[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian is secure, the debian lists are not


On Fri, 7 Aug 1998, Hanno Wagner wrote:

> The reason why we, the listmasters, are not going to enable the cookie
> mechanism for unsubscribing is that at the moment there are already
> too many people who a) don't manage to get unsubscribed and b) don't
> manage to get subscribed *without* manual help of either
> Joey or myself.

There is a very interesting word here: "at the moment". I would like to
know which efforts, if any, are currently being made to avoid this to
happen, specially a). For example, what about an "unsubscription FAQ" 
posted weekly? One of the most common problems with unsubscriptions is
that people have a different address in the From: header than in the
Sender: header. Is people aware of this? Would not be a really good thing
for you to educate users a little bit, or just you don't want to do that?

On the other side: Is this problem really general to all lists? Is
debian-devel as populated by dummies as debian-user is? Which would be the
problem in enabling unsubscription cookies in some selected "important"
lists for the project, like debian-devel, debian-policy, etc?

> If we would make unsubscription more difficult than it is now the
> listmasters would even have more - and unneeded - work with it.  We're
> not going to accept that.  In that case we're considering stepping back
> from such listmaster duties.

Well, unsubscription cookies are as "unneeded" as PGP uploads. It is just
a matter of time. How many additional persons would be required to do the
listmaster work if cookies are enabled for unsubscriptions also? Maybe
there are people here who would volunteer. Saying both "it is more work"
and "we will not accept any help" does not look very fair, IMHO.

> I (Joey) fully support what Hanno (=Rince) wrote and I can understand why
> he's really upset with Santiago.  I'm also upset but have calmed down
> a bit.  After ending in consensus it doesn't look fair to the work the
> listmasters do.
> We can only repeat that in our opinion security has nothing to do with
> cookie unsubscription.

Well, in my opinion security has *all* to do with this. Just remove a few
random people from several lists, and suddenly people will ask you why
debian list are so insecure.

> In most cases there isn't even a mail loss
> since most of the lists are archived on the web, some are archived on
> master, some more are archived on ftp.infodrom.north.de and some may
> be archived in users mailboxes so there are easy ways to get the mails
> if you should be unsubscribed by failure.

I can only repeat, then, that surely the work needed to go to the
archives and guess exactly how many mails did you miss is *more* than
the work in replying to a simple ready-to-reply cookie message.

> Yes, using cookie unsubscription you can ensure that nobody than you
> can unsubscribe you from the lists.  But you also ensure that many
> people can't unsubscribe at all - and increase the load for the
> listmasters.
> Maintaining 2 lists and leaving the listmasters with n - 3 doesn't
> make sense.

Well, should I offer to maintain n / 3 lists, then?

> All lists should be maintained by a unique team.

Could you please elaborate on that? Is there a technical reason why
the lists may not be maintained by several persons?

BTW: Are you going to apply the work-around I emailed to the bug address
three days ago to make this to be less grave, or it will be ignored
completely, as the rest of the mail was?

Version: 2.6.3ia
Charset: latin1


To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: