<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">This list is not the place for this
discussion. If you feel that this is an issue, then please open an
issue up in the webmasters issue tracker:<br>
<br>
<a class="moz-txt-link-freetext" href="http://drupal.org/node/add/project-issue/webmasters">http://drupal.org/node/add/project-issue/webmasters</a><br>
<br>
<pre class="moz-signature" cols="72">Jamie Holly
<a class="moz-txt-link-freetext" href="http://www.intoxination.net">http://www.intoxination.net</a>
<a class="moz-txt-link-freetext" href="http://www.hollyit.net">http://www.hollyit.net</a></pre>
On 12/2/2012 12:24 PM, Pat Ferrel wrote:<br>
</div>
<blockquote
cite="mid:B6B088C7-9F8A-4C73-B62A-ED0DA3341E8A@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Wow, this is complete foolishness.
<div><br>
</div>
<div>How does my failure to read a notice have anything to do with
an obviously bad practice? Red herring!</div>
<div><br>
</div>
<div>Also what does the fact that this is a community effort have
anything to do with an obviously bad practice? Another red
herring. Community can also work to point out failures like this
and work to fix them.</div>
<div><br>
</div>
<div>The password protects low security information but I am not
even sure where else I use that password. And this itself is
another red herring.</div>
<div><br>
</div>
<div>Passwords in clear text are universally and absolutely BAD.
You can justify the fact that no one has time to fix it. That I
understand but the rest of these arguments are purely specious.</div>
<div><br>
</div>
<div><br>
<div>
<div>On Dec 1, 2012, at 2:19 PM, Anthony <<a
moz-do-not-send="true" href="mailto:tony@tony-mac.com">tony@tony-mac.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
Very well written Richard. <br>
<br>
<div class="gmail_quote">On Sat, Dec 1, 2012 at 1:59 PM,
Richard Damon <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Richard@damon-family.org" target="_blank">Richard@damon-family.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 12/1/12 11:57 AM, Pat Ferrel wrote:<br>
</div>
<blockquote type="cite"> I just got a reminder from
the <a moz-do-not-send="true"
href="mailto:mailman-owner@drupal.org"
target="_blank">mailman-owner@drupal.org</a> about
my account settings for this mail group.
<div><br>
</div>
<div>The email contained my password in clear
text!!! This is completely unacceptable.</div>
<div>
<ol>
<li>you should never save my password in clear
text</li>
<li>you should never never send it anywhere! </li>
</ol>
<div><br>
</div>
</div>
<div>This is something I'd expect from bad
practices of the last century.</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</div>
</div>
As has been mentioned, the fact that this will happen is
clearly stated on the subscription form. This password
policy has been discussed on the Mailman development
lists, and the basic argument is that the list password
is protecting low security information, as all that
someone getting this password can do is to mess up your
subscription settings or unsubscribe you from the list.
Mailman is also set up to be totally usable by a user
via email and not require any web access, the process
needs to allow for the transmission of passwords in
plain text as their is no other option with email.<br>
<br>
If YOU made the mistake of using a "valuable" password
for the list, and do not trust the security of your
email system, it is your own fault, and you should
change you password and do your best to clear that email
from your client. You can also change your setting to
suppress the monthly password reminder, but anyone can
get the system to email it to you if they want.<br>
<br>
As to the other comment about "sensible managers"
turning off this option, I would have to disagree, most
of the Mailman lists that I belong to do send the
monthly reminder, and I would never turn it off for the
lists I run because I get enough people who subscribe to
lists like this with a free email account so that when
the email address gets too well known and starts to get
too much spam, the account can be closed down and a new
on made (and the list subscription changed), and then
the free email account is set to forward to their main
account. I the person doesn't POST that often, they may
forget what email address the list is actually sending
email too, and if you forget what it is, you need to
know how to read email headers well to figure it out,
assuming the relaying host adds the "for" information in
the received headers.<span class="HOEnZb"><font
color="#888888"><br>
<pre cols="72">--
Richard Damon</pre>
</font></span></div>
<br>
--<br>
[ Drupal support list | <a moz-do-not-send="true"
href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a>
]<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<p><b style="font-family:'Lucida
Handwriting',cursive;font-size:13px;background-color:rgb(255,255,255)"><i>Anthony
Stefan Maciejowski</i></b></p>
<div><br class="webkit-block-placeholder">
</div>
<br>
<div><br class="webkit-block-placeholder">
</div>
<br>
-- <br>
[ Drupal support list | <a moz-do-not-send="true"
href="http://lists.drupal.org/">http://lists.drupal.org/</a>
]</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>