Re: [Mailman-Developers] The Approved: header in MM3

2007-10-03 Thread Thomas Hochstein
Barry Warsaw wrote:

> 4. Add a new shared password just for this purpose.  [...]

I'd prefer that.

> 1. We can drop the concept altogether.  This means there'd be no way  
> to post a message as coming from an approved source, with a bypass of  
> the posting filters.

That would be bad, I think. It's not uncommon to send mails from "on
the road"; in that case you want to "send and forget" the mail without
having to visit a website to approve it afterwards. And you may want
to send pre-approved mails that are automatically generated.

> Maybe because few people have MUAs that support  
> adding custom headers, this feature just isn't used much in the real  
> world these days.

But you can add an Approved-line in the body, too.

-thh
___
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Developers] Improving the archives

2007-10-03 Thread Ian Eiloart


--On 2 October 2007 22:47:35 -0400 Barry Warsaw <[EMAIL PROTECTED]> wrote:

> One question: should the angle brackets on the Message-ID  be part of
> the hash or not?  I think they should, or IOW, the entire value of
> the Message-ID header is taken as the hash, though they should be
> stripped off if using the Message-ID in any kind of archive query.
> I'm open to suggestions though... comments?

Mathematically, the two solutions are equivalent for valid headers, aren't 
they? OK, the hashes will be different, but only in a trivial sense.

Technically, I imagine, it's going to be easier to handle bogus headers if 
you just hash the entire header. For example, what do you do if some piece 
of crapware gives you a message with a header missing the angle brackets? 
Or that adds something outside angle brackets? Or that includes a 
right-angle bracket in the message-id itself?

You don't have to think about any of those situations if you either (A) 
reject the message or (B) encode the entire header.

-- 
Ian Eiloart
IT Services, University of Sussex
x3148
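
The trade-off in the message above, as an added example that is not part of the original post or of Mailman's code: hashing the whole Message-ID value is defined for any input, while hashing only the bracketed id needs a reject rule for each bogus shape. SHA-256, the strict pattern, and the sample values are assumptions of this example.

```python
import hashlib
import re

# Assumed strict shape: one <...> pair, nothing outside it, no brackets or
# whitespace inside. Anything else counts as a bogus header.
_STRICT = re.compile(r"^<([^<>\s]+)>$")

def _digest(text):
    # SHA-256 is this example's choice; the thread names no algorithm.
    return hashlib.sha256(text.encode("utf-8", "surrogateescape")).hexdigest()

def hash_whole(value):
    """Option (B): hash the entire header value, brackets included."""
    return _digest(value.strip())

def hash_stripped(value):
    """Hash only the id between the brackets; None means option (A), reject."""
    m = _STRICT.match(value.strip())
    return _digest(m.group(1)) if m else None

# Constructed sample values: one valid header and the three bogus cases
# raised in the message above.
SAMPLES = {
    "valid": "<20071003.1234@example.org>",
    "no_brackets": "20071003.1234@example.org",
    "text_outside": "<20071003.1234@example.org> (added by relay)",
    "bracket_inside": "<2007>1003.1234@example.org>",
}

def survey(samples=SAMPLES):
    """Map each sample name to (whole-value hash, stripped hash or None)."""
    return {name: (hash_whole(v), hash_stripped(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (whole, stripped) in survey().items():
        print(f"{name:15} whole={whole[:16]} stripped={(stripped or 'REJECT')[:16]}")
```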


Re: [Mailman-Developers] The Approved: header in MM3

2007-10-03 Thread Paul Wise
On 10/3/07, Ian Eiloart <[EMAIL PROTECTED]> wrote:

> > 1. We can drop the concept altogether.
>
> Sounds reasonable to me.

I've used it before as a site admin to mail lists saying that the list
will be closed for whatever reason (since it supports using the site
password to approve stuff).

Personally, I think a combination of 2, 3 & 4 - each user can set a
GPG/etc key or a password they use for approving messages. Then MM
would check the signature and/or the Approved pseudo/header against
the key/pass of the users who have high enough privileges (site
admins, site staff, list admins, list moderators, etc).

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
http://docs.indymedia.org/view/Main/PaulWise


Re: [Mailman-Developers] The Approved: header in MM3

2007-10-03 Thread Ian Eiloart


--On 2 October 2007 23:07:37 -0400 Barry Warsaw <[EMAIL PROTECTED]> wrote:

>
> 1. We can drop the concept altogether.  This means there'd be no way
> to post a message as coming from an approved source, with a bypass of
> the posting filters.  Maybe because few people have MUAs that support
> adding custom headers, this feature just isn't used much in the real
> world these days.  You'd still have the moderation bit for announce-
> only lists though.

Sounds reasonable to me. I don't use this feature, and I don't think we've 
documented it for our users. I don't even recall being aware of it before.

> 2. Replace the concept with some other email authentication
> mechanism, e.g. something more secure like a signature check.  The
> problem with this is that I still don't think message signing is
> common practice outside our small community of geeks.

No, but it could be useful for some. I doubt that this is urgent though.

> 3. Allow an owner or moderator to use their own password in the
> Approved header.  I'm not crazy about this because it has to be sent
> in the clear and if (when?) it gets compromised, their account is
> compromised, and this includes their administration of the mailing list.

No, no, no. Or, at least let me disable it for my site. We're likely to 
want local people to authenticate with passwords that are shared with 
services other than Mailman. I think this proposal would be very dangerous 
in any corporate or educational site.

> 4. Add a new shared password just for this purpose.  You'd still have
> to communicate it to all your moderators, probably via the web page,
> but at least this password wouldn't have any other purpose so if
> (when?) it gets compromised, the only asset it protects is approved
> postings.  Bad yes, if a spammer gets it, but easily changed and
> hopefully fairly limited in the damage it can do.

Erm, no thanks. We really are looking forward to being able to identify our 
Mailman admins!

> 5. Your suggestion.
>
> Comments?  I think my preference would be for #1 with future support
> for #2 and just accepting the fact that message signatures are for
> power users.  Maybe that set is pretty close to the set of people
> currently using Approved anyway.

I agree.



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
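
A sketch of option 4 as discussed in this thread, together with the body-line form mentioned in an earlier reply; it is an added example, not Mailman's code. The function name, the plain-text single-part assumption, and the sample password are constructed for illustration. The password is compared in constant time and removed from the message whether or not it matches, so it is never redistributed to the list.

```python
import hmac
from email import message_from_string

def check_approved(raw, posting_password):
    """Return (approved, cleaned_text) for one raw RFC 2822 message.

    posting_password is the dedicated shared secret of option 4; it protects
    approved postings only and is not any user's account password.
    """
    msg = message_from_string(raw)
    supplied = msg.get("Approved")
    del msg["Approved"]  # removes every occurrence; no error if absent

    # Body form: an "Approved:" line as the first non-blank body line.
    # Assumes an unencoded, single-part text body.
    if supplied is None and not msg.is_multipart():
        lines = msg.get_payload().splitlines(keepends=True)
        for i, line in enumerate(lines):
            if not line.strip():
                continue
            if line.lower().startswith("approved:"):
                supplied = line.split(":", 1)[1]
                del lines[i]
                msg.set_payload("".join(lines))
            break  # only the first non-blank line is considered

    approved = supplied is not None and hmac.compare_digest(
        supplied.strip().encode("utf-8", "surrogateescape"),
        posting_password.encode("utf-8"),
    )
    return approved, msg.as_string()

# Constructed sample messages and password.
PW = "constructed-posting-pw"
HEADER_FORM = ("From: mod@example.org\nTo: list@example.org\n"
               f"Subject: notice\nApproved: {PW}\n\nList closes Friday.\n")
BODY_FORM = ("From: mod@example.org\nTo: list@example.org\n"
             f"Subject: notice\n\nApproved: {PW}\nList closes Friday.\n")
WRONG = ("From: x@example.net\nTo: list@example.org\n"
         "Subject: hi\nApproved: guess\n\nBuy now.\n")

if __name__ == "__main__":
    for name, raw in (("header", HEADER_FORM), ("body", BODY_FORM), ("wrong", WRONG)):
        print(name, check_approved(raw, PW)[0])
```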