seems like an opportunity that we shouldn't lightly dismiss.

What do you all think? Is anybody willing to take a crack at a patch for this?

-Barry

---

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/jbebel%40ncsu.edu

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/correia.rui%40gmai l.com

Hi

When I open http://mailman.greennet.org.uk/mailman/listinfo/plenary using Opera, the last block just above the 'subscribe' button gets spread out in one long string.

The result is that one can't see the 'subscribe' button.

Is this a Opera-only problem, or would this be happening with other browsers too?

Rui

  Rui Correia Advocacy, Media and Language Consultant 36 Finch St, Ontdekkers Park, Roodepoort, Johannesburg, South Africa Tel/ Fax (+27-11) 766-4336 Cell (+27) (0) 83-368-1214

On 2/11/2005 12:13, "Brad Knowles" brad@stop.mail-abuse.org wrote:

At 6:05 PM +0200 2005-02-11, correia.rui@gmail.com wrote:

...

When I open http://mailman.greennet.org.uk/mailman/listinfo/plenary using Opera, the last block just above the 'subscribe' button gets spread out in one long string.

The result is that one can't see the 'subscribe' button.

Is this a Opera-only problem, or would this be happening with other browsers too?

Using MacOS X 10.3.6, I see the same thing in Safari 1.2.4 (based on KHTML), Opera 7.51, and OmniWeb 5.0. Camino 0.8.2 (a Gecko-based browser from the Mozilla family, with a native Aqua user interface) and iCab 2.9.8 both seem to display the page with line-wrapping, which is presumably what you had intended.

I'm not sure what to tell you about this particular problem.

I suspect the horizontal long rows of checkboxes are the root of the problem.

This web page falls into my "if it's hard to use, forget about it" category, which would have kept me off the list even if I otherwise cared.

--John

It seems to me that the pulse of this list is to leave the situation as is, and not make the password hashing change for 2.1.6. This should allow us to release this version sooner, so I'm fine with that.

The reason I thought we'd have a good opportunity now is that one of the remediation steps for CAN-2005-0202 was to reset your passwords. I think it will be too much to ask admins to reset their passwords for 2.1.6 and then do it again for 2.1.7, so I'm against making this change until 2.2 or 3.0.

Thanks everyone. I may follow up on specific messages in this thread. -Barry

Ah - I had forgotten the ~mailman/bin/withlist script. Sorry, folks,
still just getting back into Mailman. If it works as advertised, then I
also vote for the changes Barry is recommending. It makes Mailman
completely compatible with the type of CMS integration I'm describing.
Joel's point about passwords being one-way "You put it in, and you
can't get it back" is perfectly true.

Cheers,

Tobias

On Feb 10, 2005, at 11:17 AM, Tobias Eigen wrote:

Hi Barry,

While you're on this subject, I was intrigued by the password
resetting script but was disappointed that there is no way to actually
configure the password on the command-line. I was thinking this would
enable integration of Mailman subscriptions into an existing user
database (i.e. via a nightly cron). If you use a commonly used
encryption, then doing this on the command line shouldn't pose any
security issues. On Kabissa this would be a key aspect to making
Mailman continue to work as our list manager of choice for e-mail
newsletters and discussions in our CMS of choice, Mambo Open Source.

Then again, if you're thinking of rewriting how passwords are kept,
perhaps it might be useful to think about using a different type of
container anyway, one that works with other, more sophisticated user
management systems like those that come with CMSs. I.e. LDAP or simply
mysql.

And this, plus the CAN prefix to the patch name, reminds me: correct
me if I'm wrong, but my understanding is that Mailman as it exists
does not comply with the new (unfortunately named) CAN SPAM act.
According to this act, a recipient of an email from a given site has
to be able to opt out from receiving ANY MAIL from that site. Right
now all mailman lists are treated completely separately, and nobody
(not even the subscriber) can easily find out which lists subscribers
are subscribed to. What I envision having in my Mailman/Mambo system
is a single user database with one password per username for all
services. Users can then go to a simple preferences page on Mambo and
do basic things like change their email address or password, tick a
box to opt in/out of various mailings, and in particular opt to
receive no mail at all. Other Mambo components would handle reading
forums and newsletters online and enable users to
subscribe/unsubscribe to them.

If anybody's got any suggestions on how to achieve this or is
interested in working with us to develop this functionality, let me
know.

Cheers,

Tobias

On Feb 10, 2005, at 10:02 AM, Barry Warsaw wrote:

...

I think CAN-2005-0202 gives us the opportunity to finally implement
what we have long considered an embarrassing exposure in Mailman's
config.pck databases. Member passwords are kept in this database in the clear. The obvious fix is to hash member passwords and keep only the hash in the database.

We haven't changed this before now for two reasons:

1. We would have to regenerate all member passwords, which is an administrative burden. We might also need to implement checks to see
   if the passwords were cleartext or hashed and do the password comparison accordingly.

2. This breaks all password reminders.

To fully address CAN-2005-0202 we're recommending sites regenerate
their member passwords anyway, so this gives us an opening to fix this properly. And we have a better internal password generator now too.

As for #2, well, I think most people hate those password reminders anyway, and we've decided that they are going away for MM3. I don't think many people would shed too many tears if we killed off monthly password reminders for 2.1.6. Doing that would also eliminate the requirement for the site list, since its primary purpose is to
function as the sender of the reminder messages.

To do this for 2.1.6, we'd have to change the "Email My Password To
Me" feature in the options page and in the member login page. These would have to become a "create a new password for me" feature. Also, crontab.in should not call mailpasswds anymore, or that script should turn into a simple "here's the lists you are on" reminder, without the password information in it. This will require i18n updates too.

The downside to doing this now is that it's more coding work for 2.1.6 and I'd like to get the new version out asap. Still, this seems like
an opportunity that we shouldn't lightly dismiss.

What do you all think? Is anybody willing to take a crack at a patch for this?

-Barry

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives:
http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/ tobias%40kabissa.org

Tobias Eigen Executive Director

Kabissa - Space for Change in Africa http://www.kabissa.org

• Kabissa's vision is for a socially, economically, politically, and
  environmentally vibrant Africa, supported by a strong network of
  effective civil society organizations. *

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives:
http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/ tobias%40kabissa.org

-- Tobias Eigen Executive Director

Kabissa - Space for Change in Africa http://www.kabissa.org

• Kabissa's vision is for a socially, economically, politically, and
  environmentally vibrant Africa, supported by a strong network of
  effective civil society organizations. *

On Feb 10, 2005, at 9:32 AM, John Dennis wrote:

My suggestion would be:

1. As soon as possible post MM 2.1.6 with the security patch.

2. Quickly follow up with MM 2.1.7 with the member passwords hashed. At

Then in the MM 3.0 time frame the entire mailman security framework should be revisited, there are many security issues that should be addressed.

+1

Other 2.2 features I imagine are:

• Languages are selectable at configure option.
• Internal strings are unified to unicode to reduce type checking.
• Utf-8 web pages for

• Uft-8 web pages for all languages.

Sorry for the incomplete post.

-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/

...

I would suggest 'mailman 2.2' and introduce password-less membership. Most of the user operations should be done by confirmation string sent by email message. Users can optionally have their passwords which should be stored in hashed format.

This would be great.

I'm very into this idea of password-less membership too.

Cheers,

Tobias

-- Tobias Eigen Executive Director

Kabissa - Space for Change in Africa http://www.kabissa.org

• Kabissa's vision is for a socially, economically, politically, and environmentally vibrant Africa, supported by a strong network of effective civil society organizations. *

I'm all for the password-less stuff, but then how do you authenticate for members-only archives? I've got big lists that must be members-only for the archives.

Bob

---------- Original Message ----------- From: Tokio Kikuchi tkikuchi@is.kochi-u.ac.jp To: John Dennis jdennis@redhat.com Cc: mailman-developers@python.org, Barry Warsaw barry@python.org Sent: Fri, 11 Feb 2005 09:29:58 +0900 Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck

Hi,

John Dennis wrote:

...

My suggestion would be:

1. As soon as possible post MM 2.1.6 with the security patch.

+1

...

2. Quickly follow up with MM 2.1.7 with the member passwords hashed.

I would suggest 'mailman 2.2' and introduce password-less membership. Most of the user operations should be done by confirmation string sent by email message. Users can optionally have their passwords which should be stored in hashed format.

Other 2.2 features I imagine are:

• Languages are selectable at configure option.
• Internal strings are unified to unicode to reduce type checking.
• Utf-8 web pages for

...

At the same time I think we should implement the stronger password generation suggested in this open advisory against mailman.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143

This has been integrated in 2.1.6 CVS.

-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com ------- End of Original Message -------

--On February 11, 2005 13:55:26 +0900 Tokio Kikuchi tkikuchi@is.kochi-u.ac.jp wrote:

Bob Puff wrote:

...

I'm all for the password-less stuff, but then how do you authenticate for members-only archives? I've got big lists that must be members-only for the archives.

...

...

Most of the user operations should be done by confirmation string sent by email message.

Operations include authentication.

So, to access the private archive I have to wait for an email message?

Hmm, there was some plan for LDAP integration for version 3.0, no?

What I'm hoping for is that people who subscribe to my lists with a sussex.ac.uk email address will be able to authenticate from our LDAP server. This avoids mailman having to store their passwords.

With support for a variety of external authentication mechanisms, Mailman can become a much more useful tool for Universities and large corporations.

-- Ian Eiloart Servers Team Sussex University ITS

Integrating with external user storages for authentication should help out a lot here, but I'm just not seeing how we can totally eliminate passwords. I'm willing to be convinced though.

Speaking of which. MM3 seems to be pretty stalled out.

Is there anything I/we can do to get the ball rolling again?

Darrell

On Thu, 2005-02-10 at 12:32, John Dennis wrote:

At the same time I think we should implement the stronger password generation suggested in this open advisory against mailman.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143

I believe this will need a little support in configure.in to detect and be able to utilize the presence of /dev/urandom with an appropriate fall back in its absence.

This is already in 2.1.6 CVS, and we do a run-time check, first for Python 2.4's os.urandom() and then for /dev/urandom. We fallback to the old scheme if neither of those can be found.

Then in the MM 3.0 time frame the entire mailman security framework should be revisited, there are many security issues that should be addressed. At a minimum the suggestion of supporting alternate authentication mechanisms (e.g. pam, ldap, kerberos, etc.) should be implemented. In my mind, this is too radical for a 2.1.x release. 3.0 is the right time debut a more configurable and robust security framework.

I agree completely, although we might be able to fit this into a 2.2 release if there is one.

-Barry

Hi Brad -

Sorry for sitting on this for so long - would like to respond to it though.. see below.

...

And this, plus the CAN prefix to the patch name, reminds me: correct me if I'm wrong, but my understanding is that Mailman as it exists does not comply with the new (unfortunately named) CAN SPAM act. According to this act, a recipient of an email from a given site has to be able to opt out from receiving ANY MAIL from that site. Right now all mailman lists are treated completely separately, and nobody (not even the subscriber) can easily find out which lists subscribers are subscribed to.

Actually, you can easily see which lists you're subscribed to. Go to the listinfo page for the mailing list in question, and log in using your e-mail address and password. There's a button that says "List my other subscriptions". Unfortunately, you can't unsubscribe from all of them with a single command, you will have to unsubscribe from each of them individually. But you can globally change all your passwords for all the lists you're subscribed to, change your e-mail address, and if you scroll down to the bottom of the list, you can change a number of other options, most of which can be applied globally.

However, this is only a on a per-address basis. If you have multiple different addresses subscribed to different lists, you will have to handle them each individually.

I know all this - and I know you know it, and I know all Mailman geeks like us get it. The problem is with regular, every day people who are expecting (and really can be expected to expect) Yahoogroups type interfaces. I'm sorry to say it, but Mailman's web interfaces are extremely daunting and confusing. It's really weird to have to log in multiple times to access multiple list settings, especially if it's the same password being used everywhere. It's likewise weird to then be able to make "global" changes from one list's preferences page. Has anybody considered having a usability expert look at the Mailman interfaces and redesign them so they make more sense from a user's point of view? How easy is it to customize these pages? Are they perchance templatable?

And we're only talking about the frontend (listinfo interface) here now, not even the backend (admin interface) for list owners. The backend is so incredibly complex and overwhelming that it has become a serious stumbling block for us in offering a service that people will actually use. For Kabissa these interfaces have to be as easy to use as Yahoo Groups or Google (has anyone tried Google's groups? They are quite nifty actually). We have people coming online from all over Africa who pay dearly for every precious minute they spend online.

...

What I envision having in my Mailman/Mambo system is a single user database with one password per username for all services. Users can then go to a simple preferences page on Mambo and do basic things like change their email address or password, tick a box to opt in/out of various mailings, and in particular opt to receive no mail at all.

You can pretty much do all of that today. Go to the listinfo page and log in with your e-mail address and password.

Perhaps, but you can't do it "easily".

Cheers,

Tobias

-- Tobias Eigen Executive Director

Kabissa - Space for Change in Africa http://www.kabissa.org

• Kabissa's vision is for a socially, economically, politically, and environmentally vibrant Africa, supported by a strong network of effective civil society organizations. *

All I can say is that Mailman is a non-profit open source project, run by a group of people in whatever spare time they can manage to scrape together.

The Linux folks haven't cracked the ease-of-use aspects of their OS compared to Microsoft, not even for the companies that are spending large quantities of money to try to make that happen. We're a much, much smaller group, and although this is also a smaller target, I don't see us being likely to succeed in this area where the Linux folks have not.

If someone wanted to pay large sums of money to make an open source Yahoo! Groups-beating package, and pay people to work on that as their full-time job, we might be able to change this situation -- in time.

Brad,

We've previously had conversations about some Yahoo groups functionality which you said wasn't possible:

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.039.htp

Yesterday I contributed patches which enables Mailman to have this exact functionality which we borrowed from Yahoo Groups. Yet I've seen no response from you yet, and only one half dismissive response from another mailman developer.

Mailman CAN be as good - and better - than Yahoo Groups. It doesn't have to take lots of money and resources. Just being willing to accept our code a piece at a time, and encouraging those who contribute will go a long way towards getting there.

There may be some disagreement on the unsubscribe styff, but the header/footer handling only benefits everyone. I certainly hope that the mailman team will be responsive, and accept these patches and integrate them into the codebase. From my side we'll do whatever it takes to make that happen. Just tell us what we have to do.

Adrian

On Wed, 2005-02-16 at 11:13, JC Dill wrote:

Right now, I would suggest being patient. I suggest you give it a week for Barry and the other key developers to to find the time to start looking at new code after they dig out from their present schedule overload caused by the recent security incident.

Right now, I am focusing what spare time I have on getting 2.1.6 out the door. Tokio has been a lifesaver for this release, and I think he's primarily focused on the same thing. Once 2.1.6 is out, I would like to have a longer discussion on where we go next.

I don't know what Brad's key focus is on this list, but I can share with you that *I* am not a developer in that I don't write code. My role here is that I help in a product management type role, helping prioritize, helping define, helping with documentation (FAQ entries etc.), enter feature requests, etc. And I help with the day-to-day management of the mailman -users and -dev mailing lists so that the key developers can focus their time on code instead of running the lists.
Sometimes when we have list management related email threads it takes the key developers more than a week to chime in on something too....

Trust me, work like this is greatly appreciated. Just so everyone knows, you don't have to be writing code to help move the Mailman project out. JC, Brad, Chuq, Terri, and others have been an incredible help.

-Barry

On Feb 16, 2005, at 8:45 AM, Brad Knowles wrote:

I try to do all the little things I can, so that Barry and the core developers can focus their attention on the big things that I have no hope of ever being able to touch. For the most part, I try to follow the lead of people like Barry, Chuq, JC, and the others who have been here longer than I have.

It's been a crazy year for everyone on the mailman team -- I know Barry's done what he can, but in the end, he has to earn a paycheck and have a life, and Mailman simply can't be considered more important than either of those.

I've been the same way, working on a project that's gotten hugely popular at work and taken up a huge amount of time and energy -- 50 and 60 hour weeks have been common the last year as we try to not choke on success, and I've had other non-work complications sucking up time and energy. To give you an idea how bad it's been -- a server upgrade I'd planned for last March finally is happening, where last night I migrated my blog to a new environment. Having a project like that slip almost a year (and that was a REVISED date. sigh) is scary in a way, but it gives you an idea just how little my spare time and my energy to do things have coincided.

Once this server upgrade is complete, I'll be able to finally get started on a couple of projects I announced a couple of years ago and still want to see happen, along with getting more involved with Mailman again. The last few months, I sort of feel all I've accomplished is trying to shield Barry from having to deal with list logistics and the like, and the project needs more than that....

I think its safe to say that it's not lack of interest or intent here with any of us, but a lack of free time. And time, of course is one commodity you can't do much about some times.

"Adrian Bye" adrian@tasdevil.com writes:

Mailman CAN be as good - and better - than Yahoo Groups. It doesn't have to take lots of money and resources. Just being willing to accept our code a piece at a time, and encouraging those who contribute will go a long way towards getting there.

I agree. I'd love to see some real movement on Mailman, but it does seem a bit stalled. (Note the lack of response to my recent MM3 query).

Maybe open up the code to a few more commiters would help? But, I don't get the impression there's much interest in letting others have a crack at it.

I'd really like to see some serious discussion about the architecture of mailman3, so we can get coding.

Darrell

Adrian Bye wrote:

Yesterday I contributed patches which enables Mailman to have this exact functionality which we borrowed from Yahoo Groups. Yet I've seen no response from you yet, and only one half dismissive response from another mailman developer.

Since mine was to only reply to your post, I assume it is that to which you refer. I didn't intend to be "dismissive". I'm sorry it came across that way. In fact, I specifically wrote "I am not trying to denegrate the work you've done or your contribution back to the Mailman project. I think this is a fine example of how open source works."

While I did add "I'm only trying to point out that there can be a "dark side" to this feature.", I didn't intend that to mean that it shouldn't be an option for those who might want it.

Also, while I may be prolific on the Mailman-Users list, for the record I have no official connection to the Mailman project. I'm just another Mailman administrator with a lot of software experience and evidently, way too much time on his hands. I wouldn't describe myself as a mailman developer, just an interested party trying to learn and contribute back.

-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Thu, 2005-02-17 at 09:33, Tokio Kikuchi wrote:

I looked through your code and my feeling is not integrating this patch in 2.1.6.

We need to put a freeze on new features for 2.1.6. In fact, I think we should freeze all checkins except show-stopping bug fixes. I'd like to take between now and the end of February for testing.

I'll spin a beta4 today and upload it to SF. In the future, Tokio will also be able to do SF file releases (although unfortunately, he won't be able to update the web sites). I plan on installing the current 2.1.6 on my various sites and I hope others can do the same thing to help test 2.1.6 in order to get an end-of-February release.

-Barry

On Thu, 17 Feb 2005 12:15:44 -0500, Barry Warsaw barry@python.org wrote: [snip]

I plan on installing the current 2.1.6 on my various sites and I hope others can do the same thing to help test 2.1.6 in order to get an end-of-February release.

I'm willing to install the pending beta 4 if it's feature-frozen and there are no significant known bugs (unknown bugs are OK ;). The feature shift between betas has been a little disconcerting.

Bryan

On Thu, 2005-02-17 at 13:22, Adrian Bye wrote:

And, I just talked with my developer, and he got quite upset about the idea of fixing his code to conform to your coding style. So I guess that won't be possible for now. I certainly understand why you have coding guidelines, I agree they are important. I would have happily paid my developer to bring his code in line with your standards.

Sorry, but that's non-negotiable. I know that you understand, but for the record, I'm not just stroking my ego. Coding standards are critical for long term maintenance. Without a standard, the readability of the code goes to hell and code is read orders of magnitude more often than it's written. Adhering to the guidelines (hobgoblins notwithstanding) is our responsibility to those that come after us.

It's unfortunate that your developer can't adapt to the Mailman coding style. I work on tons of open source software, and of course lots of software at my job, and each project has its own coding guidelines. "When in Rome..." is the operative phrase here.

Hopefully someone else will adapt the code to the style guide.

-Barry

On Thu, 2005-02-17 at 14:54, Bob Puff@NLE wrote:

Perhaps I missed this thread, but what standards are there? Link to doc?

http://barry.warsaw.us/software/STYLEGUIDE.txt

-Barry

Dear friends,

I had *no idea* my post was going to generate this level of response. Thank you all. I'm simply fascinated by the dynamics in the group, inspired by your generosity, and eager to help out in any way I can. Let me make a few brief points, then forward another message I just sent to another list which is inspired by this discussion and by a number of other ongoing threads that seem to be coming together right now and make for what I think is a tremendous opportunity for those of us interested in this yahoogroups type functionality.

1. I am not a coder. I am very into open source software, though, and have been for a long time. I have installed many open source tools on the Kabissa server over the years which are used very actively by people in Africa working for nonprofits. This includes Mailman, phpbb, horde and more. I am able to hack around in existing scripts and follow instructions to do limited customization. I've had Mailman running on Kabissa for over four years now, and have many thousands of posts in list archives and tens of thousands of subscribers participating in lists hosted on Kabissa.

2. I am currently dedicated to taking all of these disparate tools that people are making great use of on Kabissa, and integrating them into a single community Web site so that they can use them better. I am therefore interested in Mambo CMS (http://www.mamboserver.com) and am eager to encourage any efforts that will enable me to take existing Kabissa services (like Mailman) and integrate them into Mambo components (existing or new).

3. This is the background to my post about making Mailman CAN-SPAM compliant. It helps to know that there are developers interested in addressing usability issues and also to have confirmed that there is a general understanding that Mailman can be improved.

4. As Brad mentioned, he is now volunteering at Kabissa on mailman administration.. which is great! With his involvement, there are some small contributions Kabissa can make as relates to helping others to make Mailman work well in a plesk/qmail setup like ours, and which I'd like to see incorporated in future versions of Plesk. However, I think Kabissa may be able to help more by drumming up interest in Mailman, by partnering with other likeminded organizations seeking the same functionality like Bellanet, and perhaps by raising funds to pay for the development of some key features that Kabissa needs particularly urgently.

Best wishes,

Tobias

On Feb 17, 2005, at 9:33 AM, Tokio Kikuchi wrote:

Hi,

Sorry I'm responding late. We had presentations of master theses and I had to look after 3 out of 8 students for qualification. Moreover, 2 students are Chinese and difficulty in expressing themselves in Japanese. (Like myself in English :-( )

Adrian Bye wrote:

...

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.039.htp Yesterday I contributed patches which enables Mailman to have this exact functionality which we borrowed from Yahoo Groups. Yet I've seen no response from you yet, and only one half dismissive response from another mailman developer.

I looked through your code and my feeling is not integrating this patch in 2.1.6. The Decorate.py file was considerably patched in CVS by myself and it will take time to adjust the submitted 2.1.5 patch. Also, there are some functions copied from other sources not importing nor inheriting. And, if you write code for immediate integration in the CVS, you should read http://barry.warsaw.us/software/STYLEGUIDE.txt and PEP 8, or at least read the existing code and learn the style.

...

Mailman CAN be as good - and better - than Yahoo Groups. It doesn't have to take lots of money and resources. Just being willing to accept our code a piece at a time, and encouraging those who contribute will go a long way towards getting there. There may be some disagreement on the unsubscribe styff, but the header/footer handling only benefits everyone. I certainly hope that the mailman team will be responsive, and accept these patches and integrate them into the codebase. From my side we'll do whatever it takes to make that happen. Just tell us what we have to do.

I think the patch should be available in the SF tracker and tested by users who want the functionality. Number of unofficial patches are living like this. It took two years for my first patch (subject prefix numbering) to be integrated in the CVS. ;-)

-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/

-- Tobias Eigen Executive Director

Kabissa - Space for Change in Africa http://www.kabissa.org

• Kabissa's vision is for a socially, economically, politically, and environmentally vibrant Africa, supported by a strong network of effective civil society organizations. *

Tobias Eigen wrote:

...

...

What I envision having in my Mailman/Mambo system is a single user database with one password per username for all services. Users can then go to a simple preferences page on Mambo and do basic things like change their email address or password, tick a box to opt in/out of various mailings, and in particular opt to receive no mail at all.

Hello Tobias,

I have been meaning to respond to several of your emails lately, but free time has been scarce. We seem to have the same goal, and many people are looking for the same thing, too -- a Yahoogroups-ish solution. I looked at Mailman for this for quite a while before coming to the realization that it just wasn't going to happen easily. There are simply too many problems with MM 2.x: one-to-one relationships between members and lists, awkward pickle file storage, limited customization capabilities and much more. To me, radical changes are required in the mailing list software. And I believe this needs to happen in the Mailman 3 project due to the considerable design changes required. Barry is already looking at significant changes for MM3 such as SQL-based storage (this in itself is huge for our purposes), so I would suggest that efforts should be spent there.

I'd like to invite you to work with my organization, Bellanet, in any way possible. We are also in the international development sector and have been wanting to create an open source version of our Dgroups product (see www.dgroups.org) using Mailman and a CMS. In our case we were favoring Xaraya. But MM 2.x just wasn't going to cut it. We are looking at putting $ into MM3, and, as it turns out, we want some African developer involvement. Please contact me off-list if you're interested in brainstorming. I really want to help move MM3 development forward -- with money and/or people -- so that creating a YahooGroups tool, using your favorite CMS as a frontend, would be a cinch.

BARRY: would now be a good time to re-energize discussions on the MM3 development list? What is your time like? And are there any plans for a MM3 sprint? I can send people.

• Kevin

On Feb 16, 2005, at 8:54 AM, Tobias Eigen wrote:

I'm sorry to say it, but Mailman's web interfaces are extremely daunting and confusing.

As someone who's spent time documenting them... yes! They're useable, and people can learn them, but I know I noticed things that simply don't make sense to a lot of users. We've fixed the ones that came up a lot for me, but I'm sure there's others that I simply don't *see* any more because I'm so used to it.

And we're only talking about the frontend (listinfo interface) here now, not even the backend (admin interface) for list owners. The backend is so incredibly complex and overwhelming that it has become a serious stumbling block for us in offering a service that people will actually use.

Oh yes! I'm partway through documenting our existing admin interface and it's... hard. I love the flexibility offered through mailman, but explaining it to people is horribly difficult, and that's a bad sign for useability.

My biggest problem with mailman's interfaces is that they're *really* designed to expose the underlying mechanics. If you know how Mailman works, they're relatively easy to use. I don't usually mind this for the admin interfaces because I work with list admins who actually are motivated to learn some about how the system works. But a lot of list members (and list admins, just not mine) don't know how it works (and shouldn't need to know), and things fall apart then. The biggest one is the seperate-logins-for-all-lists sort of stuff. Many user don't understand (or care) that this reflects our (now seemingly flawed) architecture, and telling them "that's just the way it was designed" is kinda lame when it's clearly not the way it should work.

Has anybody considered having a usability expert look at the Mailman interfaces and redesign them so they make more sense from a user's point of view?

This *is* a good idea, especially for mailman 3, where I think we'll be redesigning a lot of the interfaces. It's harder with 2.1 because *changing* stuff can cause as many usability problems as it solves, but as I said, we've tweaked a few things since I started documenting, and minor changes can make things a whole lot easier sometimes.

So, any usability experts around who are willing to volunteer some time?

Okay, I'll admit it: I actually have some formal training in usability, but I'd rather someone with more if there's anyone out there.
(hellooo? If you don't want to admit it publicly, at least send me an email so I know who to ask?)

The gist of all usability studies is that the USERS are the one who should drive design of the interfaces. Not programmers, not usability experts, not managers of the users, not documenters of the interface.
And darned if we don't all have users. :)

So no excuses here -- we *can* do at least some simple usability studies. Ask your users what they love/hate about the interface! Ask them what "stupid" mistakes they make -- if lots of people do the same thing, it's probably our fault and not theirs. If you've got physical access to your users, see if you can watch them do certain tasks and note what they do wrong, what takes a long time, etc. Most of us *are* users as well as developers/admins/etc. What do we find to be a pain in the neck? Heck, what do we get asked over and over again? (I used to have people ask me regularly "How do I unsubscribe" until we changed the button "Edit Options" to say "Unsubscribe or Edit Options") What bugs are reported related to the interface? (this includes bugs that aren't really bugs, but rather that the user couldn't find the right way to do things) What behaves in ways that users don't expect? What feature requests are made?

So, gathering usability data isn't impossible. It's not going to be the best data ever, because there are much more scientific ways to go about this, but it *is* valid data and can be useful to us.

I think going through and gathering this data would be *really* helpful and could lead to a much better interface. What would be the best way to gather this information? Should we set up some pages in the wiki and make sure they're well known to users as a place to report this sort of thing? The only problem with wikis is that people will see that something's been reported and not bother to duplicate, whereas we will want to know how *many* people are bothered by things. Perhaps something with some quick voting-style "this bugs me too" option?
How can we make it easy for people to report usability concerns?

Any thoughts on how to do this? I'm willing to do a bit of coordination here to make sure this happens if people think we'll actually be able to use the information to make things better.

Terri

On Thu, Mar 03, 2005 at 01:38:38PM -0500, Terri Oda wrote:

On Feb 16, 2005, at 8:54 AM, Tobias Eigen wrote:

...

I'm sorry to say it, but Mailman's web interfaces are extremely daunting and confusing. <snip> And we're only talking about the frontend (listinfo interface) here now, not even the backend (admin interface) for list owners. The backend is so incredibly complex and overwhelming that it has become a serious stumbling block for us in offering a service that people will actually use.

Same here. I am considering writing a wrapper in front of the admin pages, with _lots_ of buttons removed. (Don't hold your breath for that, though.) Perhaps a newbie/expert toggle on the interface would be helpful. Lots of listadmins at the site here are overwhelmed by the sheer _amount_ of buttons.

Bye,

Joost

-- Joost van Baal http://abramowitz.uvt.nl/ Tilburg University j.e.vanbaal@uvt.nl The Netherlands

Hi all,

I'm glad to see this thread continuing. I agree completely with Terri,
Fil and Joost. I'm really impressed with Googlegroups.. I used it
recently and it works well from a usability standpoint. I think Joost
has hit the nail on the head about how Mailman works well if you want
to understand exactly what it is doing and how it works - most people
(as shown by Yahoogroups) don't need this anymore and can expect to be
shielded from it. Likewise the passwords in the welcome message.

It sounds like through changes to the email interfaces/templates, new
wrappers (liked that idea very much) and a toggle for expert/newbie
interfaces, as well as integration with forums for discussion lists, we
*can* make Mailman more usable by ordinary people.

BTW, for those (like Kabissa) considering non-open source options, I
see that Jive Forums has an "email gateway" that can handle Mailman
integration and MBOX importing. http://www.jivesoftware.com - they have
a nonprofit license option that is in the realm of the affordable.
Something for the FAQ?

So yes, Terri, count me in! I have a ready group of Kabissa members and
list owners who would be willing to help out with usability testing. We
also do training regularly and have training partners in Africa, so
could possibly take advantage of that to do usability testing with
them.

Waiting for MM3 might be too long for me - I am in the process of
overhauling Kabissa's interfaces and integrating them, and need to be
making more rapid progress on making Mailman work for me or replacing
it with something easier.

Cheers,

Tobias

On Mar 4, 2005, at 5:50 AM, Fil wrote:

...

Same here. I am considering writing a wrapper in front of the admin pages, with _lots_ of buttons removed. (Don't hold your breath for that, though.) Perhaps a newbie/expert toggle on the interface would
be helpful. Lots of listadmins at the site here are overwhelmed by the sheer _amount_ of buttons.

Most people don't care about options. On my site I have tried to
streamline the registration process: there is a popup window where you can type
in your email, and sub/unsub (whether you are or not already subscribed).

See for instance http://listes.rezo.net/popup/ (click on the first
link).

But the second most important place for usability is the welcome
message, which is loaded with options and jargon. I have replaced it with (in
French):

<<<<<<<<<<<<<<<<

---

%(welcome)s Votre adresse est inscrite sur la liste %(real_name)s@%(host_name)s

Merci.

---

Pour vous désabonner, une page vous est réservée %(optionsurl)s %(umbrella)s Ce mot de passe empêchera quiconque de vous désabonner contre votre gré : %(password)s.

Autres informations sur la liste %(real_name)s : %(listinfo_url)s

...

...

...

...

...

>>>>>>>

But I still find it too complex; we should get rid of the password
thing. People just nedd to know where they can see more options.

As for the web interface, from what I've seen I think GoogleGroups has
got the slickest interface for the moment.

-- Fil

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives:
http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/ tobias%40kabissa.org

Security Policy:
http://www.python.org/cgi-bin/faqw-mm.py?req=show&; file=faq01.027.htp

-- Tobias Eigen Executive Director

Kabissa - Space for Change in Africa http://www.kabissa.org

• Kabissa's vision is for a socially, economically, politically, and
  environmentally vibrant Africa, supported by a strong network of
  effective civil society organizations. *

On Mar 4, 2005, at 9:36 AM, Dale Newfield wrote:

There are important tradeoffs to consider. My only interaction with google groups is that I now receive about 150 pieces of spam from them every day. I am unable to stem this, and google won't help me to do so. As a result I have added a .procmail filter to junk every message that comes from google groups. I would argue that this makes google groups completely un-usable. I hope that mailman doesn't become so simple to use that it becomes more of a spam tool than it already is.

I'm confused... do you feel it's the interface and ease of use of that interface that makes google groups more of a source of spam, or is this just a general comment about the disadvantages of their system?

I'm just trying to see if you're trying to indicate something we should avoid if we start looking to them for inspiration on improving usability, or if you're just commenting on the other problems of the system (like suddenly making piles of email addresses available on the web when they'd been much safer from spammers while sitting on usenet.
I know google groups has increased the amount of spam I receive, but it's unrelated to their interface...)

Terri

At 8:54 AM -0500 2005-03-04, Tobias Eigen wrote:

BTW, for those (like Kabissa) considering non-open source options, I see that Jive Forums has an "email gateway" that can handle Mailman integration and MBOX importing. http://www.jivesoftware.com - they have a nonprofit license option that is in the realm of the affordable. Something for the FAQ?

Done.  FAQ 1.26 is updated.

-- Brad Knowles, brad@stop.mail-abuse.org

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

 -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
 Assembly to the Governor, November 11, 1755

SAGE member since 1995. See http://www.sage.org/ for more info.

At 3:56 PM -0500 2005-03-04, Terri Oda wrote:

Fixing some of the interface issues is probably easier in 3 (a lot of the way in which we handle list member preferences, especially) but I wouldn't be adverse to making changes in the 2.1 series if doing so looks feasible and we aren't going to cause heart attacks in users.

The problem is that to really fix a lot of things, you're going 

to need architectural changes within the system. By the time you've done that, you've done more work than to finish off all the work for mm3.

I think we have to prioritize things and decide what can feasibly 

be looked at to fix in the 2.x tree, and what's going to have to wait for mm3.

-- Brad Knowles, brad@stop.mail-abuse.org

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

 -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
 Assembly to the Governor, November 11, 1755

SAGE member since 1995. See http://www.sage.org/ for more info.

On Mar 4, 2005, at 5:50 AM, Fil wrote:

But I still find it too complex; we should get rid of the password thing. People just nedd to know where they can see more options.

I've been thinking a bunch about this since it was mentioned as a security problem a while back, and the more I think about it, the more I like the idea of not having passwords for regular users. (Or having it possible for admins to disable passwords for regular users.)

I was thinking that it'd be best replaced with timed email-authorization things, the way you can currently unsubscribe without a password. I don't know how long the timeout on those things are, but having it send you an email with a link to the archives or your options seems feasible. Having the links only be valid for a given time (say, an hour?) would reduce the threat of dictionary attacks *and* mean that more users can figure out how to do things on their own. ;)

Terri

Private mailing list archives. Needed for that.

Adrian Bye wrote:

Why even bother with passwords? They're good to include in the unsubscribe URL, so that if someone maliciously gets your list, they can't unsubscribe everyone manually. But mainstream commercial autoresponders have no passwords, and they work great.

Sure, it _is_ possible that someone could cause problems, which a password prevents. But in practice this rarely happens. We're not talking the 80/20 rule

• we're talking the 99.99/0.01 rule.

Your average user is over burdened with passwords, and most mailing lists are pretty low involvement - users don't want to have to remember another password just for a mailing list.

I've actually had some changes to my mailman install made so that users can unsubscribe without a password - I'll share the code next week so you can take a look at it. We also shorted the unsubscribe URLs so it was below 60 chars, ensuring that it would work more reliably and not get broken on some mail clients.

Getting rid of passwords would open up mailman to usage to a much wider range of users, which should mean more development resources and interest.

...

-----Original Message----- From: Bob Puff@NLE [mailto:bob@nleaudio.com] Sent: Thursday, February 10, 2005 2:30 PM To: Barry Warsaw Cc: mailman-developers@python.org Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck

I've -always- disabled the monthly reminders, so that would be no great loss.

If we convert to one-way passwords, could the upgrade script convert the current passwords? It would be a -big- deal if everyone had to reset their passwords.

Bob

Barry Warsaw wrote:

...

I think CAN-2005-0202 gives us the opportunity to finally implement what we have long considered an embarrassing exposure in Mailman's config.pck databases. Member passwords are kept in this

database in the clear.

...

The obvious fix is to hash member passwords and keep only

the hash in

...

the database.

We haven't changed this before now for two reasons:

1. We would have to regenerate all member passwords, which is an administrative burden. We might also need to implement

checks to see

...

if the passwords were cleartext or hashed and do the password comparison accordingly.

2. This breaks all password reminders.

To fully address CAN-2005-0202 we're recommending sites regenerate their member passwords anyway, so this gives us an opening

to fix this

...

properly. And we have a better internal password generator now too.

As for #2, well, I think most people hate those password reminders anyway, and we've decided that they are going away for MM3.

I don't

...

think many people would shed too many tears if we killed

off monthly

...

password reminders for 2.1.6. Doing that would also eliminate the requirement for the site list, since its primary purpose is to function as the sender of the reminder messages.

To do this for 2.1.6, we'd have to change the "Email My

Password To Me"

...

feature in the options page and in the member login page.

These would

...

have to become a "create a new password for me" feature. Also, crontab.in should not call mailpasswds anymore, or that

script should

...

turn into a simple "here's the lists you are on" reminder,

without the

...

password information in it. This will require i18n updates too.

The downside to doing this now is that it's more coding

work for 2.1.6

...

and I'd like to get the new version out asap. Still, this

seems like

...

an opportunity that we shouldn't lightly dismiss.

What do you all think? Is anybody willing to take a crack

at a patch

...

for this?

-Barry

---

...

--

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe:

http://mail.python.org/mailman/options/mailman-developers/bob%40nleaud

...

io.com

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/adri an%40tasdevil.com

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com

this might not be a bad idea, but -- would require all operations to be validated via a URL emailed to the affected address. But I could live with that.

On Feb 10, 2005, at 10:44 AM, Adrian Bye wrote:

Getting rid of passwords would open up mailman to usage to a much wider range of users, which should mean more development resources and interest.

John W. Baxter wrote:

If the situation becomes a choice of

1. mail out the password becomes generate a new time-limited password and mail that Or
2. do away with passwords and have everything validated via a mailed-out URL

I think I as a user would prefer 2.

It is already hard enough to visit a private archive. E.g. if I have a link to a specific post and I follow it, by the time I get done logging in, my original link is forgotten and I go to the archive index instead.

If I now have to wait for an e-mail and follow some confirmation link, I'm going to give up before I ever get there.

I think there has to be a way to get directly to a private archive without going through some e-mailed confirmation. I might even be trying to access the archive from some machine that doesn't have access to the confirmation e-mail (perhaps a computer in a public library).

I agree that for most other things, e-mail confirmation is fine. I.e. if I go to my options page and change a few things, I don't mind having to answer an e-mail confirmation to make the changes effective, although I'm sure some would have privacy concerns about others being able to visit their options page without authorization.

Thus, on the whole I prefer passwords. Having to reset a forgotten password rather than being able to retrieve it would not be a problem for me.

-- Mark Sapiro msapiro@value.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Mark Sapiro schrieb:

I agree that for most other things, e-mail confirmation is fine. I.e. if I go to my options page and change a few things, I don't mind having to answer an e-mail confirmation to make the changes effective,

I do.

Thus, on the whole I prefer passwords. Having to reset a forgotten password rather than being able to retrieve it would not be a problem for me.

Yep. +1

I'm in agreement with Barry, that I don't think we should phase out passwords for 2.1.x. I know several of my users who sign up to the lists using their corporate mailbox, yet log in from home and view archives (they remember their password). I'd have people screaming bloody murder if the archives were required to have email confirmation for each read.

I'm sorry, but I just don't see other viable solutions except for passwords for this function. Every other "members-only" area on the internet today is authenticated by passwords, and they can be saved in the browsers for easy access.

I don't see a problem limiting the passwords to private archives though. Yes, email authentication is perfect for subscription changes.

So let me ask this: if we drop passwords for everything but the private archives, do we really need to do anything differently than the format currently in place? Do they really need to be one-way encrypted? Being able to email a forgotten password has its benefits.

For sites that don't use private archives, passwords would be a non-issue.

Bob

On Sat, 2005-02-12 at 05:33, Thomas Hochstein wrote:

I don't think so. I'd prefer to change options *immediately*, without having to wait until I get my mail (partly via UUCP).

I agree.

-Barry

... and then what happens when someone replies to the message, quoting the whole message? That "sensitive" URL is exposed.

-1.

Bob

---------- Original Message ----------- From: "Adrian Bye" adrian@tasdevil.com To: "'Barry Warsaw'" barry@python.org, "'Thomas Hochstein'" ml@ancalagon.inka.de Cc: mailman-developers@python.org Sent: Sat, 12 Feb 2005 13:08:55 -0400 Subject: RE: [Mailman-Developers] Hashing member passwords in config.pck

...

On Sat, 2005-02-12 at 05:33, Thomas Hochstein wrote:

...

I don't think so. I'd prefer to change options *immediately*, without having to wait until I get my mail (partly via UUCP).

I agree.

And without passwords, you don't have to. Instead of a password to access member options, you access it via the custom URL at the footer of every message. You can either save the URL in a password storage someplace, or just refer to an older message in your mail.

Adrian

---

Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com ------- End of Original Message -------

On Sat, 2005-02-12 at 02:07, Bob Puff wrote:

So let me ask this: if we drop passwords for everything but the private archives, do we really need to do anything differently than the format currently in place? Do they really need to be one-way encrypted? Being able to email a forgotten password has its benefits.

It's still worthwhile (in the long run) to hash the passwords. Some people tend to re-use them, so stealing Mailman passwords can potentially lead to cascading attacks. Password resets are fine.

-Barry

--On February 12, 2005 02:07:29 -0500 Bob Puff bob@nleaudio.com wrote:

I'm in agreement with Barry, that I don't think we should phase out passwords for 2.1.x. I know several of my users who sign up to the lists using their corporate mailbox, yet log in from home and view archives (they remember their password). I'd have people screaming bloody murder if the archives were required to have email confirmation for each read.

I'm sorry, but I just don't see other viable solutions except for passwords for this function. Every other "members-only" area on the internet today is authenticated by passwords, and they can be saved in the browsers for easy access.

+1. Actually, +15,000 for all the students and staff on campus that use Mailman here. They remember their passwords because they use them to log in to the machines on campus. Of course, I'd like Mailman to authenticate from our LDAP server instead of any password that Mailman stored - for users in our domain. For external users of our lists, then they'd need to have Mailman passwords - unless they had different functionality, I suppose.

-- Ian Eiloart Servers Team Sussex University ITS

On Thu, 2005-02-10 at 13:44, Adrian Bye wrote:

Why even bother with passwords? They're good to include in the unsubscribe URL, so that if someone maliciously gets your list, they can't unsubscribe everyone manually. But mainstream commercial autoresponders have no passwords, and they work great.

Since Mailman 2.1, passwords have not been required to unsubscribe, even though it is a common misconception that they are. I'm not sure why people forget that!

Actually, I think that if we just shut off the monthly reminder, 99% of Mailman users would never even know they had a password (who reads those welcome messages anyway?). They wouldn't care either because most people don't change their options and private archives aren't as common as public archives.

-Barry

On Fri, 2005-02-11 at 19:29, Adrian Bye wrote:

That sounds to me like the best of both worlds. Set it up so that no password is noticed for subscribing or unsubscribing. The password could be made completely transparent. Advanced users can access their password if they choose to do so for list archives, etc.

My point was that if you disable cron/mailpasswds, you get exactly as you describe.

-Barry

On Thu, 2005-02-10 at 13:29, Bob Puff@NLE wrote:

If we convert to one-way passwords, could the upgrade script convert the current passwords? It would be a -big- deal if everyone had to reset their passwords.

Yes, I think we could do that. I would not want to support a mix or dual-operation mode though. Either we hash or we don't.

-Barry