Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 5 Apr 2008 15:59:37 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: list: members vs. read-only subscribers

On Fri, Apr 04, 2008 at 08:27:31PM -0400, Josh Bressers wrote:
> I think the way to go for this is going to be let the current members post
> without moderation, and once there is an announcement, moderate new
> members, with the option to remove the moderation flag is they prove to be
> helpful.  A semi moderated list is going to be the way to go I suspect.

On Fri, Apr 04, 2008 at 11:06:41PM -0600, Vincent Danen wrote:
> ... I don't think we need to moderate member postings.  I think we
> should do it this way:
>
> - members can post at will
> - subscribers are read-only [1]
> - non-members have posts moderated
> - membership is moderated
>
> [1] the distinction between member and subscriber is a member being
> someone who can post, and a subscriber is someone who gets it read-only

It appears that Josh and Vincent have expressed the same opinion in the
quotes above.  Unfortunately, ezmlm-idx does not have a notion of having
different types of subscribers to a list - "members who can post" vs.
"read-only subscribers".  Yet, if this is really what we want (any other
opinions?), we may be able to achieve it in one of two ways:

1. Use the "allow" list feature to specify the addresses of "full
members".  Unfortunately, in my experience the "allow" list is used for
lists that are moderated for non-subscribers only (to allow some
non-subscribers or alternate addresses of subscribers to post without
moderation), not for those that are also moderated for subscribers.
I have not looked into whether this would be easy to fix or not - but I
or someone else at Openwall can look into it if needed.  It might turn
out that the fix is trivial.

2. Setup a second list for the read-only subscribers, and subscribe that
list to the main one.

However, Vincent also wrote:

> I think maybe a moderated subscription, and unmoderated postings (for
> members, moderated non-subscriber postings mandatory) would be a good
> way to do it.

which confuses me.  Why moderate mere subscriptions if they're to be
made read-only by default?

I think that our choice is between the setup described above (with full
members and read-only subscribers) and the more common and tested setup
with full moderation (and perhaps multiple moderators to minimize delays).

With the latter, the moderators themselves will be able to post with
almost no delay by approving their own postings.  In fact, I think that
when a moderator posts, ezmlm-idx only notifies the specific moderator -
not all moderators.  So if we "promote" the most active list members to
moderators, their postings should cause no moderation requests being
sent to anyone other than themselves.

On Fri, Apr 04, 2008 at 11:12:33PM -0600, Vincent Danen wrote:
> ... I think the ml subscription can be a lot more open than wiki
> editing rights (which is a whole different ball of wax).

This is not so obvious to me.  An undesirable posting to the list will
just stay on the archives (I don't think we want to spend time on
getting such postings removed from archives, especially not from
third-party ones).  On the contrary, any damage to the wiki content is
easily and promptly undone - as you know, a few of us are receiving
e-mails on any wiki edits.

If by "ml subscription" you meant the read-only and/or message-moderated
subscriptions, then I agree - those should be open to anyone.  In fact,
non-subscribers should also be able to post, subject to moderation - at
least because it is common for subscribers to post from other addresses
occasionally.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.