From gadgetsteve at live.co.uk Sat Sep 23 22:08:24 2017
From: gadgetsteve at live.co.uk (Steve Barnes)
Date: Sun, 24 Sep 2017 02:08:24 +0000
Subject: [Security-sig] Fwd: List Settings Question

I personally was very disappointed on signing up to both this mailing list & security-announce to receive back an email containing my password in plain text with the promise of the same thing once a month unless I changed settings on the Mailman site.

I would have thought that a security related list could provide better default practices than that!

Is anybody else concerned about the idea?

Steve Barnes.

---
This email has been checked for viruses by AVG.
http://www.avg.com


From george at fischhof.hu Mon Sep 25 16:38:07 2017
From: george at fischhof.hu (George Fischhof)
Date: Mon, 25 Sep 2017 22:38:07 +0200
Subject: [Security-sig] Fwd: List Settings Question

2017-09-24 4:08 GMT+02:00 Steve Barnes:
> I personally was very disappointed on signing up to both this
> mailing list & security-announce to receive back an email containing my
> password in plain text with the promise of the same thing once a month
> unless I changed settings on the Mailman site.
>
> I would have thought that a security related list could provide better
> default practices than that!
>
> Is anybody else concerned about the idea?
>
> Steve Barnes.
>
> ---------- Forwarded message ----------
> From: Steve Barnes
> To: "security-announce at python.org"
> Date: Sat, 23 Sep 2017 10:36:47 +0000
> Subject: List Settings Question
>
> Does anybody else on this list think that sending out the passwords as
> plain text once a month is a poor example of security to be setting?
>
> Personally I would rather not have this done with any of my passwords.
> --
> Steve (Gadget) Barnes
> Any opinions in this message are my personal opinions and do not reflect
> those of my employer.

+1
George


From wes.turner at gmail.com Mon Sep 25 16:49:03 2017
From: wes.turner at gmail.com (Wes Turner)
Date: Mon, 25 Sep 2017 15:49:03 -0500
Subject: [Security-sig] Fwd: List Settings Question

These passwords should not be recoverable, because they should only be stored as a one-way salted hash with n rounds.

Passlib has a number of password hashing functions:
- https://passlib.readthedocs.io/en/stable/
- https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/

Is this fixed in Mailman3?
http://www.list.org/download.html
http://www.list.org/devs.html #security lists: mailman-security at python.org as the seclist for mailman.

Mailman 2 src: https://launchpad.net/mailman
Mailman 3 src: https://gitlab.com/groups/mailman

On Saturday, September 23, 2017, Steve Barnes wrote:
> I personally was very disappointed on signing up to both this
> mailing list & security-announce to receive back an email containing my
> password in plain text with the promise of the same thing once a month
> unless I changed settings on the Mailman site.
>
> I would have thought that a security related list could provide better
> default practices than that!
>
> Is anybody else concerned about the idea?
>
> Steve Barnes.


From barry at python.org Mon Sep 25 17:09:02 2017
From: barry at python.org (Barry Warsaw)
Date: Mon, 25 Sep 2017 17:09:02 -0400
Subject: [Security-sig] List Settings Question
Message-ID: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>

On Sep 25, 2017, at 16:49, Wes Turner wrote:
> Is this fixed in Mailman3?

Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.

Cheers,
-Barry


From ncoghlan at gmail.com Mon Sep 25 22:58:30 2017
From: ncoghlan at gmail.com (Nick Coghlan)
Date: Tue, 26 Sep 2017 12:58:30 +1000
Subject: [Security-sig] List Settings Question
In-Reply-To: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>
References: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>

On 26 September 2017 at 07:09, Barry Warsaw wrote:
> On Sep 25, 2017, at 16:49, Wes Turner wrote:
>
>> Is this fixed in Mailman3?
>
> Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.

Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3?

Eventually migrating all of mail.python.org is going to be a mammoth task, but it would be nice if we could at least stop digging the hole deeper by encouraging new lists to start out on MM3, and offering a way for list owners to request piecemeal migrations.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia


From victor.stinner at gmail.com Tue Sep 26 07:47:24 2017
From: victor.stinner at gmail.com (Victor Stinner)
Date: Tue, 26 Sep 2017 13:47:24 +0200
Subject: [Security-sig] List Settings Question
References: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>

A few months ago, I asked postmaster for the creation of a new buildbot-status list. It was created with mailman3.

Victor

On 26 Sept. 2017 04:58, "Nick Coghlan" wrote:
> On 26 September 2017 at 07:09, Barry Warsaw wrote:
>> On Sep 25, 2017, at 16:49, Wes Turner wrote:
>>
>>> Is this fixed in Mailman3?
>>
>> Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth). What passwords Mailman 3 does keep are encrypted with passlib.
>
> Perhaps security-sig could blaze the trail by migrating off of MM2 and on to MM3?
>
> Eventually migrating all of mail.python.org is going to be a mammoth task, but it would be nice if we could at least stop digging the hole deeper by encouraging new lists to start out on MM3, and offering a way for list owners to request piecemeal migrations.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia


From barry at python.org Tue Sep 26 10:12:21 2017
From: barry at python.org (Barry Warsaw)
Date: Tue, 26 Sep 2017 10:12:21 -0400
Subject: [Security-sig] List Settings Question
References: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>
Message-ID: <190CA9A8-D485-49F5-A34C-258B156AEFB7@python.org>

On Sep 25, 2017, at 22:58, Nick Coghlan wrote:
>
> Perhaps security-sig could blaze the trail by migrating off of MM2 and
> on to MM3?

I've made that request to postmaster at python.org, for both security-sig and security-announce.

I'll have to chat with Mark to see if there's a way we can actively prevent new lists from being created on the MM2 instance (and whether we should!).

-Barry


From mark at msapiro.net Tue Sep 26 11:57:09 2017
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 26 Sep 2017 08:57:09 -0700
Subject: [Security-sig] [Mailman-cabal] Fwd: List Settings Question

On 09/25/2017 01:49 PM, Wes Turner wrote:
> These passwords should not be recoverable; because they should be only
> stored as a one-way salted hash with n rounds.

This is a very well known issue with Mailman 2.1 and prior versions. See .

...

> Is this fixed in Mailman3?

Yes.

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
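The storage scheme Wes Turner describes above (a one-way salted hash with a configurable number of rounds, so the list server can verify a password but can never mail it back) in working Python, as an added example that is not part of this thread and not Mailman's or passlib's own code. It uses the standard library's hashlib.pbkdf2_hmac instead of passlib; the record format, the round count, and the function names hash_password, verify_password, needs_rehash and login are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for this example; a real deployment tunes it to its hardware.
DEFAULT_ROUNDS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"  # record prefix; this example's own storage format


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a one-way, salted record for storage.

    Returns 'pbkdf2_sha256$<rounds>$<salt-b64>$<digest-b64>'. The plaintext is
    kept nowhere, so a "monthly password reminder" is impossible by construction.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([
        SCHEME,
        str(rounds),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (rounds, salt, digest); reject unknown schemes."""
    scheme, rounds, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported password record scheme: %r" % scheme)
    return int(rounds), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and rounds and compare in constant time."""
    rounds, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the record was made with fewer rounds than current policy.

    Only the hash is stored, so the upgrade has to wait for the next successful
    login, the one moment the plaintext is briefly in hand.
    """
    rounds, _, _ = _parse(record)
    return rounds < min_rounds


def login(password: str, record: str, min_rounds: int = DEFAULT_ROUNDS) -> Optional[str]:
    """Check a login attempt.

    On success, return the record the server should keep (re-hashed when the
    stored one is below policy); on failure, return None.
    """
    if not verify_password(password, record):
        return None
    if needs_rehash(record, min_rounds):
        return hash_password(password, min_rounds)
    return record


if __name__ == "__main__":
    # Constructed sample: a subscriber sets a password; the server keeps only the record.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("right password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", stored))
    print("same password, different records:", hash_password("x") != hash_password("x"))
```

The per-password random salt means two subscribers with the same password get unrelated records, and the round count is stored alongside the digest so the work factor can be raised later without invalidating existing accounts.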