<br><div class="gmail_quote">On Sat, Dec 1, 2012 at 11:14 AM, Alex Mandel <span dir="ltr"><<a href="mailto:tech_dev@wildintellect.com" target="_blank">tech_dev@wildintellect.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have not seen such a request before. I will note that the behavior is<br>
the same for every mailman list I'm subscribed to on the web. I don't<br>
think mailing list preference passwords are typically considered secure.<br>
<br>
That said, it's not a bad idea to research options to make it more secure.<br>
<br>
Quick search says, we should simply disable the monthly reminders.<br>
Supposedly updates to mailman years ago should have moved to hashed<br>
passwords and not auto-mailing them, but I don't see any evidence that<br>
those patches were ever released.<br></blockquote><div><br>It may be good policy to universally disable this. <br><br>Right now the user already has complete control and can make their own decisions.<br><br>Copied from logging into an OSGeo list:<br>
<br><table border="0" cellpadding="4" cellspacing="3" width="100%"><tbody><tr><td bgcolor="#cccccc"><strong>Get password reminder email for this list?</strong><p>
Once a month, you will get an email containing a password
reminder for every list at this host to which you are
subscribed. You can turn this off on a per-list basis by
selecting <em>No</em> for this option. If you turn off
password reminders for all the lists you are subscribed to, no
reminder email will be sent to you.
</p></td><td bgcolor="#cccccc">
<input name="remind" value="1" type="radio">No<br>
<input name="remind" value="0" checked type="radio">Yes<p>
<input name="remind-globally" value="1" type="CHECKBOX"><i>Set globally</i>
</p></td></tr></tbody></table><br>Is this thread about universally establishing good policy for all users or helping 1 user change their settings to how they like them?<br><br>Eli<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Thanks,<br>
Alex<br>
<div class="HOEnZb"><div class="h5"><br>
On 12/01/2012 10:07 AM, Paul Ramsey wrote:<br>
> Do you guys get a lot of these? This is just mailman being mailman,<br>
> but it's the second irate "you have a security problem" mail I've<br>
> gotten in just a couple months.<br>
> p<br>
><br>
><br>
><br>
><br>
> I just got a "reminder" email from <a href="mailto:mailman-owner@lists.osgeo.org">mailman-owner@lists.osgeo.org</a> about<br>
> my subscription information. You are listed on the website as the<br>
> maintainer. The reminder e-mail contains my e-mail address and<br>
> listserv password sent in clear text. It even contains the word<br>
> "password" which is one of the first things a packet sniffing cracker<br>
> would filter on. This is clearly a security issue. Please fix this.<br>
> _______________________________________________<br>
> Sac mailing list<br>
> <a href="mailto:Sac@lists.osgeo.org">Sac@lists.osgeo.org</a><br>
> <a href="http://lists.osgeo.org/mailman/listinfo/sac" target="_blank">http://lists.osgeo.org/mailman/listinfo/sac</a><br>
><br>
<br>
_______________________________________________<br>
Sac mailing list<br>
<a href="mailto:Sac@lists.osgeo.org">Sac@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/sac" target="_blank">http://lists.osgeo.org/mailman/listinfo/sac</a><br>
</div></div></blockquote></div><br>