On 9/16/24 18:18, Sam Darwin via Mailman-users wrote:
> inherently not secure
> The passwords were good enough for mailman2. If a mailman2 instance has been in
> production for 20 years and users aren't complaining about security, maybe it's
> not a show stopper

There are regular complaints dating back at least to
<https://bugs.launchpad.net/mailman/+bug/265179> about passwords mailed
in the clear.

> The point is to make the upgrade seamless. That means... being able to say that everyone
> gets to keep their user account and password. To be able to easily tell the users
> "Your account is still the same. Just log in. Change your password when you
> like."

But is it "the same"? What about an import of two lists with members
which are the same person, but with possibly separate email addresses
and/or passwords? Do we really want to create multiple Django users, or
let the user create one Django user with multiple addresses?

> In the current context, passwords are associated with django accounts rather
> than mailman-core accounts. So this is about creating django users.
> creating a django user is "expensive". "poor performance"
> I didn't follow what that means. What is expensive? What is poor performance?

I pointed to
<https://mail.python.org/archives/list/mailman-develop...@python.org/thread/454FVD23LFZSF5AX76DF2FOXRJARXQYH/%3E>
which discusses the performance issue as a reason for dropping the
import of MM 2.1 passwords.

> Creating new django accounts en masse would be a one-time operation. It doesn't
> matter if it's slow, or expensive, since it only happens once.

While probably not typical, mail.python.org currently has (still) 209 MM
2.1 lists with 40261 unique member addresses. Creating 40261 Django
users, even just one time would probably be painful.

> And it would be optional. With the --django-accounts flag. Or another separate script.
> Then you can tell users "Your account is the same as before. A transparent upgrade.
> Just log in".

I really don't understand why telling the user that she has an account
and she can just log in with one of the N MM 2.1 passwords she had on
the N MM 2.1 lists or get a reset email if she doesn't know or remember
the password(s) is any easier for the user than telling her to go to ...
and sign up.
--
Mark Sapiro <m...@msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at:
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/AP6XWJOKYOM7NV52J5HIVAT6JPGE5HT6/