Hi,
On Nov 13, 2015 11:06, "Risker" <risker.wp(a)gmail.com> wrote:
> However, as a list subscriber, I have yet to receive an email telling me
> that there is a forced password change for any WMF-based list to which I
> subscribe. Some questions are in order about this element, which is not
> mentioned in the blog, and will affect tens of thousands of users.

For your typical list with no sensitive content I imagine many people would
just leave the automatically set (random) passwd. Many won't even keep a
record of it and will just reset it when they need to use it.

Note, however, that James' point about monthly reminders doesn't hold
because our lists typically have that disabled. (I get reminders for 2
lists each month. I subscribe to many more than that.)

It's trivial to reset subscriber passwd (and is self-service) and also to
set a new password once you have logged in; when you set a new one
after logging in to the web interface there's a checkbox for making the
change on all your lists or only that one.

> Do subscribers have to change their password for each WMF-based mailman
> mailing list separately, or can they use the "one password for all lists"
> function that currently exists to change all of the passwords at once?
> (Keep in mind that most of the mailing lists are at least semi-public, so
> this is not really a big deal.)

I'm not sure exactly what you mean. See above. Passwords have been changed
but the software behaves the same as before AFAIK.

> If not, what happens to those subscriptions? Are they discontinued if the
> user does not update his or her password, or do they just continue?

Users don't need to do anything if they don't want to change anything.

> I think that there are a lot of valid points being made about
> the inherent problem of having listadmin passwords that are not
> user-specific.

That's not a Wikimedia-specific problem. Nothing about that authentication
system is locally customized (except maybe a couple lists with an extra
layer of auth on top of mailman).

There's an upstream and a large user base. I would say patches welcome but
maybe they prefer people upgrade to mailman 3. (and maybe that fixes the
auth model)

> At the same time, we should keep in mind that the core issue here is that
> a few listadmins appear to have used the same password for listadmin
> duties as they were using for other accounts.

+1

-Jeremy