Hi,

On Nov 13, 2015 11:06, "Risker" <risker.wp@gmail.com> wrote:
> However, as a list subscriber, I have yet to receive an email telling me that there is a forced password change for any WMF-based list to which I subscribe.  Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users.

For your typical list with no sensitive content I imagine many people would just leave the automatically set (random) passwd. Many won't even keep a record of it and will just reset it when they need to use it.

Note, however, that James' point about monthly reminders doesn't hold because our lists typically have that disabled. (I get reminders for 2 lists each month. I subscribe to many more than that.)

It's trivial to reset subscriber passwd (and is self-service) and also to set a new password once you have logged in; when you set a new one after logging in to the web interface there's a checkbox for making the change on all your lists or only that one.

> Do subscribers have to change their password for each WMF-based mailman mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once?  (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.)

I'm not sure exactly what you mean. See above. Passwords have been changed but the software behaves the same as before AFAIK.

> If not, what happens to those subscriptions? Are they discontinued if the user does not update his or her password, or do they just continue?

Users don't need to do anything if they don't want to change anything.

> I think that there are a lot of valid points being made about the inherent problem of having listadmin passwords that are not user-specific.

That's not a Wikimedia-specific problem. Nothing about that authentication system is locally customized (except maybe a couple lists with an extra layer of auth on top of mailman).

There's an upstream and a large user base. I would say patches welcome but maybe they prefer people upgrade to mailman 3. (And maybe that fixes the auth model.)

> At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts.

+1

-Jeremy