[Mailman-Developers] Monthly reminder sent by mailman-owner considered harmful

Harald Meland Harald.Meland@usit.uio.no
04 Jun 1999 19:00:17 +0200


[Bart Schaefer]

> On 4 Jun 1999, Harald Meland wrote:
> 
> > [Bart Schaefer]
> > 
> > > Consider the possibility that I, unaware that this is going to take
> > > place, subscribe an address that represents a local exploder.  At
> > > some later time everyone on that local list is going to be given my
> > > password
> > 
> > If you're adding other people's addresses, then how would they be able
> > to unsubscribe later
> 
> Because my "local exploder" is a news gateway and they simply use their
> newsreader to subscribe/unsubscribe the newsgroup.  Or because my exploder
> is another mailing list manager so they can subscribe/unsubscribe from the
> local list.  Neither of these is an uncommon situation.

I have no problem seeing the usefulness of adding non-personal
addresses to mailing lists.  I was merely stating that you shouldn't
be using a very "private" password when doing so (i.e. don't use
passwords that are used for other subscriptions as well).

[ Even if the automatic reminders are turned off, people can still go
  to the list's member page (if it is open), click on some member
  address, and click on the "Send me my password now" button to have
  Mailman distribute the password to the member (which could be an
  exploder). ]

In cases like these, there _will be_ loopholes in Mailman's "security
mechanisms", unless you introduce some new concepts -- e.g. a "member
owner address" that receives all administrative requests regarding
its associated member.

The umbrella list feature of Mailman solves these things for lists
where _all_ the members are exploders, but not for lists with both user
and list members.  I have been thinking about implementing a more
general solution after 1.0 is out, but the list of post-1.0 things to
do is getting pretty long... :)
-- 
Harald
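
The "member owner address" idea from the message above, sketched as an added Python example; it is not Mailman code and not part of the original post. The `Member` fields, the function names and the addresses are hypothetical and constructed for illustration. Both the monthly reminder and the "Send me my password now" button go through the same routing decision, so both are covered by one check.

```python
from dataclasses import dataclass
from typing import List, Optional

# Message kinds that carry the member's password (assumed names).
PASSWORD_BEARING = {"monthly_reminder", "password_request"}

@dataclass
class Member:
    address: str                   # where list posts are delivered
    owner: Optional[str] = None    # hypothetical "member owner address"
    fans_out: bool = False         # True for an exploder, gateway or sub-list

def admin_recipient(m: Member) -> str:
    """Administrative mail goes to the owner if one is set, else to the member."""
    return m.owner or m.address

def route(m: Member, kind: str) -> str:
    """Pick the delivery address for one outgoing message."""
    if kind in PASSWORD_BEARING:
        return admin_recipient(m)
    return m.address               # ordinary list traffic

def exposed_members(roster: List[Member]) -> List[str]:
    """Members whose password-bearing mail would still reach a fan-out address."""
    return [m.address for m in roster
            if m.fans_out and admin_recipient(m) == m.address]

# Constructed roster: a person, an exploder without an owner, one with an owner.
ROSTER = [
    Member("alice@example.org"),
    Member("local-news-gw@example.org", fans_out=True),
    Member("dept-list@example.org", owner="dept-admin@example.org", fans_out=True),
]

if __name__ == "__main__":
    for m in ROSTER:
        for kind in ("post", "monthly_reminder", "password_request"):
            print(f"{kind:17} {m.address:27} -> {route(m, kind)}")
    print("still exposed:", exposed_members(ROSTER))
```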