Hello all, and thanks for your quick and thoughtful replies. I only realized today that I didn't send a copy of the message I was referring to - it is a monthly mailing and is below.
Yes, I had not noticed that the auto-email could be disabled - which I did, and agree that it should be set administratively if at all possible. I'm encouraged that you're working on a complete solution to this, too, and thanks for the references to the blog posts.

Perry Engle

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, November 01, 2012 1:06 AM
To: Engle, Perry
Subject: lists.fedorahosted.org mailing list memberships reminder

This is a reminder, sent out once a month, about your lists.fedorahosted.org mailing list memberships. It includes your subscription info and how to use it to change it or unsubscribe from a list.

You can visit the URLs to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

In addition to the URL interfaces, you can also use email to make such changes. For more info, send a message to the '-request' address of the list (for example, [email protected]) containing just the word 'help' in the message body, and an email message will be sent to you with instructions.

If you have questions, problems, comments, etc, send them to [email protected]. Thanks!

Passwords for [email protected]:

List                                     Password // URL
----                                     --------
[email protected]                         [password was here]
https://lists.fedorahosted.org/mailman/options/trusted-computing/pengle%40mitre.org

[email protected]                         [and here]
https://lists.fedorahosted.org/mailman/options/lumberjack-developers/pengle%40mitre.org

-----Original Message-----
From: Stephen John Smoogen [mailto:[email protected]]
Sent: Tuesday, November 06, 2012 11:29 AM
To: Kévin Raymond
Cc: Engle, Perry; [email protected]
Subject: Re: Clear text passwords

On 6 November 2012 08:34, Kévin Raymond <[email protected]> wrote:
> On Monday, 05 Nov. 2012 at 22:04:07 (+0000), Engle, Perry wrote:
>> Hello - It's been happening for a while, but it's really (really) time to
>> end storing clear text passwords in the database. It's *LONG* past time to
>> send them in email to your users.
>>
>> If you'd like proof, go to
>>
>> http://plaintextoffenders.com/submit
>> And
>> http://krebsonsecurity.com/2012/06/naming-and-shaming-the-plaintext-offenders/
>>
>> Of all places, Fedora and Red Hat should be leading this charge.
>
> Hi,
>
> I suppose you refer to the Mailman monthly reminder?
> I agree, we can ask all the mailing list admins to disable this "feature".

Originally the passwords were set up in the default way but this spring I changed many of the users' passwords to the randomly chosen method (16 character random string). I removed all ways for the user to change the password so the only way for them to know what the password is is via a reminder. I looked at that time at either hashing the passwords in mailman or some other method, and it was non-trivial. I am waiting for the hyperkitty implementation for a real fix.

--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant. You may quote me."
-James Stewart as Elwood P. Dowd
