Jeffrey Walton writes:
> The best I can tell, the Mailman threat model is naive or unrealistic.
It's neither. It merely corresponds to a very low level of security,
and you are told that when you subscribe.
> There are at least three threats which should be modeled.
"Should". Why? And why
On 11/2/2011 6:15 AM, Jeffrey Walton wrote:
> On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone wrote:
>> Jeffrey Walton writes:
>>
[Snip]
>> . I was very naive.
>> Mailman works with Mail. SMTP mail is very insecure with headers, etc.
>> easily spoofed (by design - just as I can easily spoof the se
On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone wrote:
> Jeffrey Walton writes:
>
>> The best I can tell, Mailman 2 did the wrong thing.
>
> The best I can tell, your expectations for Mailman's security and the
> software authors' expectations are completely different.
Agreed. I was very naive.
> Ma
On Wed, Nov 2, 2011 at 6:00 AM, Stephen J. Turnbull wrote:
> Jeffrey Walton writes:
>
> > The best I can tell, Mailman 2 did the wrong thing.
>
> Against what threats with what level of security do you have in mind?
I found it interesting you brought a threat model into the discussion.
The best I
On Tue, Nov 1, 2011 at 9:25 PM, Stephen J. Turnbull wrote:
> Jeffrey Walton writes:
>
> > I wish these list managers would get a f**king clue and do things
> > securely.
>
> By which you mean what? What we've learned over the last 30 years is
> that when application developers try to do securit
Jeffrey Walton writes:
> The best I can tell, Mailman 2 did the wrong thing.
The best I can tell, your expectations for Mailman's security and the software
authors' expectations are completely different. As has already been explained,
it is a low level of security designed to prevent (maybe I s
Jeffrey Walton writes:
> The best I can tell, Mailman 2 did the wrong thing.
Against what threats with what level of security do you have in mind?
> Confer: list managers did not fix Mailman 2 (nor did they use other
> software which was secure). Why would you expect them to research
> and s