[ML-General] Anyone else having trouble changing their Mailman settings?

Hunter Fuller hfuller at pixilic.com
Mon May 9 13:10:38 CDT 2016


On Mon, May 9, 2016 at 10:15 AM, WebDawg <webdawg at gmail.com> wrote:
> I hope this is not too off topic, I just felt I needed to respond to this.

I'd say it's directly on topic. :)

> Not meant to offend but it is always funny to read when someone
> brushes off X level of security.  You state "this is all they could do
> with the password" but statements like this never think about the next
> exploit.

I'm not one to brush off security, usually, but I legitimately can't
think of anything else one could do with this . . . even with an
exploit. All that box has access to is the mailing lists.

> A lot of people use different passwords for all of their accounts, but
> most people are too lazy to do something like this.
>
> I access the mailman list through some exploit, then I have X amount
> of email / pw combos.

Now, this is a good point. I had kind of forgotten that Mailman does
not ALWAYS generate a password for you - you can provide one when you
subscribe. I always let Mailman generate my passwords and so I don't
care if anyone finds them... but I just noticed that it is possible to
provide one. This makes me somewhat more worried than I was before.

I'll consider disabling the ability to provide a password, as well as
expiring everyone's passwords, as no one logs into Mailman anyway ;)

> The conversation should be to secure all the things!

I agree, and the constraint is definitely one of administrative burden
rather than of ideological disagreement with what you're saying.

> I hope this does not seem like a rant or philosophic insanity.

No, usually I am the one ranting, so it doesn't seem insane to me ;)

--
Hunter Fuller


