[Mailman-Users] a few questions about the NNTP gateway

Tue Aug 7 09:20:36 CEST 2007

On 8/7/07, Manlio Perillo wrote:

>  Well, having a pre-built packages systems has also some benefits.

True enough, and where it makes sense we do make wide use of binary 
packages for other things on the system.

>  The Debian Secutiry team still supports Debian Sarge.
>  And in theory, if a security problem is found in an upstream package,
>  the fix should be back ported on the Debian package.

The crux of that problem is the "... in theory ..." part.

In practice, we know that they make a lot of modifications that they 
don't share with us (for whatever reason), and because of all of the 
internal code changes, we can't be sure that when we fix a bug in our 
code that they fix the same bug in theirs, or that they don't create 
other bugs that we don't have.

Also, we know that they tend to be slow to update, and they tend to 
limit the stuff they back-port.

So, for critical stuff, I strongly believe that you really do want to 
run from the source tarballs themselves.

>  Well, the question of email in clear was raised by an
>  it.comp.lang.python newsgroup user.
>  And on this newsgroup, many of us do not use their real email address.

If you're used to address obfuscation, then you probably don't know 
how many news servers out there that are silently throwing away your 
articles.  And you probably do care more about the address 
obfuscation than getting your articles to the widest possible 
audience.

However, as a system administrator who would be supporting a 
reasonably large group of people, the problem you've got is that what 
particular individuals think is good for them is not necessarily good 
for the group as a whole, and may not even be good for the particular 
individuals who don't know any better.

You will need to choose where to balance the expectations and 
benefits of single individuals against those of the group, and you 
will also have to take into account the capabilities of the software.

One thing to keep in mind is that e-mail users generally assume that 
the addresses will not be obfuscated, and so if they start seeing 
obfuscated addresses then they are likely to be confused -- 
especially if they try to reply to that person directly.  So, they 
may have a benefit by having their e-mail addresses obfuscated when 
the cross the gateway, but they don't generally have an expectation 
that the gateway would do this for them.  Overall, obfuscated 
addresses for e-mail users are a bad thing.

In the case of USENET users, they may well be used to the address 
obfuscation of their choice, and they shouldn't be too surprised to 
see some users whose addresses are not obfuscated.  However, you may 
not be able to re-generate a valid e-mail address for them based on 
their obfuscation scheme, so it's going to be difficult to 
un-scramble that egg.  Overall, obfuscated addresses for USENET users 
may somewhat reduce their spam load, but these days spammers have 
multiple address snarfing techniques, so any obfuscation that is done 
is likely to be of minimal real benefit, although they may perceive a 
much larger benefit than is actually achieved.

When you mix these communities via a gateway, you get some 
interesting problems where the expectations of one group conflict 
with the expectations of the other.  And I'm not sure that anyone 
here can give you any hard rules to follow in such cases.

-- 
Brad Knowles <brad at shub-internet.org>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0