On Sun, 2020-09-20 at 18:23 +0900, Stephen J. Turnbull wrote:
I wrote:
I'm pretty sure that at least for now I[1] can configure a system to run Mailman 2 so that none of the above matters
"None of the above" includes other crypto.
I'm pretty sure that's pure FUD.
I do not agree. Besides being able to talk SMTP (and some people have used it, though I'm sure it's very few nowadays), Mailman 2 talks DNS (for DMARC) although I am not sure it can deal with secure DNS (in fact, I'm not sure anyone can ;-). DNS over HTTPS (DOH) is coming, which implies TLS.
You're on the Mailman Cabal and that's what you came up with?!?
Mailman 3's ARC handler has to do both encryption and decryption for ARC and decryption for DKIM, and that would be fairly easy to port (I'm pretty sure the underlying libraries are 2/3 compatible). (Ports are fair game because we're talking "future", and I imagine ARC support is something Jim Popovitch would like to have.)
You imagine wrong. I see ARC as a piece of the delivery phase; Mailman should sit well before that. Let's be realistic, nobody says "I'm gonna ditch my MTA and replace it with Mailman", just like nobody says "I'm going to process MLM email without a caching DNS resolver".
Any secure version of those protocols that Mailman 2 doesn't have could make Mailman unusable if some important partner decides to require it.
I'm sure I'm missing stuff, too. So no, it may not be more likely than not (given current status of "EOL"), but it's not pure FUD. And if the "reopen Mailman 2 for features" crowd has its way, the likelihood goes up IMO (because I don't think they're likely to succeed in getting a sufficiently stable port of Mailman 2 to Python 3).
Challenge accepted! Gauntlet: If we succeed, I challenge you to retire immediately.
(You're right Barry, this is fun!)
-Jim P.