Re: [Mailman-Users] Now that Python 2 is dead in 2020 what are people's plans with mailman2?

2019-04-10 Thread Alain D D Williams 
On Wed, Apr 10, 2019 at 11:36:24AM -0400, Matthew Goebel wrote:

> Now that all support for Python 2 is supposed to go away in 2020 are people
> going to move off of mailman 2?

Most of my mailman lists are run off a CentOS 6 box, have done for a long time,
quite stable.

CentOS 8 will (is expected to) be out later this year; when that happens I will
upgrade the whole machine - before CentOS 6 EOLs.

CentOS 8 will have the version of Python need to support MM3, so I will upgrade
and copy over my lists at that point. I am expecting that there will be a few
issues (there always are) but will give me some new abilities; based on quick
browsing of the MM3 docs I will be able to keep rosta information in an SQL
database rather than a Python pickle; this will let me do interesting things
like easy interface with other subsystems.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/contact.php
#include 
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-11 Thread Alain D D Williams 
On Sat, May 12, 2018 at 01:06:15AM +0900, Stephen J. Turnbull wrote:
> I hate to disagree with everybody, but ...
> 
> We need to get an articulare European lawyer, or at least find someone
> who has studied the subject.  I don't know the credentials of anyone
> who has posted on this list, so I would be careful.  There was a post
> a few months back listing a bunch of stuff that person claimed we
> needed to support for our users (ie, list owners) to be able to
> conform to GDPR.  (Sorry, on a plane right now, search is painful.)
> I have no idea if that person was clueful, but I suspect he was a
> privacy activist and so would be biased toward stringent
> interpretation.  Still that post is where I'd start.
> 
> On the FUD end of the spectrum, there are claims that the IPs in your
> webserver log are subject to redaction on request.  There are
> counterclaims that that is FUD. ;-)

[ first: IANAL ]

It is FUD.

Yes, you could argue that an IP address is a form of 'personal information'
(PI), in that it might identify someone. But you are allowed to keep such
information for the purposes of debugging server problems, tracking down
attempted break ins, etc. So you can keep the logs for a reasonable time to
allow you to do that.

How long: the default log recycling times (eg a few weeks to a couple of months)
would be reasonable. Some have suggested 2 days - but it is easy to justify
that that is not long enough since many problems do not become known for some
time.

One confusion is that the GDPR does not prevent you keeping PI (eg as above),
but there are strictures on *processing* it, eg with the purpose of sending
spam.

*processing* it to trace a break in would be allowed - you are not seeking to
identify or act on the individual -- unless s/he was the reprobate who attacked
your machine.


A huge number of organisations are now seeking reaffirmation that you want to
receive email from them, this is because they do not have adequate documentation
that you want to receive email. My view is that the mailman log files show when
a user requested to join a mail list (eg the subscribe file); if they asked to
be subscribed and someone else did it, then the email/signup-form should be
kept.


https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/



> I don't know the credentials of
> either claimant.  It is my understanding that you may need to remove
> posts from archives on request.  AFAIK neither Mailman 2 nor Mailman 3
> supports that in the sense of making it possible to do it without
> editing the archives by hand (and in Mailman 2's case, rebuilding the
> archives), which requires login access to the host.

There is a right to be forgotten

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

> There are also claims that if you don't profit from the data stored in
> your host's records, you're safe.  Some people have posted "all posts
> yours are automatically permanently ours" rules of usage -- but I
> don't think EU law necessarily allows that, because GDPR rights may
> very well be inalienable "creator's rights".  I have no way to
> evaluate these claims, but at the very least you have to worry about
> frivolous claims (insert Michael Cohen/Rudy Guiliani joke here).
> 
> Footnotes: 
> [1]  If someone reading this thinks they know GDPR well enough to (1)
> present basic concepts and risks (while liberally sprinkling IANALs and
> TINLAs around) and

IANAL

> (2) point people at real lawyer blogs,

But beware: there is a mini-industry of people who try to worry organisations
and seek to advise you (at a fee - of course).

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/contact.php
#include 
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Possibly OT: GDPR and list servers

2018-05-09 Thread Alain D D Williams 
On Wed, May 09, 2018 at 02:39:09PM +0200, Julian H. Stacey wrote:

> Andrew Hodgson wrote:

> > Has anyone in the EU come across the GDPR guidelines in the context of 
> > Mailman?  We are a charity and run Mailman as part of that with some high 
> > traffic email lists.  I am getting a lot of conflicting information 
> > regarding whether we can even continue to do this in the current climate, 
> > most of it coming from half baked documents or different people's opinion, 
> > so I wanted to put it out there to see if there is anything that the 
> > community may have that we can use or help with in a co-ordinated way.

> GDPR seems the latest government imposed plague ** to consume
> business time unpaid, along with VAT etc.  Bigger companies can
> afford it, but for some small companies it's last nail in the coffin.

The attitude that I have taken with mail lists is that:

* all those on the list subscribed themselves - they thus, at that time,
gave their consent to mailman/list-owner to have their email address for the
purpose of sending email; also on the sign up page I mention list archiving,
etc.

* those on the list can unsubscribe themselves - a reminder of the list web page
is at the foot of every email.

Job done.

There is a lot of hype about the GDPR, much of it inflated by those who either
do not understand it or those who are selling DDPR 'services'. GDPR is not
designed to hit things like mailman lists, or web sites that do not collect and
process personal information. ''process'' is the important word - the fact that
someone's IP address ends up in your Apache logs is of little interest unless
you mechanically process them -- using them to track down some bug or attempt at
cracking the web site would not fall foul of GDPR.

Summary: play nice (ie don't be facebook) and you are probably OK.

> ** Remember the ISO 9000 certification plague ?  When industry
> threw out good equipment that wasn't ISO 9000; & even banks bored
> us they too were ISO 9000 method compliant. 

Yes. I just ignored it.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
https://www.phcomp.co.uk/contact.php
#include 
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org