[Mailman-Users] Re: mailman v2.x

2020-09-19 Thread Matthew Pounsett
On Sat, 19 Sep 2020 at 13:07, Mark Sapiro wrote:

> >> I'm pretty sure that at least for now I[1] can configure a system to
> >> run Mailman 2 so that none of the above matters (eg, have the web
> >> server and MTA speak TLS so that Mailman doesn't have to), but I'm not
> >> confident that will last for very long.
> >>
> >
> > I'm pretty sure that's pure FUD.  I'm not the expert on mailman that most
> > of you are, but I can think of no reason for mailman itself to ever speak
> > HTTP or SMTP, and therefore no reason for it to need to do TLS.  I'd be
> > very surprised at anyone running a mailman setup where there wasn't a web
> > server and an MTA sitting between mailman and the rest of the Internet.  Am
> > I wrong about that?
>
>
> I think that was exactly Steve's point.
>

Then why say that he's not confident he'll be able to keep MM2 from
speaking TLS for long?  Why is he only "pretty sure" that he can configure
mm2 in such a way that it doesn't need to speak TLS?  Those statements make
no sense to me, and are the reason I called this email out as FUD.


> > Does mailman even include its own web server?  I didn't think it did.
>
> No, it doesn't. It does however do SMTP to an MTA that isn't necessarily
> on localhost, so TLS can be an issue there.
>

Okay, so it's possible to set up so that it needs to speak TLS, but by no
means is there any event approaching that's going to make that necessary.
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/


[Mailman-Users] Re: mailman v2.x

2020-09-19 Thread Dmitri Maziuk

On 9/19/2020 11:50 AM, Matthew Pounsett wrote:


> I'm pretty sure that's pure FUD.  I'm not the expert on mailman that most
> of you are, but I can think of no reason for mailman itself to ever speak
> HTTP or SMTP, and therefore no reason for it to need to do TLS.  I'd be
> very surprised at anyone running a mailman setup where there wasn't a web
> server and an MTA sitting between mailman and the rest of the Internet.  Am
> I wrong about that?


IMO a lot of this crap comes from the Knee-Jerk Security Department 
fueled by Google's "our data collection is secure by default" PR. It is 
for many practical purposes FUD but since the huge scary "Insecurity! 
Run! Run Away!" dialog box is now built into every client app and most 
users don't know any better, we're SOL.


This is why the "I won't ever need any new features in MM2" stance is 
not realistic: *I* may not, but it's not up to me.


Dima


[Mailman-Users] Re: mailman v2.x

2020-09-19 Thread Mark Sapiro
On 9/19/20 9:50 AM, Matthew Pounsett wrote:
> I'm probably going to regret getting involved in this conversation, but ...
> 
> On Sat, 19 Sep 2020 at 08:48, Stephen J. Turnbull <
> turnbull.stephen...@u.tsukuba.ac.jp> wrote:
> 
>> I'm pretty sure that at least for now I[1] can configure a system to
>> run Mailman 2 so that none of the above matters (eg, have the web
>> server and MTA speak TLS so that Mailman doesn't have to), but I'm not
>> confident that will last for very long.
>>
> 
> I'm pretty sure that's pure FUD.  I'm not the expert on mailman that most
> of you are, but I can think of no reason for mailman itself to ever speak
> HTTP or SMTP, and therefore no reason for it to need to do TLS.  I'd be
> very surprised at anyone running a mailman setup where there wasn't a web
> server and an MTA sitting between mailman and the rest of the Internet.  Am
> I wrong about that?


I think that was exactly Steve's point.


> Does mailman even include its own web server?  I didn't think it did.


No, it doesn't. It does however do SMTP to an MTA that isn't necessarily
on localhost, so TLS can be an issue there.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] Re: mailman v2.x

2020-09-19 Thread Matthew Pounsett
I'm probably going to regret getting involved in this conversation, but ...

On Sat, 19 Sep 2020 at 08:48, Stephen J. Turnbull <
turnbull.stephen...@u.tsukuba.ac.jp> wrote:

> I'm pretty sure that at least for now I[1] can configure a system to
> run Mailman 2 so that none of the above matters (eg, have the web
> server and MTA speak TLS so that Mailman doesn't have to), but I'm not
> confident that will last for very long.
>

I'm pretty sure that's pure FUD.  I'm not the expert on mailman that most
of you are, but I can think of no reason for mailman itself to ever speak
HTTP or SMTP, and therefore no reason for it to need to do TLS.  I'd be
very surprised at anyone running a mailman setup where there wasn't a web
server and an MTA sitting between mailman and the rest of the Internet.  Am
I wrong about that?

Does mailman even include its own web server?  I didn't think it did.


[Mailman-Users] Re: mailman v2.x

2020-09-19 Thread Stephen J. Turnbull
Christian F Buser via Mailman-Users writes:

 > I am in no way a programmer - but as I understand it, Python 2 can
 > live alongside Python 3 without any problems.

True.

 > The EOL declaration for Python 2 does NOT mean that Python 2 will
 > stop working on the date the publishers announced. There will just
 > be no improvements. And as long as there are no obvious security
 > holes in Python 2, it is absolutely not necessary to retire it on
 > any machine.

As far as I know there are already obvious security holes in Python 2
if you need to use TLS, especially on Mac.  Python 2 is not up to
current security recommendations with respect to SSL and TLS versions,
and I suspect not with respect to other basic crypto.  I don't think
it's hard to configure those version exclusions, but it doesn't come
out of the box that way.  And on Mac you've got the mess that is an
Apple-specific TLS API that Python doesn't have a wrapper for last I
heard (it uses a bundled version of OpenSSL instead if you configure
it to support TLS).

I'm pretty sure that at least for now I[1] can configure a system to
run Mailman 2 so that none of the above matters (eg, have the web
server and MTA speak TLS so that Mailman doesn't have to), but I'm not
confident that will last for very long.

Footnotes: 
[1]  Or any reasonably up-to-date sysadmin.
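
Added example (not part of the thread and not Mailman code), covering two points raised in these messages: Mark Sapiro's remark that the SMTP hop to the MTA is not necessarily on localhost, and the remark above that Python's TLS version exclusions have to be configured. It is written for Python 3's `ssl` and `smtplib`; the function names and the host `mail.example.org` are assumptions made for illustration.

```python
import ipaddress
import smtplib
import ssl


def mta_is_local(host):
    """True when the Mailman-to-MTA hop never leaves this machine."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other hostname is treated as remote; nothing is resolved,
        # so a name never counts as local by accident.
        return False


def smtp_tls_context():
    """Client context with the legacy protocol versions excluded."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drops SSLv3, TLS 1.0/1.1
    return ctx


def open_mta(host, port=25, timeout=30):
    """Connect to the MTA; require STARTTLS unless the hop is loopback."""
    conn = smtplib.SMTP(host, port, timeout=timeout)
    if not mta_is_local(host):
        conn.ehlo()
        if not conn.has_extn("starttls"):
            conn.quit()
            raise RuntimeError("remote MTA %s offers no STARTTLS" % host)
        conn.starttls(context=smtp_tls_context())
        conn.ehlo()
    return conn


def delivery_plan(hosts):
    """Map each configured MTA host to the transport it should get."""
    return {h: "plain-loopback" if mta_is_local(h) else "starttls-required"
            for h in hosts}


if __name__ == "__main__":
    # Constructed sample hosts; mail.example.org is a placeholder.
    sample = ["localhost", "127.0.0.1", "::1", "mail.example.org"]
    for host, plan in delivery_plan(sample).items():
        print(host, plan)
```
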


[Mailman-Users] Re: mailman v2.x

2020-09-19 Thread Stephen J. Turnbull
Matthew Pounsett writes:

 > If someone was going to undertake a rewrite of Postorius, using a
 > different web development framework (e.g. Flask, but pretty much
 > anything that isn't Django) would at least remove one major moving
 > part from the install process.

Rewrites of Postorius or HyperKitty to use a different web framework
in the near or medium term are extremely unlikely, at least by the
core team.  And of course if you want to actually get rid of Django
you have to do both.

HyperKitty and Postorius between them do use a lot of Django
functionality: the ORM, the social authentication module, the
templating, sass, and so on.  I don't know how much of that is easily
implemented with Flask or other "lightweight" frameworks plus easily
plugged-in modules, and how much is going to be a lot of
do-it-yourself work.

I'm not saying "don't do it", but it's not obvious to me that you'll
really buy that much simplicity for anybody without (to me, anyway)
prohibitive amounts of effort.  Note that both Barry and Brian opted
for rearchitecture as well as complete rewrites of functionality
common to the existing and new versions.  There's good reason for
that!
