[Bf-committers] Plaintext password in membership reminder

Dan McGrath danmcgrath.ca at gmail.com
Tue Jun 5 05:13:08 CEST 2018


This will simply stop you from receiving the plain text password. As I have
mentioned several times in private mails, the version of Mailman that we
use is not capable of hashing passwords (at least out of the box, iirc).
The upcoming version 3 was an overhaul which should address this problem.
That said, it is clearly stated when you subscribe to the list that you
should not use an important password as it will be mailed back to you etc.

My advice is to generate a simple unique password, and set your mail
preferences to not email them back to you, as well as to change your
password if this all comes as a surprise to you. Also, to sign your emails
with GPG/GNUPG if you require accountability and are concerned that someone
sniffed your password from your email. But we do send and receive mail via
TLS, when possible, so the odds of the mail being intercepted and sniffed
are relatively low.

I hope this helps! I believe that Mailman 3 is finally in the ports tree,
but when we will actually use it, who knows.



