Questions about new mailing lists setup on common-lisp.net

Jean-Claude Beaudoin jean.claude.beaudoin at gmail.com
Thu Apr 25 07:47:07 UTC 2013


On Wed, Apr 24, 2013 at 2:02 PM, Drew Crampsie <drew.crampsie at gmail.com> wrote:

> > 1- Is there a web based interface to browse the archive of a list?
>
> Not yet. It is trivial to do and will be done, but this is the first time
> it has been requested, and there are only 15 or so messages that need
> archived (lists are not very busy it seems), so it will be done shortly. It
> is trivial to do so: http://mlmmj.org/archive/mlmmj/2010-08/0000002.html and
> http://mlmmj.org/docs/readme-archives/ .
>
> > 2- Is the mailman era archive of each list now simply
> >     unreachable from the web?
>
> It shouldn't be. Give me a http:// URL that should work?
>
> > 3- Is there a web based interface for new users to subscribe
> >     to a list?
>
> Not really, though it may be done soon. But, <a href="mailto:
> projectfoo-devel+subscribe at common-lisp.net"> ... </a> is easy enough for
> now.
>
> >  From what I understand now there is no password associated
> >      with a subscription to a list, nor is there any password
> >      associated with the owner/admin role of a list.
>
> Can you tell me what you have read that makes it seem very, very
> insecure? Also, what are you talking about "password associated
> with ..."?
>
> > Am I wrong
> > in believing that now someone simply has to send emails
> > with a forged From: field to hijack control of the list/subscription?
>
> Well, what made you believe that? Is there a simple way that folks can
> easily hijack a list over email?
>
> As far as I know, it was audited by a company that worries about such
> things, http://mlmmj.org/docs/readme-security/ , and does not have a
> problem... can you please show me how/where/when you are able to hijack a
> list? mlmmj-test at common-lisp.net is a great place to start, and please
> feel free to hijack it.
>
> Let me know if I have answered all the questions, and let me know the
> security holes you have discovered.
>
>  -- drewc
>
>
Indeed you have answered all the questions I asked and this does clarify
the current situation.

Thank you,

Jean-Claude Beaudoin

> On Wed, Apr 24, 2013 at 2:00 AM, Jean-Claude Beaudoin <
> jean.claude.beaudoin at gmail.com> wrote:
>
>>
>> I have been trying to figure out the new project mailing lists setup
>> on common-lisp.net for the last few hours. I think I more or less
>> understand now how the lists setup is to be used but I still
>> have a few questions left:
>>
>> 1- Is there a web based interface to browse the archive of a list?
>>
>> 2- Is the mailman era archive of each list now simply
>>     unreachable from the web?
>>
>> 3- Is there a web based interface for new users to subscribe
>>     to a list?  Or, do we have to explain them on the project page
>>     that they need to send email to say
>>     "projectfoo-devel+subscribe at common-lisp.net" in order
>>     to subscribe to the projectfoo-devel list?
>>
>> 4- From what I understand now there is no password associated
>>      with a subscription to a list, nor is there any password
>>      associated with the owner/admin role of a list.  Am I wrong
>>      in believing that now someone simply has to send emails
>>      with a forged From: field to hijack control of the list/subscription?
>>
>> Thanks,
>>
>> Jean-Claude Beaudoin
>>
>>
>


More information about the clo-devel mailing list