[Mailman-Users] How to turn off plain text passwords?

Jeffrey Walton noloader at gmail.com
Wed Nov 2 10:00:57 CET 2011


On Tue, Nov 1, 2011 at 9:25 PM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Jeffrey Walton writes:
>
>  > I wish these list managers would get a f**king clue and do things
>  > securely.
>
> By which you mean what?  What we've learned over the last 30 years is
> that when application developers try to do security, they generally
> miss something.  AFAICS Mailman 2 did the right thing for its time:
> provide minimal security against idle mischief and admit that there
> was no security against hell-bent miscreants.

The best I can tell, Mailman 2 did the wrong thing. "Password
Security: A Case History", www.cs.bell-labs.com/who/dmr/passwd.ps.
Written in 1978.

> Mailman 3 is taking
> advantage of a decade of progress in security and network application
> design, and providing the hooks needed to allow admins to configure
> system security services.  (This can be done with Mailman 2 as well,
> but not as smoothly.)

If Mailman 3 only provides hooks - as opposed to securely storing the
secret - then Mailman 3 has problems out of the box. In this case, it
would be no better than Mailman 2. Confer: list managers did not fix
Mailman 2 (nor did they use other software which was secure). Why
would you expect them to research and securely configure Mailman 3?

Jeff

