Hi John,
Your message was just the same as I had in mind. (Sorry that I am not good at writing in English.)
John W. Baxter wrote:
> I used to be careful about saving my passwords for all the lists [Mailman*] I am subscribed to. I no longer bother...I request the mail out of the password if I need it (very rare).
>
> If the situation becomes a choice of
> 1. mail out the password becomes generate a new time-limited password and mail that
> Or
> 2. do away with passwords and have everything validated via a mailed-out URL
>
> I think I as a user would prefer 2.

I have been looking through the code and feel like doing away with passwords totally may be a bad idea because people may want to keep their password when changing their email addresses.

1. If user authentication is required and not qualified by cookie, a login web page is sent. User can either enter his password or request a URL to be emailed out.
2. User can set his 'permanent' password in his option page.
3. User can set his cookie life time for later convenience. (Maybe when requesting the URL in 1.)
4. Password is reset every time a user requests the URL or his password sent.

It will take weeks for me to implement these in current code so...

> I concur with the idea of getting the simple patch out for the CAN-2005-0202 problem quickly in 2.1.6 and getting the password removal/changes into a 2.1.7 [or 2.2 as has also been suggested] (pretty soon and with very little if anything else).
>
> --John (who for medical reasons can't be of any help, but must continue cheering from the sidelines. Sorry!)

Take care.
-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/
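
The mailed-out URL step discussed in this message (John's option 2, and items 1 and 4 of the list above), as an added example that is not part of the original post and is not Mailman code. The names `issue_login_url` and `redeem`, the 15-minute lifetime, the base URL and the in-memory table are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_LIFETIME = 15 * 60  # assumed validity window in seconds
BASE_URL = "https://lists.example.org/mailman/confirm"  # placeholder

# address -> (SHA-256 of token, expiry); stands in for the member database
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_login_url(address, now=None):
    """Mail-out step: mint a fresh one-time URL, replacing any earlier one."""
    now = time.time() if now is None else now
    key = address.lower()
    token = secrets.token_urlsafe(32)
    # Store only the hash, so a leaked table yields no usable tokens.
    # Overwriting the entry invalidates every URL mailed out before.
    _pending[key] = (_digest(token), now + TOKEN_LIFETIME)
    return BASE_URL + "?" + urlencode({"addr": key, "token": token})


def redeem(address, token, now=None):
    """Return True exactly once for a valid, unexpired token."""
    now = time.time() if now is None else now
    key = address.lower()
    entry = _pending.get(key)
    if entry is None:
        return False
    stored, expires = entry
    if now > expires:
        del _pending[key]  # expired: drop it so it cannot be retried
        return False
    if not hmac.compare_digest(stored, _digest(token)):
        return False
    del _pending[key]  # single use
    return True
```

A successful `redeem` is the point at which the login cookie from item 3 would be set; the URL itself only proves control of the mailbox at the time it was opened.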