Approved header, mailman password and security

Hi,
We have been using the Approved header as a way to automatically approve commit logs to a read-only mailing list. We recently moved our infrastructure to github and I wrote a patch to the github Email service hook to add an Approved header.
https://github.com/github/github-services/pull/84
Now the problem of course is that this secret currently is either the list admin or the list moderator password, which is far from secure. Especially if the mails are not created on the mailman list server.
So I would propose to allow to set a separate secret used for approved messages. If compromised, it's easy to change that secret on both sides.
Is this acceptable ?
Thanks in advance
-- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- dagit linux solutions, info@dagit.net, http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]

On Thu, 14 Apr 2011, Dag Wieers wrote:
I received no feedback on this. Shall I open a ticket for this, or is this not considered valuable ?
-- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- dagit linux solutions, info@dagit.net, http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]

Dag Wieers wrote:
Sorry for not responding sooner. I do think it is a good idea. Although many lists do not need separate admins and moderators and could thus use the moderator password in this way, I think a separate 'posters' password would be a valuable change.
The problem is Mailman 2.1 is supposed to be feature frozen, and this is a rather extensive change involving the web GUI to set the password, and list migration changes to ensure that list objects have the poster password attribute. We can certainly consider this for MM3.
Please open a tracker item at <https://bugs.launchpad.net/mailman/+filebug>, and I'll see what I can do.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

I have created a tracker item at <https://bugs.launchpad.net/mailman/+bug/770581> for this and implemented it for Mailman 2.1.15.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On Mon, 25 Apr 2011, Mark Sapiro wrote:
Hi Mark,
It's nice to return from a prolonged weekend to find this in the mailbox :) Thanks a lot !
PS I broke the news on github as well for future reference: https://github.com/github/github-services/pull/84
Kind regards,
-- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- dagit linux solutions, info@dagit.net, http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]
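
Added illustration, not part of the thread and not Mailman's own code: a sketch of the privilege separation discussed above, where a dedicated poster secret in the Approved header pre-approves a post but carries no list-administration rights. The role names, secret values, addresses and function names are all hypothetical and constructed for this example.

```python
import hmac
from email.message import EmailMessage

# Constructed secrets for one list; "poster" is the separate secret proposed in the thread.
SECRETS = {"admin": "adm-9f2c", "moderator": "mod-51be", "poster": "post-c07a"}

def classify_approved(msg, secrets=SECRETS):
    """Return the role whose secret matches the Approved header, else None.

    The header is always removed so the secret is never relayed to subscribers.
    """
    supplied = msg.get("Approved")
    del msg["Approved"]  # no-op when the header is absent
    if supplied is None:
        return None
    supplied = supplied.strip().encode()
    matched = None
    for role, secret in secrets.items():
        # Constant-time comparison; every role is checked even after a match.
        if hmac.compare_digest(supplied, secret.encode()):
            matched = matched or role
    return matched

def may_post_unmoderated(role):
    # Any of the three secrets pre-approves a post.
    return role in ("admin", "moderator", "poster")

def may_change_list_settings(role):
    # A leaked poster secret must not grant configuration rights.
    return role == "admin"

def commit_mail(secret):
    """Build a constructed commit-log notification such as a service hook might send."""
    msg = EmailMessage()
    msg["From"] = "hook@example.org"
    msg["To"] = "commits@lists.example.org"
    msg["Subject"] = "[repo] 1 new commit"
    if secret is not None:
        msg["Approved"] = secret
    msg.set_content("constructed commit log body\n")
    return msg
```

If the poster secret stored on the remote hook is exposed, only that one value needs rotating on both sides; the admin and moderator secrets are unaffected.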
