[Mailman-Developers] PyCon 2009 sprint: Webinterface

Barry Warsaw barry at list.org
Tue Mar 24 00:48:16 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 23, 2009, at 10:55 AM, Patrick Ben Koetter wrote:

> Yes. It keeps everything in one place. I would have to work around the
> freemind mindmap flash fancy stuff though, which I've just fallen in love
> with. But let's not let this get in the way.
>
> How do we do it? Do I get write access to the Mailman wiki?

You should have write access just by virtue of having an account on  
the wiki.  There are only a few pages that aren't generally writable  
by every logged in user.  If you're having a problem with a specific  
page, let me know.

> We've thought about different client technologies too. That's the client
> technology part I wrote about in the wiki.
>
> What we didn't discuss was fully authenticated access for the REST server by
> design. If I understand this correctly then any party that is able to
> communicate with the REST server will have full admin access to Mailman's data
> model. In other words: It's up to any REST client to protect the REST server
> from abuse.

That's basically correct.

> I feel a little uneasy not having the server control that itself unless we
> find a good way to control who may connect to the server or the server is able
> to identify valid clients by some client identity (ACL).

It depends on whether we view the REST API as a user feature or an  
admin interface.  I've always thought about it as the latter, but I'm  
open to other opinions.  OTOH, I think there's a lot of functionality  
that a privileged process could need, that the general public won't  
need at all.  Another way to think about it is that there doesn't need  
to be just one REST API.

>> What this means though is that when you deploy Mailman's REST interface,
>> you must take care to protect it.  You wouldn't want to expose it to the
>> internet for example.  You'd want to make sure that its interface is
>> accessible only via your data center, or via localhost if you were running
>> a turnkey standalone system.
>
> I was thinking of TLS client/server authentication for open networks. Not that
> I have spent time yet to find out if Python (REST) tools provide such
> functionality - I am sure it does, but given my low Python experience, I'd
> rather verify...

I'm not sure about this either.
Barry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAknIH8AACgkQ2YZpQepbvXHdPACeOlFuUp985yiVMpDqcMUEjIyc
3rcAoJukYnubROsC9yK1SMt6KV7yjFBk
=yOAo
-----END PGP SIGNATURE-----
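The thread above leaves two deployment controls on the table: binding the REST server to localhost (Barry's "turnkey standalone" case) and having the server itself decide which clients may connect (Patrick's ACL idea). The following is an added, stand-alone Python example written for this page; it is not Mailman code and not the REST server the thread discusses. The allowlist, the `/lists` path and the JSON payload are constructed for illustration. It binds an HTTP server to loopback and rejects any connection whose TCP peer address is outside a configured set of networks, before any request reaches the data model.

```python
import http.server
import ipaddress
import json
import threading
import urllib.error
import urllib.request

# Constructed allowlist for the example: loopback plus a private data-centre
# range. A real deployment would load this from configuration.
DEFAULT_ALLOWED_CIDRS = ("127.0.0.0/8", "::1/128", "10.0.0.0/8")


def parse_networks(cidrs):
    """Turn CIDR strings into ip_network objects once, at startup."""
    return [ipaddress.ip_network(c) for c in cidrs]


def client_allowed(peer_addr, networks):
    """True if the socket peer address lies inside one of the allowed networks.

    The check is on the TCP peer address, not on any HTTP header: a client
    cannot forge the address the kernel reports for its own connection.
    """
    try:
        ip = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


class AdminAPIHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for an admin REST endpoint that must not be reachable by everyone."""

    networks = parse_networks(DEFAULT_ALLOWED_CIDRS)

    def do_GET(self):
        # Enforce the ACL before touching the data model at all.
        if not client_allowed(self.client_address[0], self.networks):
            self.send_error(403, "client address not permitted")
            return
        # Hypothetical payload standing in for list data.
        body = json.dumps({"lists": ["announce@example.com"]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        # Silence per-request logging so the example stays quiet.
        pass


def start_server(bind_host="127.0.0.1", allowed_cidrs=DEFAULT_ALLOWED_CIDRS):
    """Start the admin API on a background thread.

    bind_host defaults to loopback, the 'turnkey standalone' case: nothing
    off the machine can even open a socket to it. Port 0 lets the OS pick a
    free port; read it back from httpd.server_address.
    """
    handler = type("AclHandler", (AdminAPIHandler,),
                   {"networks": parse_networks(allowed_cidrs)})
    httpd = http.server.HTTPServer((bind_host, 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch_status(port, path="/lists"):
    """Return the HTTP status a loopback client gets from the server."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv = start_server()
    print("loopback client, loopback allowed:", fetch_status(srv.server_address[1]))
    srv.shutdown(); srv.server_close()
    srv = start_server(allowed_cidrs=("10.0.0.0/8",))
    print("loopback client, only 10/8 allowed:", fetch_status(srv.server_address[1]))
    srv.shutdown(); srv.server_close()
```

Two caveats a practitioner would want. The ACL keys on the socket peer, so if a reverse proxy sits in front of the server every request arrives from the proxy's address and the list degrades to "trust the proxy"; do not substitute an `X-Forwarded-For` header for the peer address, since clients set that freely. The other option raised in the thread, TLS client certificates, is not shown here: in Python it would be an `ssl.SSLContext` with `verify_mode = ssl.CERT_REQUIRED` and a CA file of acceptable client issuers, which needs a certificate authority and issued certificates that this self-contained example cannot supply.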
