[Mailman-Developers] MM3 - Using fqdn in the exposed URLs

Stephen J. Turnbull stephen at xemacs.org
Mon Jun 11 17:48:28 CEST 2012


Richard Wackerbarth writes:

 > The current design of the Postorius and Hyperkitty web interfaces
 > to the mailing list and its archives uses the fully qualified list
 > submission email address as a component of the URLs presented to
 > the public.
 > 
 > I fear that doing this will create an even greater invitation to
 > those who harvest email addresses for the purpose of spamming and
 > other nefarious reasons.

I think this is overblown.  These email addresses are almost certainly
easily available to spammers in other ways if they're going to be
visible to the public in the web interfaces.  (Consider List-Post, for
example.)  If we're going to be paranoid about this, we should also
refuse to subscribe users with Microsoft browsers and MUAs on the
grounds that they're far more likely to have their address books
stolen. :-)

OTOH, a lot of people do worry about this.  We should definitely
consider getting those addresses out of the URLs to make it easier for
the security-with-obscurity crowd to lock down their sites for any
reason they choose.

 > I think that we should rethink this decision and follow a "slug"
 > approach to the identification of the mailing lists in URLs. Those
 > who choose to do so can use the fqdn as their slug. But others
 > would be able to readily change the mapping without having to
 > rewrite significant parts of the interface code.

+1

It might be worth reviewing all the uses of URLs to see which ones can
be dispensed with (i.e., have such "slugs" substituted), and which ones
are essential to the functioning of Mailman (e.g., List-Post, which may be
suppressed at list-owner option, but if not, must contain the posting
address).
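
The slug mapping and the URL review discussed in this message, as an added example that is not part of the original post and not Mailman, Postorius or Hyperkitty code. The `SlugRegistry` class, the `audit` helper, the base URL and the list addresses are all hypothetical and constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

ADDRESS_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9._@+-]*")

class SlugRegistry:
    """Hypothetical slug <-> posting-address map (not Mailman's API)."""

    def __init__(self):
        self._by_slug = {}
        self._by_address = {}

    def register(self, posting_address, slug=None):
        address = posting_address.lower()
        slug = (slug or address).lower()  # default: the fqdn list name is the slug
        if not SLUG_RE.fullmatch(slug):
            raise ValueError(f"invalid slug: {slug!r}")
        if self._by_slug.get(slug, address) != address:
            raise ValueError(f"slug already used by another list: {slug!r}")
        # Changing the mapping retires the old slug, so old URLs stop resolving.
        self._by_slug.pop(self._by_address.get(address), None)
        self._by_slug[slug] = address
        self._by_address[address] = slug

    def url(self, base, posting_address):
        slug = self._by_address[posting_address.lower()]
        return f"{base}/{quote(slug, safe='')}/"

    def resolve(self, url_segment):
        return self._by_slug.get(unquote(url_segment).lower())

def audit(urls):
    """Map each web URL that embeds an email address to the addresses found."""
    findings = {}
    for url in urls:
        if url.lower().startswith("mailto:"):
            continue  # List-Post style URLs must carry the posting address
        found = ADDRESS_RE.findall(unquote(url))  # also catches %40-encoded '@'
        if found:
            findings[url] = found
    return findings

if __name__ == "__main__":
    BASE = "https://lists.example.org/archives"   # constructed sample values
    reg = SlugRegistry()
    reg.register("dev@lists.example.org")
    print(audit([reg.url(BASE, "dev@lists.example.org")]))
    reg.register("dev@lists.example.org", slug="dev-list")
    print(audit([reg.url(BASE, "dev@lists.example.org")]))
```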


