Date: Wed, 20 Feb 2008 12:32:57 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: subscription-request procedure?

* [2008-02-19 16:36:45 -0500] Josh Bressers wrote:

>> > Since folks like Jim are exactly the type of people we want on the list,
>> > we need to make the process fairly simple (and fast, if possible) to
>> > prevent turning people off.
>> 
>> In fact, I think even something as simple as compulsory introduction
>> will turn some people away - e.g., those Open Source authors who are new
>> to security and would like to listen to our conversations before they
>> might dare to introduce themselves.
>> 
>> Maybe we don't really require it?  Maybe we don't really need to make
>> this list subscription-moderated?  This implies that we'll have to
>> enable message moderation (with its associated delays) even for list
>> members at some point, though.
>> 
>> To avoid the delays, we might enhance (patch) ezmlm-idx to honor its
>> "allow" list even for fully-message-moderated lists.  This is probably
>> not too hard to do, although I have not looked into it.  Normally, the
>> "allow" list appears to only be honored for lists that are
>> message-moderated for non-members.
>> 
>
>Yes, these are very good points.  I think the best solution at the moment
>would be to let anyone who is subscribed to post, and let anyone subscribe.
>If we have problems, we can tighten things up a bit later.
>
>This is one of the tricky things when starting something up such as this.
>It's easy to solve problems that don't exist, which then end up turning
>people away.
>
>FWIW, mailman has the ability to enable individual user moderation.
>Something similar would certainly be a useful feature here.

Sounds good to me.  Maybe having the thing unfettered for a time and seeing
how it works would be best.  If problems do come up, we can always fall
back to the subscriber-moderation and/or message moderation (although,
to be honest, I'm more in favour of subscriber-moderation than message
moderation unless spam starts to become a real problem).

-- 
Vincent Danen @ http://linsec.ca/
