Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 9 Apr 2008 19:14:17 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: list: members vs. read-only subscribers

* [2008-04-07 13:35:53 -0400] Josh Bressers wrote:

>> It appears that Josh and Vincent have expressed the same opinion in the
>> quotes above.  Unfortunately, ezmlm-idx does not have a notion of having
>> different types of subscribers to a list - "members who can post" vs.
>> "read-only subscribers".  Yet, if this is really what we want (any other
>> opinions?), we may be able to achieve it in one of two ways:
>> 
>> 1. Use the "allow" list feature to specify the addresses of "full
>> members".  Unfortunately, in my experience the "allow" list is used for
>> lists that are moderated for non-subscribers only (to allow some
>> non-subscribers or alternate addresses of subscribers to post without
>> moderation), not for those that are also moderated for subscribers.
>> I have not looked into whether this would be easy to fix or not - but I
>> or someone else at Openwall can look into it if needed.  It might turn
>> out that the fix is trivial.
>> 
>> 2. Setup a second list for the read-only subscribers, and subscribe that
>> list to the main one.
>> 
>
>Here is my proposal, technical issues aside (we are smart people, we'll
>figure something out).
>
>* The current member list can post unmoderated
>* New subscribers (anyone can subscribe) will be moderated by default, but
>  can have the moderation flag lifted when the prove to be useful
>  contributors (we need to define what a useful contributor is)
>* Non members can post, but will be moderated (if spam is an issue, we
>  could consider just throwing this stuff out, but I'd really like to avoid
>  it if possible)

This works for me.

>I think that this should appear as one list to the end user.  If we end up
>using some bizarre solution with multiple lists to work around the
>ezmlm-idx shortcomings, we need to ensure that this is not obvious to the
>end users.  Users should be able to hit reply and the right thing just
>happens.

I agree.  My solution was perhaps a little too convoluted and/or
paranoid... take your pick.  =)

>For the wiki, I'd say just make it a free for all.  If they take the time
>to create an account, let them make changes, we'll keep an eye on what gets
>modified.  We can deal with spam if it becomes a problem.

I can deal with this too.  There's, what, a half-dozen of us that are
getting notices of changes to the wiki so any problems should be picked
up and corrected pretty quickly.

>If you don't like this, speak up now, otherwise, I think it would make
>sense to find a solution that fits this model.

It's fine with me, and I see Solar is ok with it as well so I say do it
(I don't see anyone else having spoken up one way or the other, and it's
taken me a few days to get to this... release week always causes time
shortages).

-- 
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.