Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 17 Feb 2008 02:17:25 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: welcome

Hi Jonathan,

Thank you for sharing your thoughts with the rest of us.

On Fri, Feb 15, 2008 at 09:10:16PM -0900, Jonathan Smith wrote:
> One nitpick before we get too established... would it be possible to
> turn off reply-to-list? That is what "reply to all" is for in mail
> clients :-)

Yes, I can easily change this setting, but I like it the way it is now -
and I suspect that many (most?) other list members do as well.  I find
that having Reply-To on discussion lists pointing to the list address
helps ensure that discussions don't unnecessarily go off-list and that
list members are not unnecessarily CC'ed on responses.  (I realize that
some actually prefer to be CC'ed because of the way their mail readers
are configured.)  If/when we start getting a lot of desirable postings
from non-members, we may change this setting to make it easier to CC
such non-members on responses.

If anyone else has an opinion on this matter (regarding this specific
list indeed), please speak up.

> I'm not sure if this is possible, but I'd like to see read-only
> subscriptions. That is, folks can "subscribe" and get the list via email
> without having to be approved to post to the list. See below for more
> discussion on this isssue.

The easiest way to achieve this, without patching the code, is to create
a second ezmlm-idx list with announcement-only settings and subscribe it
to this list.

But I am not sure if having a completely read-only list is any better
than having message pre-moderation.  The difference is in what happens
to posting attempts from non-pre-approved addresses.  Do we want such
messages bounced or submitted to a moderator?

> My hope is that we can get "upstream" maintainers involved at least to
> some extent in this project. That is, when some {f{,l}}oss (I guess for
> this list we're going with "oss") project encounters a security issue,
> they'll come to either oss-security or vendor-sec and communicate with
> the folks who consume their work. I hope this to be true whether or not
> they are actually on the list.

Right.  So perhaps postings by non-members need to be pre-moderated
rather than rejected right away.  If we do that, then it is illogical to
reject posting attempts by read-only members right away.

> So, what we'll really have are three classes of users. One is the folks
> who read the list and don't have the ability to post. Joining this group
> should require no administrative action, and it should be open to the
> public. The second is folks who can post but aren't members. I'd add
> upstream authors to this list on a case-by-case basis. The third is
> folks who read it and can post, such as (I'd imagine) many current
> vendor-sec members. These folks need to be vetted on a case-by-case
> basis as well.

Oh, so you'd like some non-member addresses being permitted to post
without pre-moderation (and the associated delay)?  Yes, this is supported.

> Can the software currently being used to host the list be
> configured for the above?

Yes, it can - with the caveat that the read-only access will be via a
second list.

If we choose to allow the "read-only" members right onto this list, but
have message moderation turned on even for list members, then there's an
implementation issue to be dealt with: in my experience, ezmlm-idx fails
to honor its "allow" list (addresses that can post bypassing moderation)
once message moderation is enabled even for list members.

Anyway, I think it's too early to discuss this in that much detail.  If
we get to the point where undesirable postings are a real issue, we will
hopefully have enough desirable postings as well to justify the effort
on re-configuring the list or even fixing the ezmlm-idx issue I've
mentioned above.

Thanks again,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.