From jean.claude.beaudoin@gmail.com Wed Jul 12 20:40:31 2023
From: Jean-Claude Beaudoin
To: clo-devel@common-lisp.net
Subject: Re: Questions about new mailing lists setup on common-lisp.net
Date: Wed, 08 Apr 2015 20:58:11 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8662532128142665860=="

--===============8662532128142665860==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 24, 2013 at 2:02 PM, Drew Crampsie wrote:

> > 1- Is there a web based interface to browse the archive of a list?
>
> Not yet. It is trivial to do and will be done, but this is the first time
> it has been requested, and there are only 15 or so messages that need
> archived (lists are not very busy it seems), so it will be done shortly. It
> is trivial to do so : http://mlmmj.org/archive/mlmmj/2010-08/0000002.html and
> http://mlmmj.org/docs/readme-archives/ .
>
> > 2- Is the mailman era archive of each list now simply
> >    unreachable from the web?
>
> It shouldn't be. Give me a http:// URL that should work?
>
> > 3- Is there a web based interface for new users to subscribe
> >    to a list?
>
> not really, though it may be done soon. But, projectfoo-devel+subscribe(a)common-lisp.net"> ... is easy enough for
> now.
>
> > From what I understand now there is no password associated
> > with a subscription to a list, nor is there any password
> > associated with the owner/admin role of a list.
>
> Can you tell me what you have read that makes it seem like very very
> insecure? Also, what are you talking about "password associated
> with ..."?
>
> > Am I wrong
> > in believing that now someone simply has to send emails
> > with a forged From: field to hijack control of the list/subscription?
>
> Well, what made you believe that? Is there a simple way that folks can
> easily hijack a list over email?
>
> As far as I know, it was audited by a company that worries about such
> things, http://mlmmj.org/docs/readme-security/ , and does not have a
> problem... can you please show me how/where/when you are able to hijack a
> list? mlmmj-test(a)common-lisp.net is a great place to start, and please
> feel free to hijack it.
>
> Let me know if I have answered all the questions, and let me know the
> security holes you have discovered.
>
> -- drewc
>

Indeed you have answered all the questions I asked and this does clarify the current situation.

Thank you,

Jean-Claude Beaudoin

>
> On Wed, Apr 24, 2013 at 2:00 AM, Jean-Claude Beaudoin <
> jean.claude.beaudoin(a)gmail.com> wrote:
>
>>
>> I have been trying to figure out the new project mailing lists setup
>> on common-lisp.net for the last few hours. I think I more or less
>> understand now how the lists setup is to be used but I still
>> have a few questions left:
>>
>> 1- Is there a web based interface to browse the archive of a list?
>>
>> 2- Is the mailman era archive of each list now simply
>>    unreachable from the web?
>>
>> 3- Is there a web based interface for new users to subscribe
>>    to a list? Or, do we have to explain them on the project page
>>    that they need to send email to say
>>    "projectfoo-devel+subscribe(a)common-lisp.net" in order
>>    to subscribe to the projectfoo-devel list?
>>
>> 4- From what I understand now there is no password associated
>>    with a subscription to a list, nor is there any password
>>    associated with the owner/admin role of a list. Am I wrong
>>    in believing that now someone simply has to send emails
>>    with a forged From: field to hijack control of the list/subscription?
>>
>> Thanks,
>>
>> Jean-Claude Beaudoin
--===============8662532128142665860==--