From gadgetsteve at live.co.uk  Sat Sep 23 22:08:24 2017
From: gadgetsteve at live.co.uk (Steve Barnes)
Date: Sun, 24 Sep 2017 02:08:24 +0000
Subject: [Security-sig] Fwd: List Settings Question
In-Reply-To: <mailman.1357.1506168540.2729.security-announce@python.org>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
Message-ID: <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>

I personally was very disappointed on signing up to the both this 
mailing list & security-announce to receive back an email containing my 
password in plain text with the promise of the same thing once a month 
unless I changed settings on the mail man site..

I would have thought that a security related list could provide better 
default practices than that!

Is anybody else concerned about the idea?

Steve Barnes.




---
This email has been checked for viruses by AVG.
http://www.avg.com
-------------- next part --------------
An embedded message was scrubbed...
From: Steve Barnes <gadgetsteve at live.co.uk>
Subject: List Settings Question
Date: Sat, 23 Sep 2017 10:36:47 +0000
Size: 6681
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170924/ec8588df/attachment.mht>

From george at fischhof.hu  Mon Sep 25 16:38:07 2017
From: george at fischhof.hu (George Fischhof)
Date: Mon, 25 Sep 2017 22:38:07 +0200
Subject: [Security-sig] Fwd: List Settings Question
In-Reply-To: <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
Message-ID: <CAFwcP0hCZe4oJpYD43ECCu9OAMffz65XCKXXEZ+tJLOMpciVXQ@mail.gmail.com>

2017-09-24 4:08 GMT+02:00 Steve Barnes <gadgetsteve at live.co.uk>:

> I personally was very disappointed on signing up to the both this
> mailing list & security-announce to receive back an email containing my
> password in plain text with the promise of the same thing once a month
> unless I changed settings on the mail man site..
>
> I would have thought that a security related list could provide better
> default practices than that!
>
> Is anybody else concerned about the idea?
>
> Steve Barnes.
>
>
>
>
> ---
> This email has been checked for viruses by AVG.
> http://www.avg.com
>
>
> ---------- Tov?b?tott lev?l ----------
> From: Steve Barnes <gadgetsteve at live.co.uk>
> To: "security-announce at python.org" <security-announce at python.org>
> Cc:
> Bcc:
> Date: Sat, 23 Sep 2017 10:36:47 +0000
> Subject: List Settings Question
> Does anybody else on this list think that sending out the passwords as
> plain text once a month is an poor example of security to be setting?
>
> Personally I would rather not have this done with any of my passwords.
> --
> Steve (Gadget) Barnes
> Any opinions in this message are my personal opinions and do not reflect
> those of my employer.
>
> ---
> This email has been checked for viruses by AVG.
> http://www.avg.com
>
>
> _______________________________________________
> Security-SIG mailing list
> Security-SIG at python.org
> https://mail.python.org/mailman/listinfo/security-sig
>
>
+1
George
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170925/74c48c73/attachment.html>

From wes.turner at gmail.com  Mon Sep 25 16:49:03 2017
From: wes.turner at gmail.com (Wes Turner)
Date: Mon, 25 Sep 2017 15:49:03 -0500
Subject: [Security-sig] Fwd: List Settings Question
In-Reply-To: <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
Message-ID: <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>

These passwords should not be recoverable; because they should be only
stored as a one-way salted hash with n rounds.

Passlib has a number of password hashing functions:

- https://passlib.readthedocs.io/en/stable/

- https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/


Is this fixed in Mailman3?

http://www.list.org/download.html

http://www.list.org/devs.html #security lists:

mailman-security at python.org

as the seclist for mailman.


Mailman 2 src:
https://launchpad.net/mailman

Mailman 3 src:
https://gitlab.com/groups/mailman



On Saturday, September 23, 2017, Steve Barnes <gadgetsteve at live.co.uk>
wrote:

> I personally was very disappointed on signing up to the both this
> mailing list & security-announce to receive back an email containing my
> password in plain text with the promise of the same thing once a month
> unless I changed settings on the mail man site..
>
> I would have thought that a security related list could provide better
> default practices than that!
>
> Is anybody else concerned about the idea?
>
> Steve Barnes.
>
>
>
>
> ---
> This email has been checked for viruses by AVG.
> http://www.avg.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170925/55ed64da/attachment-0001.html>

From barry at python.org  Mon Sep 25 17:09:02 2017
From: barry at python.org (Barry Warsaw)
Date: Mon, 25 Sep 2017 17:09:02 -0400
Subject: [Security-sig] List Settings Question
In-Reply-To: <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
 <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
Message-ID: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>

On Sep 25, 2017, at 16:49, Wes Turner <wes.turner at gmail.com> wrote:

> Is this fixed in Mailman3?

Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth).  What passwords Mailman 3 does keep are encrypted with passlib.

Cheers,
-Barry


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170925/2548ddf0/attachment.sig>

From ncoghlan at gmail.com  Mon Sep 25 22:58:30 2017
From: ncoghlan at gmail.com (Nick Coghlan)
Date: Tue, 26 Sep 2017 12:58:30 +1000
Subject: [Security-sig] List Settings Question
In-Reply-To: <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
 <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
 <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>
Message-ID: <CADiSq7c=fyBZKZFgkgTYxVX63qy3yyk2GtU6JtKhjOFpNA+JqA@mail.gmail.com>

On 26 September 2017 at 07:09, Barry Warsaw <barry at python.org> wrote:
> On Sep 25, 2017, at 16:49, Wes Turner <wes.turner at gmail.com> wrote:
>
>> Is this fixed in Mailman3?
>
> Mailman 3 does not send password reminders and barely requires passwords (although the Postorius front end may, depending on what login mechanism is used, usually django-social-auth).  What passwords Mailman 3 does keep are encrypted with passlib.

Perhaps security-sig could blaze the trail by migrating off of MM2 and
on to MM3?

Eventually migrating all of mail.python.org is going to be a mammoth
task, but it would be nice if we could at least stop digging the hole
deeper by encouraging new lists to start out on MM3, and offering a
way for list owners to request piecemeal migrations.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

From victor.stinner at gmail.com  Tue Sep 26 07:47:24 2017
From: victor.stinner at gmail.com (Victor Stinner)
Date: Tue, 26 Sep 2017 13:47:24 +0200
Subject: [Security-sig] List Settings Question
In-Reply-To: <CADiSq7c=fyBZKZFgkgTYxVX63qy3yyk2GtU6JtKhjOFpNA+JqA@mail.gmail.com>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
 <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
 <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>
 <CADiSq7c=fyBZKZFgkgTYxVX63qy3yyk2GtU6JtKhjOFpNA+JqA@mail.gmail.com>
Message-ID: <CAMpsgwYYJUGy7ComY4SKbEBspgFh22Rs-Z1EtnUrp-c1egpOgg@mail.gmail.com>

A few months, I asked postmaster for the creation of a new buildbot-status
list. It was created with mailman3.

Victor


Le 26 sept. 2017 04:58, "Nick Coghlan" <ncoghlan at gmail.com> a ?crit :

On 26 September 2017 at 07:09, Barry Warsaw <barry at python.org> wrote:
> On Sep 25, 2017, at 16:49, Wes Turner <wes.turner at gmail.com> wrote:
>
>> Is this fixed in Mailman3?
>
> Mailman 3 does not send password reminders and barely requires passwords
(although the Postorius front end may, depending on what login mechanism is
used, usually django-social-auth).  What passwords Mailman 3 does keep are
encrypted with passlib.

Perhaps security-sig could blaze the trail by migrating off of MM2 and
on to MM3?

Eventually migrating all of mail.python.org is going to be a mammoth
task, but it would be nice if we could at least stop digging the hole
deeper by encouraging new lists to start out on MM3, and offering a
way for list owners to request piecemeal migrations.

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
_______________________________________________
Security-SIG mailing list
Security-SIG at python.org
https://mail.python.org/mailman/listinfo/security-sig
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170926/da7628d8/attachment.html>

From barry at python.org  Tue Sep 26 10:12:21 2017
From: barry at python.org (Barry Warsaw)
Date: Tue, 26 Sep 2017 10:12:21 -0400
Subject: [Security-sig] List Settings Question
In-Reply-To: <CADiSq7c=fyBZKZFgkgTYxVX63qy3yyk2GtU6JtKhjOFpNA+JqA@mail.gmail.com>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
 <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
 <21DCD1B7-802C-4DD8-96DD-3CE6FADBE197@python.org>
 <CADiSq7c=fyBZKZFgkgTYxVX63qy3yyk2GtU6JtKhjOFpNA+JqA@mail.gmail.com>
Message-ID: <190CA9A8-D485-49F5-A34C-258B156AEFB7@python.org>

On Sep 25, 2017, at 22:58, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> Perhaps security-sig could blaze the trail by migrating off of MM2 and
> on to MM3?

I?ve made that request to postmaster at python.org, for both security-sig and security-announce.  I?ll have to chat with Mark to see if there?s a way we can actively prevent new lists from being created on the MM2 instance (and whether we should!).

-Barry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mail.python.org/pipermail/security-sig/attachments/20170926/e6db526a/attachment.sig>

From mark at msapiro.net  Tue Sep 26 11:57:09 2017
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 26 Sep 2017 08:57:09 -0700
Subject: [Security-sig] [Mailman-cabal]  Fwd: List Settings Question
In-Reply-To: <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
References: <mailman.1357.1506168540.2729.security-announce@python.org>
 <HE1P194MB0075D85B82F0C0BDCB1B422D9B650@HE1P194MB0075.EURP194.PROD.OUTLOOK.COM>
 <CACfEFw-pxx16k4QmO9EJ20D_gASG+7aAG3aueJUjWJbD0dFkww@mail.gmail.com>
Message-ID: <b4f84e9d-157a-d121-5be8-3406d9307700@msapiro.net>

On 09/25/2017 01:49 PM, Wes Turner wrote:
> These passwords should not be recoverable; because they should be only
> stored as a one-way salted hash with n rounds.


This is a very well known issue with Mailman 2.1 and prior versions. See
<https://bugs.launchpad.net/mailman/+bug/265179>.

...
> Is this fixed in Mailman3?


Yes.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan