[Mailman-Developers] Hashing member passwords in config.pck

John W. Baxter jwblist at olympus.net
Fri Feb 11 20:10:39 CET 2005


I used to be careful about saving my passwords for all the lists [Mailman*]
I am subscribed to.  I no longer bother...I request the mail out of the
password if I need it (very rare).

If the situation becomes a choice of
1.  "mail out the password" becomes "generate a new time-limited password and
mail that"
or
2.  do away with passwords and have everything validated via a mailed-out
URL

I think I as a user would prefer 2.  As a list owner, ANY change causes
queries and unhappiness among the ranks of the subscribers.  And as site
administrator, I would have to coordinate removal of passwords or even the
"new time-limited password" idea with our main list owner, who has her own
scripting to hide the passwords from the subscribers (who don't do things
via the Mailman web pages).

I concur with the idea of getting the simple patch out for the CAN-2005-0202
problem quickly in 2.1.6 and getting the password removal/changes into a
2.1.7 [or 2.2 as has also been suggested] (pretty soon and with very little
if anything else).

We shouldn't assume MySQL as the SQL server; we shouldn't assume LDAP as the
password database.  Here, we're phasing out MySQL in favor of PostgreSQL for
licensing reasons, and trying to phase out LDAP in favor of SQL for
stability reasons.  But we can't make those decisions for others, of course.

Bigger stuff I think has to wait for Mailman 3...this would include password
databases, subscriber databases site wide, etc.

  --John (who for medical reasons can't be of any help, but must continue
cheering from the sidelines.  Sorry!)

On 2/10/2005 10:55, "Chuq Von Rospach" <chuqui at plaidworks.com> wrote:

> this might not be a bad idea, but -- would require all operations to be
> validated via a URL emailed to the affected address. But I could live
> with that.
> 
> 
> On Feb 10, 2005, at 10:44 AM, Adrian Bye wrote:
> 
>> Getting rid of passwords would open up mailman to usage to a much
>> wider range of
>> users, which should mean more development resources and interest.



