On Wed, Apr 24, 2013 at 2:02 PM, Drew Crampsie <drew.crampsie@gmail.com> wrote:
> 1- Is there a web based interface to browse the archive of a list?

Not yet. It is trivial to do and will be done, but this is the first time it has been requested, and there are only 15 or so messages that need to be archived (lists are not very busy it seems), so it will be done shortly. It is trivial to do so: http://mlmmj.org/archive/mlmmj/2010-08/0000002.html and http://mlmmj.org/docs/readme-archives/ .

> 2- Is the mailman era archive of each list now simply
> unreachable from the web?

It shouldn't be. Give me a http:// URL that should work?

> 3- Is there a web based interface for new users to subscribe
> to a list?

Not really, though it may be done soon. But, <a href="mailto:projectfoo-devel+subscribe@common-lisp.net"> ... </a> is easy enough for now.

> From what I understand now there is no password associated
> with a subscription to a list, nor is there any password
> associated with the owner/admin role of a list.

Can you tell me what you have read that makes it seem very, very insecure? Also, what are you talking about with "password associated with ..."?

> Am I wrong
> in believing that now someone simply has to send emails
> with a forged From: field to hijack control of the list/subscription?

Well, what made you believe that? Is there a simple way that folks can easily hijack a list over email? 

As far as I know, it was audited by a company that worries about such things, http://mlmmj.org/docs/readme-security/ , and does not have a problem... can you please show me how/where/when you are able to hijack a list? mlmmj-test@common-lisp.net is a great place to start, and please feel free to hijack it.

Let me know if I have answered all the questions, and let me know the security holes you have discovered.

 -- drewc


Indeed you have answered all the questions I asked and this does clarify the current situation.

Thank you,

Jean-Claude Beaudoin

On Wed, Apr 24, 2013 at 2:00 AM, Jean-Claude Beaudoin <jean.claude.beaudoin@gmail.com> wrote:

I have been trying to figure out the new project mailing lists setup
on common-lisp.net for the last few hours. I think I more or less
understand now how the lists setup is to be used but I still
have a few questions left:

1- Is there a web based interface to browse the archive of a list?

2- Is the mailman era archive of each list now simply
    unreachable from the web?

3- Is there a web based interface for new users to subscribe
    to a list?  Or, do we have to explain to them on the project page
    that they need to send email to say
    "projectfoo-devel+subscribe@common-lisp.net" in order
    to subscribe to the projectfoo-devel list?

4- From what I understand now there is no password associated
     with a subscription to a list, nor is there any password
     associated with the owner/admin role of a list.  Am I wrong
     in believing that now someone simply has to send emails
     with a forged From: field to hijack control of the list/subscription?

Thanks,

Jean-Claude Beaudoin