Abhilash Raj writes:

 > 90% of the time is spent trying to encrypt user passwords, for each
 > of the imported members. Well, duh, encryption is an expensive
 > operation and when you do that once per-imported member, it is
 > definitely going to be slow.

Why are we storing unencrypted passwords at all?  Passwords are pretty
low-security in any case, but this is asking for trouble.

 > Although, another interesting fact is the user passwords are kind
 > of useless in Mailman 3. In Mailman 2 you had to set up a password
 > or one was auto-generated for you per-list and you needed that to
 > log in to the web UI. However, in Mailman 3, the passwords (in
 > Core's database) aren't used for logging in since Web Frontend
 > stores the authentication tokens (social auth or passwords). In
 > fact, the users who sign up for the first time on Mailman 3 probably don't
 > ever have a password set in Mailman Core's database.

I'll trust you on that.  Although it suggests the question, if nobody
has a password, why does it take so much time to encrypt no passwords?

 > So, I commented out the code that actually imports the
 > password (src/mailman/utilities/importer.py#L663-664)

I'm happy with this.  This is a major breaking change *if* anyone is
using core passwords, which they probably aren't, but it deserves
flashing lights and sirens in the release announcements.

Steve

-- 
Associate Professor              Division of Policy and Planning Science
http://turnbull.sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnb...@sk.tsukuba.ac.jp                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
_______________________________________________
Mailman-Developers mailing list -- mailman-developers@python.org
To unsubscribe send an email to mailman-developers-le...@python.org
https://mail.python.org/mailman3/lists/mailman-developers.python.org/
Mailman FAQ: https://wiki.list.org/x/AgA3

Security Policy: https://wiki.list.org/x/QIA9