Fwd: List Settings Question
I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text with the promise of the same thing once a month unless I changed settings on the Mailman site. I would have thought that a security related list could provide better default practices than that! Is anybody else concerned about the idea? Steve Barnes. --- This email has been checked for viruses by AVG. http://www.avg.com
2017-09-24 4:08 GMT+02:00 Steve Barnes <gadgetsteve@live.co.uk>:
I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text with the promise of the same thing once a month unless I changed settings on the Mailman site.
I would have thought that a security related list could provide better default practices than that!
Is anybody else concerned about the idea?
Steve Barnes.
---------- Forwarded message ----------
From: Steve Barnes <gadgetsteve@live.co.uk>
To: "security-announce@python.org" <security-announce@python.org>
Date: Sat, 23 Sep 2017 10:36:47 +0000
Subject: List Settings Question
Does anybody else on this list think that sending out the passwords as plain text once a month is a poor example of security to be setting?
Personally I would rather not have this done with any of my passwords. -- Steve (Gadget) Barnes Any opinions in this message are my personal opinions and do not reflect those of my employer.
_______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
+1 George
These passwords should not be recoverable, because they should only be stored as a one-way salted hash with n rounds. Passlib has a number of password hashing functions:
- https://passlib.readthedocs.io/en/stable/
- https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/
Is this fixed in Mailman3?
http://www.list.org/download.html
http://www.list.org/devs.html #security lists: mailman-security@python.org as the seclist for mailman.
Mailman 2 src: https://launchpad.net/mailman
Mailman 3 src: https://gitlab.com/groups/mailman
On Saturday, September 23, 2017, Steve Barnes <gadgetsteve@live.co.uk> wrote:
I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text with the promise of the same thing once a month unless I changed settings on the Mailman site.
I would have thought that a security related list could provide better default practices than that!
Is anybody else concerned about the idea?
Steve Barnes.
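Wes's point above, that a list password should be kept only as a salted, iterated one-way hash so that no reminder mail could ever contain it, as an added example that is not part of the thread or of Mailman's own code: it uses the standard library's PBKDF2-HMAC rather than the passlib library the thread names, and the record format, round count and function names are assumptions of this example.

```python
"""Added example: one-way salted password hashing with n rounds.
Stdlib PBKDF2-HMAC stands in for passlib; the record layout
'pbkdf2_sha256$rounds$salt$digest' is an assumption of this example."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ROUNDS = 200_000  # assumed work factor; raise it as hardware speeds up


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record. A fresh random salt per user means two
    users with the same password get different records, and nothing in the
    record lets the server (or a monthly reminder job) recover the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([ALGORITHM, str(rounds),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and round count and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, rounds, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n_rounds = int(rounds)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n_rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when a stored record is below current policy (wrong algorithm or too
    few rounds); re-hash it at the user's next successful login, the only moment
    the plain-text password is legitimately in hand."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_rounds
```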
On Sep 25, 2017, at 16:49, Wes Turner <wes.turner@gmail.com> wrote:
Is this fixed in Mailman3?
Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib. Cheers, -Barry
On 26 September 2017 at 07:09, Barry Warsaw <barry@python.org> wrote:
On Sep 25, 2017, at 16:49, Wes Turner <wes.turner@gmail.com> wrote:
Is this fixed in Mailman3?
Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.
Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3? Eventually migrating all of mail.python.org is going to be a mammoth task, but it would be nice if we could at least stop digging the hole deeper by encouraging new lists to start out on MM3, and offering a way for list owners to request piecemeal migrations. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
A few months ago, I asked postmaster for the creation of a new buildbot-status list. It was created with Mailman 3. Victor
On 26 Sept. 2017 04:58, "Nick Coghlan" <ncoghlan@gmail.com> wrote:
On 26 September 2017 at 07:09, Barry Warsaw <barry@python.org> wrote:
On Sep 25, 2017, at 16:49, Wes Turner <wes.turner@gmail.com> wrote:
Is this fixed in Mailman3?
Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.
Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3? Eventually migrating all of mail.python.org is going to be a mammoth task, but it would be nice if we could at least stop digging the hole deeper by encouraging new lists to start out on MM3, and offering a way for list owners to request piecemeal migrations. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
On Sep 25, 2017, at 22:58, Nick Coghlan <ncoghlan@gmail.com> wrote:
Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3?
I’ve made that request to postmaster@python.org, for both security-sig and security-announce. I’ll have to chat with Mark to see if there’s a way we can actively prevent new lists from being created on the MM2 instance (and whether we should!). -Barry
On 09/25/2017 01:49 PM, Wes Turner wrote:
These passwords should not be recoverable; because they should be only stored as a one-way salted hash with n rounds.
This is a very well known issue with Mailman 2.1 and prior versions. See <https://bugs.launchpad.net/mailman/+bug/265179>. ...
Is this fixed in Mailman3?
Yes. -- Mark Sapiro <mark@msapiro.net> San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
participants (7)
- Barry Warsaw
- George Fischhof
- Mark Sapiro
- Nick Coghlan
- Steve Barnes
- Victor Stinner
- Wes Turner