[Mailman-Developers] In regard to GSoc-17

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Mon Mar 6 05:11:51 EST 2017


Hi,

Apart from what Abhilash wrote, I have a few ;-) additional comments.

Bhavishya writes:

 > Hi, I saw the idea to create various kinds of encrypted lists,
 >  Could you elaborate the following:
 > 1)The amount of knowledge of security (and if possible the sources
 > to achieve the same)

You need to understand what a "threat model" is, and the structure of
a mailing list as a system to know what threats can be defended
against, and to decide which threats to defend against.  You need to
understand how mailing lists and the mail system work in some detail,
and what the use cases for encrypted lists might be.  For self-study,
you could start with Bruce Schneier's blog, especially his famous post
on "the security mindset", and with Steve Bellovin's book, _Thinking
Security_.  Bellovin's book has many references.  The core mail
security RFCs are enumerated below.

The code for various encryption algorithms is already available in the
standard library (OpenSSL, for example, although a lot of people
deprecate it) and in 3rd-party libraries on PyPI.  Writing encryption
modules is not part of this task.

 > 2)The development environment (what else is required apart from
 > linux)

Python 2.7, Python 3.5 (both 2.7 and 3.5 are currently *required*),
plus Python 3.6 if you're adventurous (GNU Mailman 3 doesn't
officially support Python 3.6 yet), modules from PyPI as-needed.  Your
Python(s) must be built to support OpenSSL, or some other source of
implementations for encryption algorithms.  git.  The Mailman Suite
(the subprojects mailman, mailmanclient, django-mailman3, postorius,
hyperkitty, mailman-hyperkitty) from http://gitlab.com/mailman.
(Dependencies for the suite will be installed automatically by the
setup.py for each component.)  An MTA, either Postfix (most popular
among Mailman core developers) or Exim4 (supported).  Sendmail and
Qmail may be usable but are not advised unless you can provide support
for them yourself -- there is ZERO support in Mailman 3 itself.  It
may not be very hard to support a new MTA (it took me 10 minutes to
configure Exim4 and 30 to write the docs), but you won't get much help
from us.  Why risk it?  It would be nice if you have a test domain
where you can install Mailman on the standard SMTP port 25 or
submission port 587, but testing on localhost is acceptable.

 > 3)Any other task for me to strengthen my application(I would try
 > fixing bugs on my level though)

Get an account on gitlab.  Read the FAQ for Mailman 2, the archives
for mailman-users, mailman-developers, and mailman3-users to get some
idea of the level and needs of our users.  Subscribe to those lists.

Take a look at RFCs 5321 (SMTP), 5322 (Internet Message Format), 4949
(security glossary), and 5598 (email architecture).  Bookmark them and
RFCs 2045 (MIME), 2046 (MIME), 2387 (multipart/related), 2015
(MIME/PGP), 3156 (MIME/OpenPGP), 5751 (S/MIME), and 5752 (multiple
signatures).

I recommend reading all the way through RFC 4949, as a complement to
Schneier's blog and Bellovin's book (or similar).  RFC 5598 is very
the abstracts and introductions to RFCs 5321 and 5322, as
understanding the basic concepts of email are going to be very
important.  For the rest just bookmarking is fine.  We would
eventually be referring to them in the implementation most likely, but
you don't need to be totally familiar for the application.

Steve
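Added example, not part of Steve's message and not Mailman's own code: the post points at RFC 3156 (MIME/OpenPGP) as the wire format an encrypted list would have to handle, and the first thing a list server must do with such a message is confirm that its MIME container actually has the shape the RFC requires before it decides whether to decrypt, re-sign, reject or bounce it. The checker below uses only the standard-library `email` package (available in the Python 3.5 the post requires) to validate the `multipart/encrypted` and `multipart/signed` structures of RFC 3156 and to report every deviation it finds. It inspects structure only; it does not decrypt or verify anything, which needs an OpenPGP implementation. The sample messages, the `example.org` addresses and the armored bodies are constructed placeholders, not real ciphertext or signatures.

```python
"""Structural validation of RFC 3156 (PGP/MIME) containers.

Added example; not Mailman code.  Checks MIME layout only, never
cryptography.  Sample data below is constructed for the example.
"""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def check_pgp_mime(msg):
    """Return (kind, problems) for an email.message.Message.

    kind is 'encrypted', 'signed' or None; problems is a list of
    deviations from RFC 3156 (empty when the container is well formed).
    """
    ctype = msg.get_content_type()
    proto = msg.get_param("protocol")
    problems = []
    if ctype == "multipart/encrypted":
        kind = "encrypted"
        want_proto = "application/pgp-encrypted"
        # RFC 3156 section 4: a control part, then the encrypted data.
        want_parts = ("application/pgp-encrypted", "application/octet-stream")
    elif ctype == "multipart/signed":
        kind = "signed"
        want_proto = "application/pgp-signature"
        # RFC 3156 section 5: the signed data, then the detached signature.
        want_parts = (None, "application/pgp-signature")
        if msg.get_param("micalg") is None:
            problems.append("multipart/signed lacks micalg parameter")
    else:
        return None, ["not a multipart/encrypted or multipart/signed message"]

    if proto != want_proto:
        problems.append("protocol=%r, expected %r" % (proto, want_proto))

    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        problems.append("expected exactly two body parts")
        return kind, problems  # further checks assume two parts

    for idx, (part, want) in enumerate(zip(parts, want_parts)):
        got = part.get_content_type()
        if want is not None and got != want:
            problems.append("part %d is %s, expected %s" % (idx + 1, got, want))

    if kind == "encrypted":
        # The control part must carry exactly the 'Version: 1' marker.
        control = parts[0].get_payload(decode=True) or b""
        if b"Version: 1" not in control:
            problems.append("control part does not declare 'Version: 1'")
    return kind, problems


def build_encrypted_sample():
    """Constructed multipart/encrypted message (placeholder ciphertext)."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = "alice@example.org"
    outer["To"] = "secret-list@example.org"
    outer["Subject"] = "constructed sample"
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    outer.attach(MIMEApplication(
        b"-----BEGIN PGP MESSAGE-----\n[constructed placeholder]\n"
        b"-----END PGP MESSAGE-----\n", "octet-stream"))
    return outer.as_string()


def build_signed_sample():
    """Constructed multipart/signed message (placeholder signature)."""
    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg="pgp-sha256")  # micalg names the digest used
    outer["From"] = "alice@example.org"
    outer["To"] = "secret-list@example.org"
    outer.attach(MIMEText("Meeting moved to Tuesday.\n"))
    outer.attach(MIMEApplication(
        b"-----BEGIN PGP SIGNATURE-----\n[constructed placeholder]\n"
        b"-----END PGP SIGNATURE-----\n", "pgp-signature"))
    return outer.as_string()


def build_malformed_sample():
    """Constructed message that claims to be PGP/MIME but is not."""
    outer = MIMEMultipart("encrypted")  # no protocol parameter
    outer.attach(MIMEApplication(b"Version: 2\n", "pgp-encrypted"))
    outer.attach(MIMEText("not an OpenPGP body\n"))  # wrong second part
    return outer.as_string()


def check_text(text):
    """Parse a message from its wire form and validate it."""
    return check_pgp_mime(email.message_from_string(text))


if __name__ == "__main__":
    for name, text in (("encrypted", build_encrypted_sample()),
                       ("signed", build_signed_sample()),
                       ("malformed", build_malformed_sample())):
        print(name, check_text(text))
```

The point for a list server is that a well-formed outer structure is a precondition, not a guarantee: a message can pass this check and still fail decryption or signature verification, and a list that re-encrypts to its members has to rebuild exactly this layout (two parts, correct `protocol`, `Version: 1` control part) or recipients' mail clients will not recognise the result.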
