Re: [Mailman-Developers] Improving the archives
I'll admit to not having read previous discussions on this topic, but I'll also add my 2 insert-lowest-denomination-coin here: On 7/2/07 11:06 PM, Terri Oda wrote: - better address obfuscation (maybe by generating pages through cgi) I run a few Wordpress sites, and there's a plugin I use called PHPEnkoder which does a good job of this. It basically wraps the address around a little bit of Javascript; if you have Javascript turned on in the browser, it's seamless, and if not you see Javascript required to view address or something like that. The theory is that bots and such don't run JS, so it's safe from harvesting. I'll leave it to the list as to how true an assessment this is, but it Works For Me : * Add a search option I know there's been patches around forever that integrate ht://Dig with Pipermail; maybe some way to do this, while still making it an option that can be tuned? If ht://Dig is there and you turn on the option, it works, but if it's not then it's not required? This would satisfy the not adding a billion dependencies, but may be overkill as well. I'll also happily admit to not knowing much about the cost of search engines to a system. * MUAs usually make URLs clickable. An new Archive could be used when posts are distributed, in the footer, so that each message has a link to the whole thread in the Archive. This would be a Godsend. A group at work here runs an old homebrewed exploder, and a few years ago I tried to convert them to Mailman. They liked everything they saw, up until the point where they couldn't refer to some kind of short and simple message number, and get right to that message in the archive. The current system generates a number based on a simple incrementing index of the list, and many months after a mailing people will refer to message #483, and know they can view it at http://hostname/foo/listname/483.html - which is also posted in the footer of the message sent out. Of course, if the archives were based on Message-ID headers, this may make such a number a bit unwieldly, but if it were some kind of simple-ish system I might finally get rid of those old lists : -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University |ICBM Address: 40.346525 -74.651285 126 Peyton Hall |On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery. -Rush, 'Cygnus X-1' ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq01.027.htp
Re: [Mailman-Developers] Crypto-sign to post
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/11/06 11:03 PM, Barry Warsaw wrote: I suppose you could also have each mailing list publish a pubkey and require that messages be encrypted with that pubkey in order to get posted. Of course that increases the cycles involved on both ends, but it allows you to accept messages without requiring the registration of each sender's key. Sure, spammers could use the same key to sign spam, but I wonder if that wouldn't be more work than is worthwhile for a botnet. Now there's something which I'm sure it's a small subset of people would be interested in, but it would definitely be nice.. the ability to run an entirely encrypted mailing list. You encrypt your message to the list key, and Mailman decrypts it, inserts some bit in the message about the original signing key, and encrypts it to each recipient. Subscribers would have to either submit a key to Mailman, or at least a key ID which could be retrieved from a keyserver. With verp I would think that encrypting to individuals would be slightly simpler - but again, a lot of CPU cycles to make it work. And I'm not sure how many lists would take advantage of it. Would also make archiving an interesting proposition... Sorry; thinking aloud again : - -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University |ICBM Address: 40.346525 -74.651285 126 Peyton Hall |On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery. -Rush, 'Cygnus X-1' -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFV2oSCCKCCLIg8RMRAgCcAKDt8BY24u6lda2PtC0+jdxRNiqfcwCbB4dX +bj5fzpqp1sx5UbUnzrSUvg= =im3W -END PGP SIGNATURE- ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq01.027.htp
Re: [Mailman-Developers] Crypto-sign to post
On 11/9/06 5:54 AM, Stefan Schlott wrote: As you mentioned, signing of a message is easy; so it is easy to sign a spam message, too. The problem is: Which key is used to sign the message, and how do you determine whether a key belongs to a spammer or to an ordinary user? The signature alone does not solve your problem. This would be for a project other than Mailman, however there already exists various blacklists and such which MTAs can use to determine if a host is likely to be a spammer. Likewise, I'm sure it wouldn't take very much to setup a daemon that contains a list of known spammy keys, and populate ones GPG keyring with those keys and flagged as untrusted. Then it would be a matter of allowing any signed mail from a non-untrusted key (so either trusted, or unknown). -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University |ICBM Address: 40.346525 -74.651285 126 Peyton Hall |On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery. -Rush, 'Cygnus X-1' ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq01.027.htp
Re: [Mailman-Developers] Crypto-sign to post
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/4/06 1:32 PM, Barry Warsaw wrote: Given that this could be a posting option that list admins could choose or not, I'm all for it. I'd like to add my $.02 as well. I think this would be a great feature, and since admins could choose to use it or not I think it might be helpful to have it on by default. But since many list readers (and possibly owners) might not understand exactly how it works, here's my thought. Have it turned on by default, but when Mailman sends out the message it adds a header to the mail; as Nathan later suggested, having it automatically set the Reply-To to include the sender so they get copies of replies would be good - better would be for Mailman to do it automagically, but that would require a bit more work to keep track of who submitted what mail, etc (things which MM isn't currently stateful enough to track, though I don't know what other 2.2 plans are in the works). The other would be a header in the body of the message, perhaps something like: [This sender is not subscribed to the list, but their email is being sent through because it is cryptographically signed - replies to the email should be CC'd to the original sender] Having it on by default might be seen as a back door to some, but off by default means people would have to see the benefits of turning it on before they'd do so. Since signed mails are likely to only be done by people who know what they're doing, and I'll guess are also less likely to be the type to post nonsense to mailing lists only to add to clutter, I'd think it would be safe to leave on. And by having the header there, it would probably alleviate those readers/admins that would wonder, How the hell did they post on here when they're not subscribed... - -- Steve Huston - W2SRH - Unix Sysadmin, Dept. of Astrophysical Sciences Princeton University |ICBM Address: 40.346525 -74.651285 126 Peyton Hall |On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (609) 258-7375 | headlong into mystery. -Rush, 'Cygnus X-1' -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFTie8CCKCCLIg8RMRAoUgAJ9Lhu7V3rH8j5ayIhoMoPEd24H8AwCeJnyN 0aRAWpvuhzu1wP8jezEBLXk= =lc5i -END PGP SIGNATURE- ___ Mailman-Developers mailing list Mailman-Developers@python.org http://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=showfile=faq01.027.htp