[Mailman-Developers] PyCon 2009 sprint: Webinterface

Patrick Ben Koetter p at state-of-mind.de
Mon Mar 23 15:55:57 CET 2009


* Barry Warsaw <barry at list.org>:
> On Mar 20, 2009, at 6:22 PM, Patrick Ben Koetter wrote:
>
>> Here's the link to a wiki I've put up to get started:
>>
>>    <http://mailman.state-of-mind.de/wiki/doku.php>
>
> Hi Patrick,
>
> Do you think the Mailman wiki would be a better place for this?

Yes. It keeps everything in one place. I would have to work around the
freemind mindmap flash fancy stuff though, which I've just fallen in love
with. But let's not let this get in the way.

How do we do it? Do I get write access to Mailman wiki?


>> I will add more as I get to it. Comments, ideas, improvements are  
>> welcome.
>> The server part, for example, is completely empty at the moment...
>
> One thing we discussed at last year's sprint, is the model that the REST 
> interface will have full admin access to Mailman's data model.  I.e. it 
> will by design be fully authenticated.  The reason for this is that we'd 
> like it to act as an API that other systems can use to integrate mailing 
> list services into their systems.  For example, if you had a web site 
> running PHP that you wanted to use Mailman for your mailing lists, it 
> could use this REST API to control and query Mailman.

We've thought about different client technologies too. That's the client
technology part I wrote about in the wiki.

What we didn't discuss was fully authenticated access for the REST server by
design. If I understand this correctly, then any party that is able to
communicate with the REST server will have full admin access to Mailman's data
model. In other words: It's up to any REST client to protect the REST server
from abuse.

I feel a little uneasy not having the server control that itself unless we
find a good way to control who may connect to the server or the server is able
to identify valid clients by some client identity (ACL).


> What this means though is that when you deploy Mailman's REST interface, 
> you must take care to protect it.  You wouldn't want to expose it to the 
> internet for example.  You'd want to make sure that its interface is 
> accessible only via your data center, or via localhost if you were running 
> a turnkey standalone system.

I was thinking of TLS client/server authentication for open networks. Not that
I have spent time yet to find out if Python (REST) tools provide such
functionality - I am sure they do, but given my low Python experience, I'd
rather verify...


> Still, this provides great advantages, such as the ability for us to  
> ship a web interface as an add on, and for sites to easily swap out the 
> web interface, or create their own ways of accessing and controlling 
> Mailman without having to write Python code (which they can do in MM2 and 
> will be able to do in MM3, though few sites apparently do this).

Same idea here.


p at rick


> So while an account/login model is necessary (e.g. for the email  
> interface), it needn't be required for accessing the REST API.
>
> Barry

-- 
state of mind
Agency for communication, design and software development

http://www.state-of-mind.de

Franziskanerstraße 15      Phone +49 89 3090 4664
81669 München              Fax +49 89 3090 4666

Amtsgericht München        Partnerschaftsregister PR 563
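
Added example, not part of the original message and not Mailman code: one way the two controls raised in this thread (TLS client authentication, plus a server-side ACL keyed on client identity) can be combined using only the Python 3 standard library. The names `ALLOWED_CLIENTS`, `AdminHandler` and `serve`, the sample common name, the port and the file paths passed to `serve` are assumptions made for illustration.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical ACL of client certificate common names (constructed values).
ALLOWED_CLIENTS = frozenset({"webui.example.org"})

def make_server_context(certfile=None, keyfile=None, client_ca=None):
    """Server-side TLS context that rejects clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if no client cert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)       # the server's own identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CA that issues client certs
    return ctx

def client_identity(peercert):
    """Extract the subject commonName from SSLSocket.getpeercert() output."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def client_allowed(peercert, allowed=ALLOWED_CLIENTS):
    """ACL check: a verified certificate alone is not enough, it must be listed."""
    return client_identity(peercert) in allowed

class AdminHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.connection is the SSLSocket; its certificate was already
        # verified against client_ca during the handshake.
        if not client_allowed(self.connection.getpeercert()):
            self.send_error(403, "client certificate not on ACL")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

def serve(certfile, keyfile, client_ca, host="127.0.0.1", port=8443):
    """Bind to localhost by default; widen the bind address only behind mTLS."""
    httpd = HTTPServer((host, port), AdminHandler)
    ctx = make_server_context(certfile, keyfile, client_ca)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Using a private CA that issues only client certificates keeps the trust decision on the server: the handshake rejects unknown issuers, and the ACL then narrows access to named clients.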