Fwd: List Settings Question

I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text, with the promise of the same thing once a month unless I changed settings on the Mailman site.
I would have thought that a security related list could provide better default practices than that!
Is anybody else concerned about the idea?
Steve Barnes.
--- This email has been checked for viruses by AVG. http://www.avg.com

2017-09-24 4:08 GMT+02:00 Steve Barnes gadgetsteve@live.co.uk:
I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text, with the promise of the same thing once a month unless I changed settings on the Mailman site.
I would have thought that a security related list could provide better default practices than that!
Is anybody else concerned about the idea?
Steve Barnes.
---------- Forwarded message ----------
From: Steve Barnes gadgetsteve@live.co.uk
To: "security-announce@python.org" security-announce@python.org
Date: Sat, 23 Sep 2017 10:36:47 +0000
Subject: List Settings Question

Does anybody else on this list think that sending out the passwords as plain text once a month is a poor example of security to be setting?
Personally I would rather not have this done with any of my passwords.
Steve (Gadget) Barnes
Any opinions in this message are my personal opinions and do not reflect those of my employer.
Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
+1
George

These passwords should not be recoverable, because they should only be stored as a one-way salted hash with n rounds.
Passlib has a number of password hashing functions:
- https://passlib.readthedocs.io/en/stable/
- https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/
Is this fixed in Mailman3?
http://www.list.org/download.html
http://www.list.org/devs.html #security lists:
mailman-security@python.org
as the seclist for mailman.
Mailman 2 src: https://launchpad.net/mailman
Mailman 3 src: https://gitlab.com/groups/mailman
On Saturday, September 23, 2017, Steve Barnes gadgetsteve@live.co.uk wrote:
I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text, with the promise of the same thing once a month unless I changed settings on the Mailman site.
I would have thought that a security related list could provide better default practices than that!
Is anybody else concerned about the idea?
Steve Barnes.

On Sep 25, 2017, at 16:49, Wes Turner wes.turner@gmail.com wrote:
Is this fixed in Mailman3?
Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.
Cheers, -Barry
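As an added example (not code from Mailman, passlib or any poster in this thread), this is what the "one-way salted hash with n rounds" storage Wes asks for, and the passlib-backed hashed storage Barry describes for Mailman 3, looks like in practice: the list server keeps only a salted, iterated digest, so a monthly plaintext reminder is impossible because there is no plaintext to send. The standard library's PBKDF2-HMAC stands in for passlib so it runs without extra packages; the record format `pbkdf2-sha256$<rounds>$<salt hex>$<hash hex>` is assumed for this example.

```python
# Added example, not Mailman's or passlib's code. Stores a password only as a
# one-way salted hash with a configurable round count and verifies against
# that record. Record layout (assumed here): "pbkdf2-sha256$rounds$salt$hash".
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-sha256"
DEFAULT_ROUNDS = 100_000   # the "n rounds" from the thread; tune to the hardware
SALT_BYTES = 16


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; the plaintext is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{ALGORITHM}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        algorithm, rounds_str, salt_hex, digest_hex = record.split("$")
        rounds = int(rounds_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                    # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False                    # unknown scheme: refuse rather than guess
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: what a list server would keep for one subscriber.
    record = hash_password("correct horse battery staple")
    print(record)                                                     # no plaintext inside
    print(verify_password("correct horse battery staple", record))    # True
    print(verify_password("correct horse battery stapler", record))   # False
```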

On 26 September 2017 at 07:09, Barry Warsaw barry@python.org wrote:
On Sep 25, 2017, at 16:49, Wes Turner wes.turner@gmail.com wrote:
Is this fixed in Mailman3?
Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.
Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3?
Eventually migrating all of mail.python.org is going to be a mammoth task, but it would be nice if we could at least stop digging the hole deeper by encouraging new lists to start out on MM3, and offering a way for list owners to request piecemeal migrations.
Cheers, Nick.

A few months ago, I asked postmaster for the creation of a new buildbot-status list. It was created with mailman3.
Victor
On 26 Sept 2017 04:58, "Nick Coghlan" ncoghlan@gmail.com wrote:
On 26 September 2017 at 07:09, Barry Warsaw barry@python.org wrote:
On Sep 25, 2017, at 16:49, Wes Turner wes.turner@gmail.com wrote:
Is this fixed in Mailman3?
Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.
Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3?
Eventually migrating all of mail.python.org is going to be a mammoth task, but it would be nice if we could at least stop digging the hole deeper by encouraging new lists to start out on MM3, and offering a way for list owners to request piecemeal migrations.
Cheers, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia

On Sep 25, 2017, at 22:58, Nick Coghlan ncoghlan@gmail.com wrote:
Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3?
I’ve made that request to postmaster@python.org, for both security-sig and security-announce. I’ll have to chat with Mark to see if there’s a way we can actively prevent new lists from being created on the MM2 instance (and whether we should!).
-Barry

On 09/25/2017 01:49 PM, Wes Turner wrote:
These passwords should not be recoverable; because they should be only stored as a one-way salted hash with n rounds.
This is a very well known issue with Mailman 2.1 and prior versions. See https://bugs.launchpad.net/mailman/+bug/265179.
...
Is this fixed in Mailman3?
Yes.
Participants (7):
- Barry Warsaw
- George Fischhof
- Mark Sapiro
- Nick Coghlan
- Steve Barnes
- Victor Stinner
- Wes Turner