[OSM-talk] Mailing list security

Colin Smale colin.smale at xs4all.nl
Sat Nov 25 17:36:18 UTC 2017


On 2017-11-25 17:59, Frederik Ramm wrote:

> Hi,
> 
> On 11/25/2017 11:12 AM, Colin Smale wrote: 
> 
>> I just got an email from the mailing list system that my
>> account/membership had been disabled due to "excessive bounces". I have
>> no idea why, but that is not the point I want to make here. My point is
>> that the email I received contained my password to that account, in
>> plain text!
> 
> Why don't we simply nuke all mailman passwords, they're not needed
> anyway. (All the lists I signed up for, I can't remember, either I
> didn't set a password, or Mailman assigned a random one, so it never
> occurred to me that there was anything to protect.)

Might not be a bad idea... System-generated passwords are at least
limited to that one system, and indeed, the worst that can happen is
likely to be that someone cancels your mailing list subscription. The
problem is that people, being human, might use their "usual" password
for multiple sites (despite warnings against this). If mailman is hacked
into revealing the passwords, some of them might be user-entered and may
provide access to other sites as well.... 

I expect OSM has some kind of "duty of care". If one is allowed to
choose one's own password, the operators need to take reasonable care to
prevent disclosure, and I don't expect a one-time warning would be
sufficient... but IANAL....