On Tue, Nov 1, 2011 at 9:25 PM, Stephen J. Turnbull stephen@xemacs.org wrote:
> Jeffrey Walton writes:
>
> > I wish these list managers would get a f**king clue and do things securely.
>
> By which you mean what? What we've learned over the last 30 years is that when application developers try to do security, they generally miss something. AFAICS Mailman 2 did the right thing for its time: provide minimal security against idle mischief and admit that there was no security against hell-bent miscreants.

The best I can tell, Mailman 2 did the wrong thing. "Password Security: A Case History", www.cs.bell-labs.com/who/dmr/passwd.ps. Written in 1978.

> Mailman 3 is taking advantage of a decade of progress in security and network application design, and providing the hooks needed to allow admins to configure system security services. (This can be done with Mailman 2 as well, but not as smoothly.)

If Mailman 3 only provides hooks - as opposed to securely storing the secret - then Mailman 3 has problems out of the box. In this case, it would be no better than Mailman 2. Confer: list managers did not fix Mailman 2 (nor did they use other software which was secure). Why would you expect them to research and securely configure Mailman 3?

Jeff