From mss at mawhrin.net Fri Apr 1 12:43:16 2005 From: mss at mawhrin.net (Mikhail Sobolev) Date: Fri Apr 1 12:43:20 2005 Subject: [Mailman-Developers] Mysql Adaptor Message-ID: <20050401104316.GA28979@mawhrin.net> Hi I searched the mailing list and found this MySql Adaptor for mailman. As far as I can see, it's not included in the release. Thus I have several questions: 1. Are there any particular reasons why it's included? 2. Can people who use this adaptor share their experience? Kind Regards -- Misha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mail.python.org/pipermail/mailman-developers/attachments/20050401/8d5911fb/attachment.pgp From mss at mawhrin.net Tue Apr 5 02:41:27 2005 From: mss at mawhrin.net (Mikhail Sobolev) Date: Tue Apr 5 02:41:31 2005 Subject: [Mailman-Developers] setup with central database Message-ID: <20050405004127.GA30305@mawhrin.net> Hi I'd like to create a rather special installation of mailman. Environment central user database, with its own methods of add/removing/modifying users, as well as disabling (temporarily of permanently) apache2 serves all stuff Access to the website (to any part of it) is restricted to authenticated users Now we came to the interesting part. If I just install the mailman as it is, the user would have to enter the authentication information twice, thus the first question: is it possible to somehow "re-use" the authentication information? From the other hand, it should be impossible to subscribe people who are not in the user database. And as soon as they are disabled, they do not receive any more mailings. Does anybody have any ideas how to implement such a setup? Right now I have a strong feeling that it's gonna require quite a bit of coding, and I'd really like to avoid it. Kind Regards -- Misha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mail.python.org/pipermail/mailman-developers/attachments/20050405/feec9fec/attachment.pgp From brad at stop.mail-abuse.org Tue Apr 5 10:50:50 2005 From: brad at stop.mail-abuse.org (Brad Knowles) Date: Tue Apr 5 11:42:16 2005 Subject: [Mailman-Developers] setup with central database In-Reply-To: <20050405004127.GA30305@mawhrin.net> References: <20050405004127.GA30305@mawhrin.net> Message-ID: At 4:41 AM +0400 2005-04-05, Mikhail Sobolev wrote: > Right now I have a strong feeling that it's gonna require quite a bit of > coding, and I'd really like to avoid it. Yeah, it's called Mailman3. -- Brad Knowles, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See for more info. From mss at mawhrin.net Tue Apr 5 13:15:48 2005 From: mss at mawhrin.net (Mikhail Sobolev) Date: Tue Apr 5 13:15:52 2005 Subject: [Mailman-Developers] setup with central database In-Reply-To: References: <20050405004127.GA30305@mawhrin.net> Message-ID: <20050405111548.GA29046@mawhrin.net> On Tue, Apr 05, 2005 at 10:50:50AM +0200, Brad Knowles wrote: > At 4:41 AM +0400 2005-04-05, Mikhail Sobolev wrote: > > > Right now I have a strong feeling that it's gonna require quite a bit of > > coding, and I'd really like to avoid it. > > Yeah, it's called Mailman3. Good to know :) Is it usable already? :) At least beta? On a serious note, any ideas about the schedule? Regards, -- Misha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mail.python.org/pipermail/mailman-developers/attachments/20050405/d9a46920/attachment.pgp From brad at stop.mail-abuse.org Tue Apr 5 14:02:56 2005 From: brad at stop.mail-abuse.org (Brad Knowles) Date: Tue Apr 5 14:03:58 2005 Subject: [Mailman-Developers] setup with central database In-Reply-To: <20050405111548.GA29046@mawhrin.net> References: <20050405004127.GA30305@mawhrin.net> <20050405111548.GA29046@mawhrin.net> Message-ID: At 3:15 PM +0400 2005-04-05, Mikhail Sobolev wrote: >>> Right now I have a strong feeling that it's gonna require quite a bit of >>> coding, and I'd really like to avoid it. >> >> Yeah, it's called Mailman3. > > Good to know :) Is it usable already? :) At least beta? It's still in the architecture/development phase. Not even alpha yet. > On a serious note, any ideas about the schedule? You'd need to talk to Barry about that. -- Brad Knowles, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See for more info. From terri at zone12.com Tue Apr 5 22:51:09 2005 From: terri at zone12.com (Terri Oda) Date: Tue Apr 5 22:49:31 2005 Subject: [Mailman-Developers] setup with central database In-Reply-To: <20050405004127.GA30305@mawhrin.net> References: <20050405004127.GA30305@mawhrin.net> Message-ID: <8273dd8c71bf6dc2e3e9d1b023a30d9e@zone12.com> On Apr 4, 2005, at 8:41 PM, Mikhail Sobolev wrote: > Environment > central user database, with its own methods of add/removing/modifying > users, as well as disabling (temporarily of permanently) > > apache2 serves all stuff > > Access to the website (to any part of it) is restricted to > authenticated users Brad's hit the nail on the head: what you really want is mailman3, which isn't available yet. It's a pretty common set of requests! In the meantime, for #1, you should take a look at the initiatives to use various databses with Mailman. I thought some people had some success with mysql? And for #3, you might want to look at information like that found in the FAQ http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.007.htp and see about setting something up to make it all work together. It'll be a bit hacked, but i doubt that it's *impossible*... You might also want to do some searches through the list archives... I'm pretty sure there've been a few people who've hacked up solutions for these things, and they might be willing to share some information with you. Terri From jpr at uab.edu Tue Apr 5 23:12:36 2005 From: jpr at uab.edu (John-Paul Robinson) Date: Tue Apr 5 23:12:42 2005 Subject: [Mailman-Developers] setup with central database In-Reply-To: <8273dd8c71bf6dc2e3e9d1b023a30d9e@zone12.com> Message-ID: I think this is an excellent example of the type of requirements that are influencing mailman3. I've been working as part of the Internet2 Mlist working group over the last year to help identify these types of requirements (eg. middleware integration) and what they mean to and how they influence mailing list software in general. You might find this material interesting: http://middleware.internet2.edu/mlist/ http://webapp.lab.ac.uab.edu/wiki/mlist If you have a near term deliverable you may want to have a look at an alternative mailing list service called Sympa (also GPL but Perl-based). It supports SQL queries for list subscribers. I'm not advocating competing software, just pointing out options. My belief is that over the next 5 years we will see mailing list software become a pluggable component of larger software systems. All requirements point in this direction. Having software that integrates nicely with external data (leverages middleware in Internet2 terminology) will make it more likely that one component can be replaced by another if need be. Similar to how you might choose one word processor over another, depending on your requirements and personal preferences. ~jpr On Tue, 5 Apr 2005, Terri Oda wrote: > > On Apr 4, 2005, at 8:41 PM, Mikhail Sobolev wrote: > > Environment > > central user database, with its own methods of add/removing/modifying > > users, as well as disabling (temporarily of permanently) > > > > apache2 serves all stuff > > > > Access to the website (to any part of it) is restricted to > > authenticated users > > Brad's hit the nail on the head: what you really want is mailman3, > which isn't available yet. It's a pretty common set of requests! > > In the meantime, for #1, you should take a look at the initiatives to > use various databses with Mailman. I thought some people had some > success with mysql? > > And for #3, you might want to look at information like that found in > the FAQ > http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.007.htp > and see about setting something up to make it all work together. It'll > be a bit hacked, but i doubt that it's *impossible*... > > You might also want to do some searches through the list archives... > I'm pretty sure there've been a few people who've hacked up solutions > for these things, and they might be willing to share some information > with you. > > Terri > > _______________________________________________ > Mailman-Developers mailing list > Mailman-Developers@python.org > http://mail.python.org/mailman/listinfo/mailman-developers > Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py > Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ > Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/jpr%40uab.edu > > Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp > From jwt at onjapan.net Tue Apr 12 03:15:06 2005 From: jwt at onjapan.net (Jim Tittsler) Date: Tue Apr 12 03:14:37 2005 Subject: [Mailman-Developers] 2.1.6b5: admin/www/mailman-install.* needs rebuilding Message-ID: <8433b4d9bd1a37cfd794a34ae421b2d3@onjapan.net> The admin/www/mailman-install.* files included in the 2.1.6b tarballs need to be rebuilt so they pick up the typo corrected in doc/mailman-install.tex. -- Jim Tittsler http://www.OnJapan.net/ GPG: 0x01159DB6 Python Starship http://Starship.Python.net/crew/jwt/ Mailman IRC irc://irc.freenode.net/#mailman From tkikuchi at is.kochi-u.ac.jp Thu Apr 14 15:08:30 2005 From: tkikuchi at is.kochi-u.ac.jp (Tokio Kikuchi) Date: Thu Apr 14 15:08:55 2005 Subject: [Mailman-Developers] Mailman 2.1.6 release candidate up Message-ID: <425E6B4E.4080902@is.kochi-u.ac.jp> Hi all, Now we are on the last stage before the final release of 2.1.6. After the release of 2.1.6b5, we've got translation updates from the language champions including Leona for zh_CN (Chinese, China). Hopefully, I will be able to release the 2.1.6 final within a week. Cheers, -- Tokio Kikuchi tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/ From tkikuchi at is.kochi-u.ac.jp Thu Apr 14 15:16:13 2005 From: tkikuchi at is.kochi-u.ac.jp (Tokio Kikuchi) Date: Thu Apr 14 15:16:23 2005 Subject: [Mailman-Developers] Mailman 2.1.6 release candidate up Message-ID: <425E6D1D.5030001@is.kochi-u.ac.jp> Sorry that I forget to add the download pointer; http://sourceforge.net/project/showfiles.php?group_id=103 or http://mm.tkikuchi.net/mailman-2.1.6rc1.tgz Hi all, Now we are on the last stage before the final release of 2.1.6. After the release of 2.1.6b5, we've got translation updates from the language champions including Leona for zh_CN (Chinese, China). Hopefully, I will be able to release the 2.1.6 final within a week. Cheers, -- Tokio Kikuchi tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/ From tkikuchi at is.kochi-u.ac.jp Fri Apr 22 06:09:09 2005 From: tkikuchi at is.kochi-u.ac.jp (Tokio Kikuchi) Date: Fri Apr 22 06:09:20 2005 Subject: [Mailman-Developers] Mailman 2.1.6 2nd release candidate Message-ID: <426878E5.8050303@is.kochi-u.ac.jp> Hi all, Afrer the release of RC1, we had a couple of reasons to delay the final, including a move of FSF office in the end of this month which are to be included in all the copyleft notices in the files. I will also become busy on my paid duties and the final release of 2.1.6 may not occur by the middle of May. :-< So, we have much time to test or translate this 2nd release candidate for the final 2.1.6. http://sourceforge.net/project/showfiles.php?group_id=103 or http://mm.tkikuchi.net/mailman-2.1.6rc2.tgz Cheers, -- Tokio Kikuchi tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/ From tkikuchi at is.kochi-u.ac.jp Fri Apr 22 23:53:45 2005 From: tkikuchi at is.kochi-u.ac.jp (Tokio Kikuchi) Date: Fri Apr 22 23:53:50 2005 Subject: [Mailman-Developers] [Fwd: [ mailman-Bugs-1188133 ] CGI group id not properly tested] Message-ID: <42697269.1000300@is.kochi-u.ac.jp> Hi Developers, There is a rumor that mailman security check is not proper and recommending patch to void our security check. Can someone write a refutation to this article? (In a fluent English of course ;-) -------- Original Message -------- Subject: [ mailman-Bugs-1188133 ] CGI group id not properly tested Date: Fri, 22 Apr 2005 07:58:37 -0700 From: SourceForge.net Reply-To: mailman-developers@python.org To: noreply@sourceforge.net Bugs item #1188133, was opened at 2005-04-22 15:58 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1188133&group_id=103 Category: Web/CGI Group: 2.1 (stable) Status: Open Resolution: None Priority: 5 Submitted By: Graham Klyne (grahamk) Assigned to: Nobody/Anonymous (nobody) Summary: CGI group id not properly tested Initial Comment: [I tried to send this to mailman-developers, but my message was discarded] I've just downloaded and installed the latest mailman 2.1.6rc1 and encountered a CGI permissions problem (running with Apache 2.0 on Scientific Linux 3.04), for which a patch is described in: http://minaret.biz/tips/mailman.html (briefly, replace getgid with getegid in common.c) Applying this patch resolves the problem I was experiencing. Is there any reason this isn't applied in the mailman distribution? #g ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1188133&group_id=103 _______________________________________________ Mailman-coders mailing list Mailman-coders@python.org http://mail.python.org/mailman/listinfo/mailman-coders -- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/ From jdennis at redhat.com Sat Apr 23 21:27:43 2005 From: jdennis at redhat.com (John Dennis) Date: Sat Apr 23 21:27:54 2005 Subject: [Mailman-Developers] [Fwd: [ mailman-Bugs-1188133 ] CGI group id not properly tested] In-Reply-To: <42697269.1000300@is.kochi-u.ac.jp> References: <42697269.1000300@is.kochi-u.ac.jp> Message-ID: <1114284463.1353.70.camel@localhost.localdomain> On Sat, 2005-04-23 at 06:53 +0900, Tokio Kikuchi wrote: > Hi Developers, > > There is a rumor that mailman security check is not proper and > recommending patch to void our security check. Can someone write > a refutation to this article? (In a fluent English of course ;-) > Bugs item #1188133, was opened at 2005-04-22 15:58 > Message generated for change (Tracker Item Submitted) made by Item Submitter > You can respond by visiting: > https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1188133&group_id=103 I believe Geoff Mottram may be confused with how mailman's security works. Normally when a process is invoked it is run with the owner and group of the process that invoked it. It does not execute with the owner and group belonging to the executable (unless it is setuid or setgid respectively). The mailman executable is setgid mailman. This means no matter who runs it, it will execute with its group set to mailman. Mailman's security is group based, anything mailman attempts to do will only succeed if the process attempting to perform the operation is a member of the mailman group. This is why the mailman "wrapper" is setgid mailman. No matter who invokes it, it runs as if it were a member of the mailman group (not the group of process that invoked it). Thus it has permission to perform mailman operations because it is executing as a member of the mailman group. But wait! That means anybody can invoke the mailman wrapper program and perform mailman operations because the wrapper when it starts to execute will immediately assume the mailman group identity granting it full mailman permissions. Thus we need a way to say "only a select set of trusted processes can invoke me". In other words, if somebody askes me to run and do mailman operations, do I trust the entity that asked me to do this? The trust question is answered by identifying the group of the process that asked me to run, in short, "if you're not a member of a group I trust I refuse to perform mailman operations". The group of the process that invoked mailman is the real group, this is the group that is being validated. If that validity check passes then all further operations occur under the effective group id of mailman, which is exactly what we want. Thus Mr. Mottram has confused the role of the real and effective group id in the validation check because it is the real group id that identifies the process that invoked mailman, and it is this id that we need to validate is a trusted process. If the change he proposes were implemented, to test the effective id, then the trust question become "if I am me", which is trivally true because of the setgid property, then the validty check always succeeds no matter who invoked mailman and all security is defeated. Note: I have only responded to this list, I have not updated the original bug posting. -- John Dennis From tkikuchi at is.kochi-u.ac.jp Sun Apr 24 01:58:18 2005 From: tkikuchi at is.kochi-u.ac.jp (Tokio Kikuchi) Date: Sun Apr 24 01:58:24 2005 Subject: [Mailman-Developers] [Fwd: [ mailman-Bugs-1188133 ] CGI group id not properly tested] In-Reply-To: <1114284463.1353.70.camel@localhost.localdomain> References: <42697269.1000300@is.kochi-u.ac.jp> <1114284463.1353.70.camel@localhost.localdomain> Message-ID: <426AE11A.1030507@is.kochi-u.ac.jp> Thank you John! I've updated the bug tracker. Mr. Mottram also changed his page after a little discussion with me. John Dennis wrote: > On Sat, 2005-04-23 at 06:53 +0900, Tokio Kikuchi wrote: > >>Hi Developers, >> >>There is a rumor that mailman security check is not proper and >>recommending patch to void our security check. Can someone write >>a refutation to this article? (In a fluent English of course ;-) > > >>Bugs item #1188133, was opened at 2005-04-22 15:58 >>Message generated for change (Tracker Item Submitted) made by Item Submitter >>You can respond by visiting: >>https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1188133&group_id=103 > > > I believe Geoff Mottram may be confused with how mailman's security > works. > (snip) > Note: I have only responded to this list, I have not updated the > original bug posting. > -- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/ From carbonnb at gmail.com Sun Apr 24 14:31:59 2005 From: carbonnb at gmail.com (Bryan Carbonnell) Date: Sun Apr 24 14:32:03 2005 Subject: [Mailman-Developers] XHTML Compliant Web UI - 2.1.6 Patch Message-ID: I have just uploaded a patch that will make the web UI for MM 2.1.6rc1 XHTML 1 strict compliant. This patch allows for some CSS formatting as well. I have tried to make all the pages compliant, but I may have missed some combinations of pages and options, so if you find some that aren't compliant, please let me know which page isn't compliant and under which circumstances it's not. It it patch 1160353 in the Sourceforge Mailman patch repository. http://sourceforge.net/tracker/index.php?func=detail&aid=1160353&group _id=103&atid=300103 If anyone has any feedback on it, I'd love to hear it,since this is my first attempt at something like this. -- Bryan Carbonnell - carbonnb@gmail.com Life's journey is not to arrive at the grave safely in a well preserved body, but rather to skid in sideways, totally worn out, shouting "What a great ride!" From barry at python.org Sun Apr 24 22:16:11 2005 From: barry at python.org (Barry Warsaw) Date: Sun Apr 24 22:16:16 2005 Subject: [Mailman-Developers] [Fwd: [ mailman-Bugs-1188133 ] CGI group id not properly tested] In-Reply-To: <426AE11A.1030507@is.kochi-u.ac.jp> References: <42697269.1000300@is.kochi-u.ac.jp> <1114284463.1353.70.camel@localhost.localdomain> <426AE11A.1030507@is.kochi-u.ac.jp> Message-ID: <1114373771.11662.2.camel@presto.wooz.org> On Sat, 2005-04-23 at 19:58, Tokio Kikuchi wrote: > Thank you John! I've updated the bug tracker. Mr. Mottram also changed > his page after a little discussion with me. BTW, note that Postfix generally isn't susceptible to this misunderstanding because Postfix will run its mail programs using the user and group owner of the alias file the filter program is defined in. Because the typical Postfix+Mailman installation is using the /usr/local/mailman/data/aliases.db file that is group owned by mailman, --with-mail-gid=mailman /is/ the right value to use. -Barry -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: This is a digitally signed message part Url : http://mail.python.org/pipermail/mailman-developers/attachments/20050424/ae1c6177/attachment.pgp From Nigel.Metheringham at dev.intechnology.co.uk Mon Apr 25 10:53:35 2005 From: Nigel.Metheringham at dev.intechnology.co.uk (Nigel Metheringham) Date: Mon Apr 25 10:53:37 2005 Subject: [Mailman-Developers] [Fwd: [ mailman-Bugs-1188133 ] CGI group id not properly tested] In-Reply-To: <1114373771.11662.2.camel@presto.wooz.org> References: <42697269.1000300@is.kochi-u.ac.jp> <1114284463.1353.70.camel@localhost.localdomain> <426AE11A.1030507@is.kochi-u.ac.jp> <1114373771.11662.2.camel@presto.wooz.org> Message-ID: <1114419215.5791.2.camel@angua.localnet> On Sun, 2005-04-24 at 16:16 -0400, Barry Warsaw wrote: > BTW, note that Postfix generally isn't susceptible to this > misunderstanding because Postfix will run its mail programs using the > user and group owner of the alias file the filter program is defined > in. Because the typical Postfix+Mailman installation is using the > /usr/local/mailman/data/aliases.db file that is group owned by mailman, > --with-mail-gid=mailman /is/ the right value to use. Similar arrangements exist with exim. The normal policy with the exim/Mailman configuration is to set the invoking uid/gid for the mailman wrapper suit whatever mailman was built for. [This is particularly useful when you are using a packaged mailman, which was probably built by someone considering how things work for sendmail] Nigel. -- [ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ] [ - Comments in this message are my own and not ITO opinion/policy - ] From terri at zone12.com Thu Apr 28 20:10:37 2005 From: terri at zone12.com (Terri Oda) Date: Fri Apr 29 02:32:30 2005 Subject: [Mailman-Developers] XHTML Compliant Web UI - 2.1.6 Patch In-Reply-To: References: Message-ID: On Apr 24, 2005, at 8:31 AM, Bryan Carbonnell wrote: > I have just uploaded a patch that will make the web UI for MM 2.1.6rc1 > XHTML 1 strict compliant. This patch allows for some CSS formatting as > well. I haven't looked at the patch itself yet, but +1 to the idea of making the interface XHTML and CSS friendly. From marshman at frozenbear.com Sat Apr 30 00:09:27 2005 From: marshman at frozenbear.com (=?ISO-8859-1?Q?Jeff=20Marshall?=) Date: Sat Apr 30 00:09:34 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring Message-ID: <200504292211.j3TMBbr29010@glin.devaudio.com> I have submitted a patch to SourceForge for consideration. Feature: - New third party archiving option that uses The Mail Archive. The implementation subscribes or unsubscribes the archive@mail-archive.com address from the subscriber list. The benefit to the list admin is to have a one-click setup option to provide them with mirroring and searchable archives. We (me and the other Jeff that admin The Mail Archive) have spoken with Lars at Gmane to see if we could make this work for Gmane as well, but he said their subscription process is manual and requires extra information, so Lars didn't think it would work for him. Patch was made against the latest CVS in branch Release_2_1-maint, which is currently 2.1.6rc3. Feedback? Thanks. Jeff Marshall marshman@frozenbear.com From barry at python.org Sat Apr 30 02:14:20 2005 From: barry at python.org (Barry Warsaw) Date: Sat Apr 30 02:14:26 2005 Subject: [Mailman-Developers] Mailman 2.1.6 release candidate 3 Message-ID: <1114820060.21515.43.camel@geddy.wooz.org> Release candidate 3 for Mailman 2.1.6 is now available. This fixes a late-breaking problem with RFC 2231 encoded headers containing bogus or non-existent charsets. Specifically, this release includes an updated version of the email package (2.5.6). Please try this version out as much as possible. Hopefully Tokio and I will get a 2.1.6 final out in about two weeks. -Barry https://sourceforge.net/project/showfiles.php?group_id=103&package_id=69562&release_id=324205 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: This is a digitally signed message part Url : http://mail.python.org/pipermail/mailman-developers/attachments/20050429/a9236d9f/attachment.pgp From brad at stop.mail-abuse.org Sat Apr 30 02:36:01 2005 From: brad at stop.mail-abuse.org (Brad Knowles) Date: Sat Apr 30 03:07:47 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <200504292211.j3TMBbr29010@glin.devaudio.com> References: <200504292211.j3TMBbr29010@glin.devaudio.com> Message-ID: At 3:09 PM -0700 2005-04-29, Jeff Marshall wrote: > Feedback? Speaking as the listmaster for ntp.isc.org (and ntp.org, back before all those lists got moved), I can say that I would not be opposed to this patch, if you would be willing to guarantee that you would not archive or mirror any mailing lists except through this sort of mechanism, and that adequate protections were built into the system. I ran into a problem where gmane was archiving some of our mailing lists (going back quite some time), and we didn't discover this fact until much, much later. Lars was nice enough to comply with our request to remove our lists from gmane, but these kinds of operations should not be done without a positive and explicit approval from the listmaster. So far as I know, gmane had never done that for our lists. They also had a minor problem where a couple of days after we requested that he remove all of our lists from his system, a new request from gmane came in to mirror/archive one of our other lists, which we obviously rejected. We also complained about this to Lars, and he apologized for not having recorded our preference to avoid mirroring/archiving any of our lists across the whole system. I know that mail-archive.com provides mirroring/archiving services for mailman-users and mailman-developers, and apparently you've had that arrangement through Barry for quite some time. So long as that was an explicit arrangement you had with the listmaster, I don't mind that continuing to remain. However, I do generally prefer to let mailing list servers provide their own archives and search functions. If the request came in today from mail-archive.com to do this function for mailman-users or mailman-developers, I would be opposed to it -- not strongly opposed, and I'd probably be out-voted by the other people who would have a say in this decision, but I would still be opposed. Nevertheless, I recognize that some people may place a higher value on having an external site provide mirroring/archiving services, and I don't mind making it easier for Mailman administrators to make use of such functions. However, I would want to make sure that these features are difficult to abuse or misuse, and I would want to make sure that all existing subscriptions get converted over to this kind of service as it becomes available, so that the additional protective measures are applied as broadly as possible. Is that waffley enough for you? ;) -- Brad Knowles, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See for more info. From stephen at xemacs.org Sat Apr 30 10:01:12 2005 From: stephen at xemacs.org (Stephen J. Turnbull) Date: Sat Apr 30 10:01:20 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: (Brad Knowles's message of "Sat, 30 Apr 2005 02:36:01 +0200") References: <200504292211.j3TMBbr29010@glin.devaudio.com> Message-ID: <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> >>>>> "Brad" == Brad Knowles writes: Brad> Lars was nice enough to comply with our request to Brad> remove our lists from gmane, but these kinds of operations Brad> should not be done without a positive and explicit approval Brad> from the listmaster. Any subscriber might be keeping and publishing an archive of the list posts. If the listmaster doesn't like that, he should be vetting each subscription, and making sure that each subscriber understands the rules. [Otherwise ... under copyright law, the listmaster has no interest in the posts. That implies that if the posters get upset about this, the listmaster is liable, as well as (and maybe more so) the 3rd party archiver.] I don't see why Gmane or the Mail Archive should have to obey special rules here. I think there are two issues here. The first is privacy. That is served simply by defaulting this feature off, and documenting whatever the policy of The Mail Archive is in the configuration process, and advising caution on the part of list admins, as they might be legally liable for 3rd party misbehavior. This actually answers most of your worries, Brad; ie, if Gmane gatewaying were part of the Mailman configuration process rather than at Gmane's option, your ntp lists would never have been gatewayed and archived, right? And the default and the docs are under mailman-developers control. I'm sure that if Jeff & Jeff didn't like the blurb because it was too accurate :-), Barry would be happy to remove the patch, but surely he wouldn't cover up potential problems in the doc or turn it on by default. The second is that this patch evidently constitutes a significant endorsement of The Mail Archive. As I understand Jeff's post, he went to the trouble of asking Lars if he would like a similar setup added for Gmane, patch to be coded by Jeff || Jeff. I have to admit that somebody who would go to that much trouble to implement the same feature for a close substitute sounds pretty endorsable to me! ... if Mailman is going to endorse services that way. I don't really think it's a good idea in principle, though. What happens if The Mail Archive goes away or goes proprietary? What are people going to think if The Mail Archive's maintainers hire Barry or Brad? Etc, etc. On the pro side, there is the point that this would make such mirroring an opt-in on the listmaster's side, which is good. So it might be worth Mailman thinking about under what conditions it would be good to make such an endorsement, and adding anybody who satisfied those conditions. -- School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN Ask not how you can "do" free software business; ask what your business can "do for" free software. From brad at stop.mail-abuse.org Sat Apr 30 15:46:49 2005 From: brad at stop.mail-abuse.org (Brad Knowles) Date: Sat Apr 30 15:47:07 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> References: <200504292211.j3TMBbr29010@glin.devaudio.com> <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> Message-ID: At 5:01 PM +0900 2005-04-30, Stephen J. Turnbull wrote: > Any subscriber might be keeping and publishing an archive of the list > posts. True enough. > If the listmaster doesn't like that, he should be vetting each > subscription, and making sure that each subscriber understands the > rules. We do that as much as we can. We don't really care about some of the lists, but there are others we care about a great deal. In the particular case of Gmane, I think they either added our lists to their archives at a time when their policies weren't so clear, or they did so before I became the listmaster, and the people who were around for that role did not remember any conversations with the Gmane people. > This actually answers most of your > worries, Brad; ie, if Gmane gatewaying were part of the Mailman > configuration process rather than at Gmane's option, your ntp lists > would never have been gatewayed and archived, right? If I could guarantee that I always had full control over that process, from my end and without requiring any intervention on the part of personnel at Gmane (or mail-archive.com, or whomever), then I'd be happy with that part. > The second is that this patch evidently constitutes a significant > endorsement of The Mail Archive. I had thought about that too, but I couldn't come up with anything more than a recognition of the fact, so I didn't mention it. My original response was unclear enough as it was, and I knew it -- I didn't want to muddy the waters further. > ... if Mailman is going to endorse services that way. I don't really > think it's a good idea in principle, though. What happens if The Mail > Archive goes away or goes proprietary? What are people going to think > if The Mail Archive's maintainers hire Barry or Brad? Etc, etc. Good questions. I don't think I have any answers. -- Brad Knowles, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See for more info. From lists05 at equinephotoart.com Sat Apr 30 17:05:31 2005 From: lists05 at equinephotoart.com (JC Dill) Date: Sat Apr 30 17:05:38 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> References: <200504292211.j3TMBbr29010@glin.devaudio.com> <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> Message-ID: <42739EBB.5090205@equinephotoart.com> Stephen J. Turnbull wrote: >The second is that this patch evidently constitutes a significant >endorsement of The Mail Archive. As I understand Jeff's post, he went >to the trouble of asking Lars if he would like a similar setup added >for Gmane, patch to be coded by Jeff || Jeff. I have to admit that >somebody who would go to that much trouble to implement the same >feature for a close substitute sounds pretty endorsable to me! > >... if Mailman is going to endorse services that way. I don't really >think it's a good idea in principle, though. What happens if The Mail >Archive goes away or goes proprietary? What are people going to think >if The Mail Archive's maintainers hire Barry or Brad? Etc, etc. > >On the pro side, there is the point that this would make such >mirroring an opt-in on the listmaster's side, which is good. So it >might be worth Mailman thinking about under what conditions it would >be good to make such an endorsement, and adding anybody who satisfied >those conditions. > I personally don't see it as being a significant endorsement. AIUI, it's a patch that allows 2 software programs to work well together. Mailman already provides patches or directions to make mailman work well with qmail and postfix, but I don't believe this constitutes an "endorsement" of qmail and/or postfix. Patches/directions that make mailman work well with archivers are similar - both with local archiver software and with mirror "site" archiver software. The documentation for these patches (or directions) should simply make it clear that the other programs - *all* the other programs (qmail, postfix, MHonArc, gmane, Mail Archive, etc.) - are not Mailman programs, and that the patches (or directions) are included solely for those who want to make mailman work well with the indicated outside-provided software or service. A simple patch philosophy that will address this and future patches: If the patch is incorporated into the main mailman build then the default state should be "off" so that the listmaster has to proactively turn the feature "on" for their mailman list server. If the patch remains as an add-on feature that has to be downloaded separately from the main build, then the default state could be "on" (since downloading the patch separately would be a clear indication that the listmaster desired to implement this feature on their mailman list server). This should be the same for all patches that specifically enable cooperation between mailman and any other outside-provided software or service. IMHO, etc. Caveat: I'm not a developer so those of you who actually write code and build/install the software (I just run it after someone else installed it for me :-) have much more say on this than I do. So if you hate my idea, speak up! jc From stephen at xemacs.org Sat Apr 30 17:53:32 2005 From: stephen at xemacs.org (Stephen J. Turnbull) Date: Sat Apr 30 17:53:37 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <42739EBB.5090205@equinephotoart.com> (JC Dill's message of "Sat, 30 Apr 2005 08:05:31 -0700") References: <200504292211.j3TMBbr29010@glin.devaudio.com> <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> <42739EBB.5090205@equinephotoart.com> Message-ID: <87u0lodzwj.fsf@tleepslib.sk.tsukuba.ac.jp> >>>>> "JC" == JC Dill writes: JC> I personally don't see it as being a significant endorsement. JC> AIUI, it's a patch that allows 2 software programs to work JC> well together. My understanding is that the programs already work well together; you just type "archive@mail-archive.org" into "Mass Subscribe", hit "Submit" and you're there. The patch changes this to "one-click," ie, advertises the Mail Archive as part of the ordinary configuration process. This is very different from patching the docs to explain that the Mail Archive is an alternative / supplement to pipermail, MHonArc, or Gmane. >From a technical standpoint, I'm all for it (subject to the "defaults to OFF" policy). Archiving is a sore point with all the MLMs; giving admins another easy-to-install option is a plus. But from a support and PR standpoint, I think it does constitute an endorsement. -- School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN Ask not how you can "do" free software business; ask what your business can "do for" free software. From lists05 at equinephotoart.com Sat Apr 30 18:36:07 2005 From: lists05 at equinephotoart.com (JC Dill) Date: Sat Apr 30 18:36:09 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <87u0lodzwj.fsf@tleepslib.sk.tsukuba.ac.jp> References: <200504292211.j3TMBbr29010@glin.devaudio.com> <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> <42739EBB.5090205@equinephotoart.com> <87u0lodzwj.fsf@tleepslib.sk.tsukuba.ac.jp> Message-ID: <4273B3F7.1070801@equinephotoart.com> Stephen J. Turnbull wrote: >>>>>>"JC" == JC Dill writes: >>>>>> >>>>>> > > JC> I personally don't see it as being a significant endorsement. > JC> AIUI, it's a patch that allows 2 software programs to work > JC> well together. > >My understanding is that the programs already work well together; you >just type "archive@mail-archive.org" into "Mass Subscribe", hit >"Submit" and you're there. The patch changes this to "one-click," ie, >advertises the Mail Archive as part of the ordinary configuration >process. > But *only* for lists on a server whose listmaster has explicitly: A) patched mailman to add this feature or B) toggled the setting in a mailman install to turn this feature on. so it's the *listmaster* who has to do something to make this available for the server users in the ordinary configuration process. > This is very different from patching the docs to explain >that the Mail Archive is an alternative / supplement to pipermail, >MHonArc, or Gmane. > > Mailman is what the listmaster makes of it, isn't it? The listmaster makes various decisions about how to patch and install mailman on their particular server. Once installed, it's not "our mailman" it is "their mailman" with the features and customization the listmaster selects. A patch that defaults to "off" unless the listmaster does something explicit to turn it on (by downloading a separate patch or by specifically changing the setting to "on") is not an endorsement, IMHO. It's just one more feature that allows the listmaster to easily customize mailman for their particular user needs. >>From a technical standpoint, I'm all for it (subject to the "defaults >to OFF" policy). Archiving is a sore point with all the MLMs; giving >admins another easy-to-install option is a plus. But from a support >and PR standpoint, I think it does constitute an endorsement. > > Would it help if the patch documentation elaborated on this concern? Example: This patch is provided for those who wish to enable their list owners to have a one-click option to have their lists archived with The Mail Archive. This patch is not an endorsement for The Mail Archive, each mailman server installer needs to make their own determination if this feature is desired on their server or not. jc From ml at ancalagon.inka.de Sat Apr 30 12:48:47 2005 From: ml at ancalagon.inka.de (Thomas Hochstein) Date: Sat Apr 30 18:41:55 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring References: <200504292211.j3TMBbr29010@glin.devaudio.com> Message-ID: Jeff Marshall schrieb: > - New third party archiving option that uses The Mail Archive. The > implementation subscribes or unsubscribes the > archive@mail-archive.com address from the subscriber list. Am I missing something, or wouldn't it be enough for a listowner who wishes to use that service to subscribe archive@mail-archive.com to the list to achieve that goal? Regards, -thh From marshman at frozenbear.com Sat Apr 30 19:37:15 2005 From: marshman at frozenbear.com (=?ISO-8859-1?Q?Jeff=20Marshall?=) Date: Sat Apr 30 19:37:21 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring Message-ID: <200504301739.j3UHdPr28187@glin.devaudio.com> Thomas Hochstein wrote: > Am I missing something, or wouldn't it be enough for a listowner who > wishes to use that service to subscribe archive@mail-archive.com to > the list to achieve that goal? Yes, although the patch contains two options. The first is the option to archive externally at mail-archive.com. The second option asks if the list admin wants to treat the external archive as primary, which sets the List-Archive header and the link on the list info page to the external archive. This is for admins that prefer a searchable archive as their primary. (It'd be nicer if RFC 2369 stated that the List-Archive header could support multiple URLs, but it doesn't.) The other positive for adding external archiving/mirroring as a Yes/No option is that it is helpful for list admins that don't know the services exist. The Mailman FAQ entry "How do I make the archives searchable" is a bit daunting, whereas this gives admins an easy option right in the Gui. The option for mail-archive.com mirroring is defaulted to No. This is a great discussion so far. Jeff From chuqui at plaidworks.com Sat Apr 30 19:51:00 2005 From: chuqui at plaidworks.com (Chuq Von Rospach) Date: Sat Apr 30 19:51:13 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> References: <200504292211.j3TMBbr29010@glin.devaudio.com> <87pswcg0c7.fsf@tleepslib.sk.tsukuba.ac.jp> Message-ID: <3340FFD3-57BA-4CF7-923F-9CAA164F5A8A@plaidworks.com> > Brad> Lars was nice enough to comply with our request to > Brad> remove our lists from gmane, but these kinds of operations > Brad> should not be done without a positive and explicit approval > Brad> from the listmaster. > > Any subscriber might be keeping and publishing an archive of the list > posts. If the listmaster doesn't like that, he should be vetting each > subscription, and making sure that each subscriber understands the > rules. If the listmaster has a position, it ought to be pusblished in the list rules, and the users should abide by that. problem is, users generally don't read the rules, but if it's not published, the owner has only himself to blame. > [Otherwise ... under copyright law, the listmaster has no > interest in the posts. That's arguable at best. > the 3rd party archiver.] I don't see why Gmane or the Mail Archive > should have to obey special rules here. > because it's the list owners list, and they have the final say on how its run. Not the users. If the users don't like it, they can go start their own lists, not attempt to co-opt policy on someone else's list. > > The second is that this patch evidently constitutes a significant > endorsement of The Mail Archive. no more than adding in a HOWTO on running with postfix is an endosement of postfix. > ... if Mailman is going to endorse services that way. I don't really > think it's a good idea in principle, though. What happens if The Mail > Archive goes away or goes proprietary? then we disable the patch. No biggie. As long as it's not mandatory, I don't see a problem here. > From tobias at kabissa.org Sat Apr 30 20:33:39 2005 From: tobias at kabissa.org (Tobias Eigen) Date: Sat Apr 30 20:33:44 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: References: <200504292211.j3TMBbr29010@glin.devaudio.com> Message-ID: <4945d6d882e151d8b7c8086f2eb01efe@kabissa.org> >> - New third party archiving option that uses The Mail Archive. The >> implementation subscribes or unsubscribes the >> archive@mail-archive.com address from the subscriber list. I find this whole discussion fascinating. I've been thinking about these types of possibilities for a while, and have been watching gmane and mail-archive off and on for inspiration for what Kabissa might do. Archiving is getting to be a big 'problem' at Kabissa currently, esp as our archives get older and bigger, and we desire to move to a more interactive and useful format for archiving discussions and making them more accessible via the web, i.e. in forums. Maybe the short-term answer is to encourage the listowners of our very busy lists to move their archives to mail-archive or gmane. In my view, this sort of functionality belongs at the other end - the site that wants to provide the archiving service. Over the years I've been toying with the idea of developing a tool hosted at Kabissa that would enable our members (organizations working in Africa) to submit lists that they want to archive and make accessible via Kabissa... both lists hosted on Kabissa's own mailman and those hosted elsewhere. This would be beneficial because the list may not be well archived elsewhere (chronic problem with pipermail archives), may otherwise only be archived at Yahoogroups (advertising driven and not easy to export archive to move it later - also don't include attachments), or may not be archived at all. Part of the process of submitting the list for archiving on Kabissa (providing name, description, home page, subscribe instructions etc) would optionally include subscribing an email address at Kabissa to the list itself. The described patch to Mailman is very interesting, though, and I'm glad it's been done. I haven't tried the patch, but from what I'm hearing the issue of it appearing to endorse one or other archives can be dealt with by making the feature customizable - i.e. have a control line where mailman admins can configure whatever external archiver they want, with completely configurable fields: the name/description of the archiver and the email address to automatically add. The mail-archive and gmane options would be included as examples but commented out. Without opening a can of worms, hopefully, let me close with one last thought. I realize this has probably been discussed ad nauseum in other places, but there's a bit of a flaw in all this. Email addresses can be faked, and so an archiver based on email is going to be fraught with problems - or at least a whole lot of spam on the archives once the spammers figure out how it works. On our own system, we use Mailman's own archiver subsystem for gatewaying messages to our Fud Forum (http://www.fudforum.org). Another way I've tried successfully is through the use of an email address made up of random characters that gets delivered to Fud. That works fine, and since the list is on Kabissa (managed by me) and the Fud is on Kabissa, the likelihood of spammers getting in by spoofing addresses is pretty low. Anyway, contact me off list if you want to discuss this further, esp if you can point me to resources/threads where this issue is dealt with to your satisfaction - it will help me to convince developers of various forums that it's worth opening the door to e-mail list/forum gatewaying. Here's a classic example of a thread on the Simple Machines Forum board: http://www.simplemachines.org/community/index.php?topic=10166.0 Cheers, Tobias -- Tobias Eigen Executive Director Kabissa - Space for Change in Africa http://www.kabissa.org * Kabissa's vision is for a socially, economically, politically, and environmentally vibrant Africa, supported by a strong network of effective civil society organizations. * From brad at stop.mail-abuse.org Sat Apr 30 23:56:03 2005 From: brad at stop.mail-abuse.org (Brad Knowles) Date: Sat Apr 30 23:59:37 2005 Subject: [Mailman-Developers] Patch for Mail Archive mirroring In-Reply-To: <4945d6d882e151d8b7c8086f2eb01efe@kabissa.org> References: <200504292211.j3TMBbr29010@glin.devaudio.com> <4945d6d882e151d8b7c8086f2eb01efe@kabissa.org> Message-ID: At 2:33 PM -0400 2005-04-30, Tobias Eigen wrote: > The described patch to Mailman is very interesting, though, and I'm glad > it's been done. I haven't tried the patch, but from what I'm hearing the > issue of it appearing to endorse one or other archives can be dealt with > by making the feature customizable - i.e. have a control line where > mailman admins can configure whatever external archiver they want, with > completely configurable fields: the name/description of the archiver and > the email address to automatically add. The mail-archive and gmane > options would be included as examples but commented out. This assumes that the patch could be modified so as to be generally applicable across all external archiving systems, and the comments from Lars at Gmane have already indicated that's not possible. This is a nice idea, but I don't think it's going to be that easy. Sure, you might be able to generalize the patch to a certain degree, but there would be many hurdles. Recall the post from Jeff Marshall at 30 Apr 2005 10:37:15 -0700 where he mentioned that RFC 2369 only allows for one List-Archive: URL. > Without opening a can of worms, hopefully, let me close with one last > thought. I realize this has probably been discussed ad nauseum in other > places, but there's a bit of a flaw in all this. Email addresses can be > faked, and so an archiver based on email is going to be fraught with > problems - or at least a whole lot of spam on the archives once the > spammers figure out how it works. Anything based on e-mail is going to be vulnerable. Whether this is a mailing list, a mailing list archiving system, or anything else. > On our own system, we use Mailman's > own archiver subsystem for gatewaying messages to our Fud Forum > (http://www.fudforum.org). Another way I've tried successfully is > through the use of an email address made up of random characters that > gets delivered to Fud. That works fine, and since the list is on > Kabissa (managed by me) and the Fud is on Kabissa, the likelihood of > spammers getting in by spoofing addresses is pretty low. External mailing list archiving systems would be likely to be reasonably secure. No one else would have any reason to know what address of theirs was subscribed to the mailing list, and it would be difficult to brute-force that. Moreover, it would be easy for them to implement a greylist-style mechanism where incoming posts from the mailing list are required to be sent by one or more given IP addresses, thus securing them from most sorts of inbound spoofs to the archive, even if the subscribed address could be discovered. If you're concerned about addresses being lifted from the archive, that's also reasonably easy to secure -- mail-archive.com has one example, but there are plenty of others. Of course, spammers could always subscribe to the list and then post their spam, and viruses would be able to look in the outbox of a user's MUA and then send new messages with virus content attached to those same recipients, and either of these types of posts would be likely to get through to the recipients of the list. One way to mitigate this problem is to require approval before a subscriber is allowed to finish the process to subscribe. Another is to make users moderated by default, so that their postings require approval before they get through to the list. Of course, there are always the mechanisms that Mailman provides for doing content stripping of MIME bodypart types, and I believe that these sorts of things should be done by default. I think we've already got some pretty good tools in this area. If you wanted to go further, you could require that all subscribers post via cryptographically signed messages, but then that would be vulnerable to the virus problem where the malware takes over the user's MUA and sends out messages in their name. I guess you could always run a completely closed system, whereby people could access a webmail-type system on your servers, or use a forum-based solution on the same machines, but I think that defeats much of the purpose of a mailing list management system, which is to take content as it comes in and to distribute that out to the various recipients so that they can read that at their leisure on their own systems. There might be other anti-spam security mechanisms which you could employ, and I'd welcome hearing about them. Then there are all the system-level anti-spam mechanisms, such as greylisting, rules-based message scoring systems like SpamAssassin, fingerprint-based content reporting/detection systems such as DCC/Razor/Pyzor, and others. Of course, all of these sorts of things would be outside of the mailing list management system, and not a part of Mailman. -- Brad Knowles, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See for more info.