Mark> The answer is to use strong passwords, and if you are really
Mark> concerned, don't advertise any lists and remove Mailman's
Mark> cgi-bin/create wrapper so lists can't be created from the web, or
Mark> alternatively just don't set site admin or list creator passwords
Mark> or remove data/adm.pw and data/creator.pw to remove those set
Mark> previously.

I suspect the default should be to not expose those things. I wasn't even aware that list creation through the web was possible. Based on the extremely novice questions I see posted to mailman-users on occasion I suspect many potential Mailman admins are unaware of this as well. I fear those admins are also the ones most likely to not create strong passwords.

Maybe all that's necessary is to install cgi-bin/create as cgi-bin/create.disabled by default, set its permissions to not allow execution and add a note to the installation docs about the consequences of through-the-web list creation and how to set it up.

Skip

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
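
An added example, not part of the original thread or of Mailman itself: a shell function an admin could run to check an install for the exposure discussed above. It assumes the install prefix passed as the first argument contains the `cgi-bin/` and `data/` directories named in the thread; the function name and output strings are made up for this example.

```shell
#!/bin/sh
# Audit a Mailman install for through-the-web list creation exposure.
# Assumption: "$1" is the install prefix holding cgi-bin/ and data/.
# Returns the number of findings (0 means creation from the web is off).

audit_mailman_create() {
    prefix=$1
    findings=0

    # An executable create wrapper means the web creation page is live.
    # A renamed, non-executable cgi-bin/create.disabled does not count.
    if [ -f "$prefix/cgi-bin/create" ] && [ -x "$prefix/cgi-bin/create" ]; then
        echo "EXPOSED: $prefix/cgi-bin/create is executable"
        findings=$((findings + 1))
    fi

    # A non-empty adm.pw or creator.pw means a site admin or list creator
    # password has been set, so its strength is what guards list creation.
    for pw in adm.pw creator.pw; do
        if [ -s "$prefix/data/$pw" ]; then
            echo "PASSWORD SET: $prefix/data/$pw"
            findings=$((findings + 1))
        fi
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK: web list creation is not reachable"
    fi
    return "$findings"
}
```

Call it as `audit_mailman_create /path/to/mailman/prefix` and treat any non-zero return as a prompt to either disable the wrapper or review the password strength.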