[Mailman-Users] Approved header, mailman password and security

Mark Sapiro mark at msapiro.net
Wed Apr 20 16:54:00 CEST 2011


Dag Wieers wrote:

>On Thu, 14 Apr 2011, Dag Wieers wrote:
>
>> We have been using the Approved header as a way to automatically approve 
>> commit logs to a read-only mailing list. We recently moved our infrastructure 
>> to github and I wrote a patch to the github Email service hook to add an 
>> Approved header.
>>
>>    https://github.com/github/github-services/pull/84
>>
>> Now the problem of course is that this secret currently is either the list 
>> admin or the list moderator password, which is far from secure. Especially if 
>> the mails are not created on the mailman list server.
>>
>> So I would propose to allow to set a separate secret used for approved 
>> messages. If compromised, it's easy to change that secret on both sides.
>>
>> Is this acceptable?
>
>I received no feedback on this. Shall I open a ticket for this, or is this 
>not considered valuable?


Sorry for not responding sooner. I do think it is a good idea. Although
many lists do not need separate admins and moderators and could thus
use the moderator password in this way, I think a separate 'posters'
password would be a valuable change.

The problem is Mailman 2.1 is supposed to be feature frozen, and this
is a rather extensive change involving the web GUI to set the
password, and list migration changes to ensure that list objects have
the poster password attribute. We can certainly consider this for MM3.

Please open a tracker item at
<https://bugs.launchpad.net/mailman/+filebug>, and I'll see what I can
do.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
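
The separation proposed in this thread, sketched as an added example that is not part of the original message and is not Mailman code: a dedicated poster secret can approve a message carrying an Approved header but cannot act as moderator or admin. The role names, the credential store, the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

def _kdf(secret: str, salt: bytes) -> bytes:
    # Store only a salted, stretched digest of each secret, never the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Hypothetical per-list credential store; every value here is constructed.
# Roles are ordered least-privileged first.
SECRETS = {
    role: (salt, _kdf(pw, salt))
    for role, salt, pw in [
        ("poster", b"salt-p", "constructed-poster-secret"),
        ("moderator", b"salt-m", "constructed-moderator-pw"),
        ("admin", b"salt-a", "constructed-admin-pw"),
    ]
}

def role_for(secret: str):
    """Return the least-privileged role whose secret matches, else None."""
    matched = None
    for role, (salt, stored) in SECRETS.items():  # check every role, no early exit
        if hmac.compare_digest(_kdf(secret, salt), stored) and matched is None:
            matched = role
    return matched

def process_post(raw: str):
    """Return (approved, role, message with the Approved header stripped)."""
    msg = message_from_string(raw)
    supplied = msg.get("Approved")
    del msg["Approved"]  # never relay the secret to subscribers
    role = role_for(supplied.strip()) if supplied else None
    return role is not None, role, msg

def can_administer(secret: str) -> bool:
    """A leaked poster secret must not open moderator or admin functions."""
    return role_for(secret) in ("moderator", "admin")

# Constructed sample: a commit notification sent by an off-server hook.
SAMPLE = (
    "From: commits@example.org\n"
    "To: commits-list@example.org\n"
    "Subject: [repo] constructed commit notification\n"
    "Approved: constructed-poster-secret\n"
    "\n"
    "Commit log body.\n"
)
```

If the hook's copy of the poster secret leaks, only that one value needs rotating on both sides, and the list's admin and moderator passwords stay unexposed.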
