Re: Issue #18: Access to spi-private mailing list archives unclear

Thu, 15 Apr 2021 13:32:33 -0700 

Hi Michael,

Le 2021-04-10 à 20:12, Michael Schultheiss a écrit :

Philippe Cloutier wrote:

SPI's website allows (visibly) to consult the archives of the spi-private
mailing list, via http://lists.spi-inc.org/private/spi-private/

Unfortunately, this requires authentication using an unspecified password. I
for one am currently unable to access the archives as a result (I do not
remember ever managing to access).

All mailman lists have user level passwords. If you don't recall your
spi-private password, you can enter your email in the final box on
http://lists.spi-inc.org/listinfo/spi-private and click [Unscubscibe or
edit options] and get a password reminder from the next page.
Thank you, I managed to access the archives thanks to the "password reminder". I also understood what happened. I had never set a password for spi-private. The password was determined by Mailman, and indicated to me in the mail which I received on subscription.
That subscription mail (and therefore my password) has been in my mailbox for 4 years. In my opinion, this might constitutes a security issue; anyone who would gain access to the mailbox of an spi-private subscriber who did not delete their subscription message would gain access to the full history of spi-private.
That being said, to go back to the original problem, the paragraph "(/The subscribers list is only available to the list administrator./)" which starts the Spi-private Subscribers section in http://lists.spi-inc.org/listinfo/spi-private seems to suggest the whole section is irrelevant for most subscribers. 

I recommend the following:

1. Indicate in http://lists.spi-inc.org/private/spi-private/ that all
   subscribers have a password, and that it can be sent as a reminder.
2. Clarify the Spi-private Subscribers section by:
    1. Moving the paragraph about unsubscribing first.
    2. Merging the first 2 paragraphs (the parenthesis can be merged
       into the "Enter your admin address and password to visit the
       subscribers list" paragraph.)
    3. Fixing the "Unsubscribe or edit options" button's label so it
       covers all its functions.

--
This mail's original content (non-quoted parts) is available under the Creative 
Commons Attribution-ShareAlike License 4.0.

Philippe Cloutier
http://www.philippecloutier.com


_______________________________________________
Spi-general mailing list
Spi-general@lists.spi-inc.org
http://lists.spi-inc.org/listinfo/spi-general

Reply via email to