I don't know if this has been previously posted, but looking through my files for my mailing lists, I've noticed that each user's password is located in the config.db file in plain text.
While this isn't a tremendous problem right now for me, I can see where this would be a problem for others. Is this on the list of things to do/change?
I'm not speaking for the developers here, but I doubt that there's very little that can be done. I suppose that the password could be converted to a different form before it's stored (something like ROT13, for example), but that's just as crackable if you know what you're doing. mailman does need to be able to retrieve the password in its original state to send it out to users (so a function like crypt() wouldn't do).
However... I've noticed in the past that the config.db file for each list is set to be readable by anyone by default. This has to change or else any user can do a strings config.db and pull out passwords.
Chris
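An added example, not code from the thread or from the Mailman project: a small POSIX shell audit that reports every list's config.db that is readable by "other", plus a helper that strips that access. It assumes the per-list layout lists_dir/<listname>/config.db.

```shell
#!/bin/sh
# Added example (not from the original thread or from Mailman).
# Assumed layout: <lists_dir>/<listname>/config.db

# Print each config.db under $1 whose mode grants read access to "other".
# Returns 1 if at least one such file was found, 0 otherwise.
find_world_readable_configdb() {
    lists_dir="$1"
    found=0
    for f in "$lists_dir"/*/config.db; do
        [ -e "$f" ] || continue
        # -perm -004: the "other read" bit is set (portable across GNU/BSD find).
        if [ -n "$(find "$f" -maxdepth 0 -perm -004 -print 2>/dev/null)" ]; then
            echo "world-readable: $f"
            found=1
        fi
    done
    return $found
}

# Remove all access for "other" on every config.db under $1, so that an
# unprivileged local user can no longer run strings(1) over it.
fix_configdb_perms() {
    lists_dir="$1"
    for f in "$lists_dir"/*/config.db; do
        [ -e "$f" ] || continue
        chmod o-rwx "$f"
    done
}

# Usage (run as the Mailman owner or root):
#   find_world_readable_configdb /path/to/mailman/lists
#   fix_configdb_perms /path/to/mailman/lists
```

The audit only checks the mode bits of each file; the directory above it must also deny traversal to unprivileged users for the fix to hold.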