[Mailman-Developers] Hashing member passwords in config.pck

Fri Feb 11 05:44:34 CET 2005

I'm all for the password-less stuff, but then how do you authenticate for
members-only archives?  I've got big lists that must be members-only for the
archives.

Bob

---------- Original Message -----------
From: Tokio Kikuchi <tkikuchi at is.kochi-u.ac.jp>
To: John Dennis <jdennis at redhat.com>
Cc: mailman-developers at python.org, Barry Warsaw <barry at python.org>
Sent: Fri, 11 Feb 2005 09:29:58 +0900
Subject: Re: [Mailman-Developers] Hashing member passwords in config.pck

> Hi,
> 
> John Dennis wrote:
> 
> > My suggestion would be:
> > 
> > 1) As soon as possible post MM 2.1.6 with the security patch.
> 
> +1
> 
> > 
> > 2) Quickly follow up with MM 2.1.7 with the member passwords hashed.
> 
> I would suggest 'mailman 2.2' and introduce password-less membership.
> Most of the user operations should be done by confirmation string 
> sent by email message. Users can optionally have their passwords 
> which should be stored in hashed format.
> 
> Other 2.2 features I imagine are:
> - Languages are selectable at configure option.
> - Internal strings are unified to unicode to reduce type checking.
> - Utf-8 web pages for
> 
> > At
> > the same time I think we should implement the stronger password
> > generation suggested in this open advisory against mailman.
> > 
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143
> > 
> This has been integrated in 2.1.6 CVS.
> 
> -- 
> Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp
> http://weather.is.kochi-u.ac.jp/
> 
> _______________________________________________
> Mailman-Developers mailing list
> Mailman-Developers at python.org
> http://mail.python.org/mailman/listinfo/mailman-developers
> Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com
------- End of Original Message -------