[Mailman-Users] Re: cleartext passwords
Chuq Von Rospach
chuqui at plaidworks.com
Mon Oct 2 18:41:45 CEST 2000
At 8:54 AM -0700 10/2/00, alex wetmore wrote:
>Mailman passwords should not be considered secure.
You know that, I know that. Does the average user understand what
you're saying when you say that? Probably not. can you explain it to
them? Will they listen?
By my experience, a small percentage don't listen, no matter what you
do. When I migrated to Mailman, I subscribed everyone in msg mode,
and sent two (count them, two) messages to the lists explaining the
migration and warning everyone that if they wanted digests, to go
turn digest mode back on.
I'm *still* getting messages from people unsubscribing because "I
liked it better when I just got one message a day" -- sigh.
By the way, one thing I've done, and I recommend it strongly, is I've
added a note to the unsubscribe notes that says something like "we're
sorry you're leaving. If you'd like to tell us why, we'd like to
hear..." and a contact mailto. A fair number do, and while 50% are
simply letting us know they're changing addresses (Mailman really
needs an address change function), it's a useful way to get feedback,
and it's helped me pull back six or seven members who were clueless
over the digest stuff.
Mailman's subscribe page does a good job of warning folks about the
passwords. But you can't assume they'll pay attention.
> They are only a
>minor feature to prevent others from unsubscribing you.
In all my years of running lists, I can only think of one case where
this happened. And it happened to me, when a dweeb had a fight with
me as ListAdmin and decided to display some testosterone. He
regretted that fight.
if the reason you're doing this is to protect from unsubscribe slams,
I wouldn't bother. Unsubscribe fights are so rare that the complexity
isn't worth it. We have to protect against subscribe slams and the
various list-based attacks, but unsubscribe fights generally come
from fights ON a list, and can be handled by any listadmin who isn't
comatose. you KNOW who the idiot is if it happens...
>I do wish that Mailman had the option to just have confirmation email
>for any list configuration changes. This would be simpler for most
>users (especially since most of my users do the "send my password to me"
>to unsub anyway).
Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui at plaidworks.com)
Apple Mail List Gnome (mailto:chuq at apple.com)
You seem a decent fellow. I hate to die.
More information about the Mailman-Users