[OSM-talk] Mailing list security
Éric Gillet
gill3t.3ric+osm at gmail.com
Sat Nov 25 15:04:45 UTC 2017
Hmm it seams released in April 2015, but anyway it's been some time since
the release.
It's not mentionned in the Operations issue tracker
<https://github.com/openstreetmap/operations/issues>, maybe you could open
an issue there to suggest upgrading to mailman 3.
But it seems to be a rewrite of mailman, so it may be not trivial to
migrate to this version.
Another point : This password is not secure, but what the worst that could
happen with it ? As long as one don't reuse it on other applications (as
warned during registration), the only action an attacker could do would be
to unsubscribe you. Not really catastrophic
2017-11-25 12:55 GMT+01:00 Colin Smale <colin.smale at xs4all.nl>:
> On 2017-11-25 11:53, Éric Gillet wrote:
>
> This is non-ideal, but you were warned during your account creation that
> this password is to be considered non-secure :
>
> > You may enter a privacy password below. This provides only mild
> security, but should prevent others from messing with your subscription. Do
> not use a valuable password as it will occasionally be emailed back to you
> in cleartext.
>
>
> Thanks Éric, I admit that "I was warned" but I still find it scandalous in
> this day and age... It seems this shortcoming in mailman was fixed in V3,
> released in 2014. I read here that V3 no longer stores
> unencrypted/decryptable passwords:
>
> https://mail.python.org/pipermail/mailman-users/2014-July/077411.html
>
> Are we still running V2.1?
>
> //colin
>
> _______________________________________________
> talk mailing list
> talk at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/talk
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/talk/attachments/20171125/1ec6552c/attachment.html>
More information about the talk
mailing list