Gmane readers - please subscribe

Gmane readers - please subscribe

[Carsten Dominik]

If you are reading emacs-orgmode.org through gmane, please read this  
new FAQ to help take load off the maintainers.

http://orgmode.org/worg/org-faq.php#ml-subscription-and-gmane

Thanks

- Carsten

Re: Gmane readers - please subscribe

[Mikael Fornius]

Thanks Carsten for this good advice!

I already use the setup with gmane and a mail list subscription without
mail delivery and it works great.


A tip:

To easily(?) subscribe to the list and set the option to note receive
mail.

1. Send a subscription request to the lists request-address.

--8<---------------cut here---------------start------------->8---
To: emacs-orgmode-request@gnu.org
Subject: subscribe
--8<---------------cut here---------------end--------------->8---

2. Receive confirmation mail.

3. Send back confirmation code.

--8<---------------cut here---------------start------------->8---
To: emacs-orgmode-request@gnu.org
Subject: confirm xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--8<---------------cut here---------------end--------------->8---

4. Receive welcome message and password.

5. Send delivery setting.

--8<---------------cut here---------------start------------->8---
To: emacs-orgmode-request@gnu.org
Subject:
set authenticate <received password>
set delivery off
--8<---------------cut here---------------end--------------->8---

6. Receive results, DONE! :-)

Of course you can do it in the web interface also...
   
/mfo (one of the listadmins)

-- 
Mikael Fornius

Re: Gmane readers - please subscribe

[Ben Finney]

Carsten Dominik <carsten.dominik@gmail.com> writes:

> If you are reading emacs-orgmode.org through gmane, please read this
> new FAQ to help take load off the maintainers.
>
> http://orgmode.org/worg/org-faq.php#ml-subscription-and-gmane

A large part of my reason for reading via Gmane is to avoid yet another
set of authentication credentials. Especially one that I never use;
that's a security nightmare waiting to happen. So I'm not interested in
increasing my security exposure by making a Mailman account on yet
another site.

While I appreciate that administrators would prefer that Gmane readers
subscribe, I think their chosen mailing list administration system is
not helping their cause. (No, I don't have a better one to suggest.)

-- 
 \     “As we enjoy great advantages from the inventions of others, we |
  `\      should be glad to serve others by any invention of ours; and |
_o__)     this we should do freely and generously.” —Benjamin Franklin |
Ben Finney

Re: Gmane readers - please subscribe

[Tyler Smith]

Ben Finney <ben+emacs@benfinney.id.au> writes:

> Carsten Dominik <carsten.dominik@gmail.com> writes:
>
>> If you are reading emacs-orgmode.org through gmane, please read this
>> new FAQ to help take load off the maintainers.
>>
>> http://orgmode.org/worg/org-faq.php#ml-subscription-and-gmane
>
> A large part of my reason for reading via Gmane is to avoid yet another
> set of authentication credentials. Especially one that I never use;
> that's a security nightmare waiting to happen. So I'm not interested in
> increasing my security exposure by making a Mailman account on yet
> another site.

Yikes! What nightmare awaits those of us who've foolishly gone ahead and
subscribed? What's my exposure, beyond some nefarious cracker
impersonating me on emacs-orgmode?

Tyler

Re: Gmane readers - please subscribe

[Ben Finney]

Tyler Smith <tyler.smith@eku.edu> writes:

> Ben Finney <ben+emacs@benfinney.id.au> writes:
>
> > A large part of my reason for reading via Gmane is to avoid yet
> > another set of authentication credentials. Especially one that I
> > never use; that's a security nightmare waiting to happen. So I'm not
> > interested in increasing my security exposure by making a Mailman
> > account on yet another site.
>
> Yikes! What nightmare awaits those of us who've foolishly gone ahead
> and subscribed? What's my exposure, beyond some nefarious cracker
> impersonating me on emacs-orgmode?

The assumption here is that logging into the mailing list account is
something done infrequently to never for any given user. That's
certainly the case for just about any list I've subscribed to.

For an infrequently-to-never used passphrase, one of two things is the
case: either it's unique, or it is identical to the passphrase that
accesses some other set of services for the user.

Since it's an infrequently-to-never accessed service, it's an
unreasonable burden to expect the user to maintain unique passphrases
for every such service. If for this list, why not for every such list?

So what usually ends up happening is they're identical for a given
person across many different services. But the more that's the case, the
greater the exposure: any one of those services could manage their
security poorly, or simply be unlucky enough to attract a bored and/or
motivated cracker; and a compromise on any one of them removes any
expectation of security on any of the rest of the services where the
user has the same passphrase.

The sensible policy, therefore, is to cull the proliferation of such
passphrase-requiring infrequently-to-never-accessed accounts. Which, in
turn, means saying a polite “no thank you” to most requests to set up
new accounts.

-- 
 \        “The greatest tragedy in mankind's entire history may be the |
  `\       hijacking of morality by religion.” —Arthur C. Clarke, 1991 |
_o__)                                                                  |
Ben Finney

Re: Re: Gmane readers - please subscribe

[Sebastian Rose]

Ben Finney <ben+emacs@benfinney.id.au> writes:
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?


It's easy to maintain unique passphrases, and to create them. There's
enough software out there. I use my own litty tool, which runs on
windows and Linux (I have no mac to compile wxWidgets stuff there...).

There's a portable app out somewhere... google ...

  http://portableapps.com/apps/utilities/keepass_portable



  Sebastian

Re: Gmane readers - please subscribe

[Tyler Smith]

Ben Finney <ben+emacs@benfinney.id.au> writes:

> Tyler Smith <tyler.smith@eku.edu> writes:
>
>> Ben Finney <ben+emacs@benfinney.id.au> writes:
>>
>> > A large part of my reason for reading via Gmane is to avoid yet
>> > another set of authentication credentials. Especially one that I
>> > never use; that's a security nightmare waiting to happen. So I'm not
>> > interested in increasing my security exposure by making a Mailman
>> > account on yet another site.
>>
>> Yikes! What nightmare awaits those of us who've foolishly gone ahead
>> and subscribed? What's my exposure, beyond some nefarious cracker
>> impersonating me on emacs-orgmode?
>
> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.
>
> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.
>
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

You know, Firefox stores passwords automatically nowadays. Like a lot of
people, I have many 'disposable' accounts with unique passwords, which
are stored in Firefox. I signed up for org-mode yesterday, and if I ever
need to log in again the password is stored in my Firefox profile. I
don't know about other browsers, but there was exactly one extra click
required for this to happen - "do you want Firefox to remember this
password?". So I have to disagree about the unreasonableness of the
burden here.


Tyler

Re: Gmane readers - please subscribe

[Tim Landscheidt]

Ben Finney <ben+emacs@benfinney.id.au> wrote:

>> > A large part of my reason for reading via Gmane is to avoid yet
>> > another set of authentication credentials. Especially one that I
>> > never use; that's a security nightmare waiting to happen. So I'm not
>> > interested in increasing my security exposure by making a Mailman
>> > account on yet another site.

>> Yikes! What nightmare awaits those of us who've foolishly gone ahead
>> and subscribed? What's my exposure, beyond some nefarious cracker
>> impersonating me on emacs-orgmode?

> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.

> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.

> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

> So what usually ends up happening is they're identical for a given
> person across many different services. But the more that's the case, the
> greater the exposure: any one of those services could manage their
> security poorly, or simply be unlucky enough to attract a bored and/or
> motivated cracker; and a compromise on any one of them removes any
> expectation of security on any of the rest of the services where the
> user has the same passphrase.

> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.

The common policy, however, is that you subscribe to the
mailing list with the defaults, use the automatically gener-
ated password to set the "account" to "no mail" and never
bother again. Some mailing lists will send you a reminder of
your "account"'s subscriptions once a month, some not even
that. And should you really ever need to access your "ac-
count"'s configuration, you can always use the "lost pass-
word" link.

Tim

Re: Gmane readers - please subscribe

[Ben Finney]

Sebastian Rose <sebastian_rose@gmx.de> writes:

> Ben Finney <ben+emacs@benfinney.id.au> writes:
> > Since it's an infrequently-to-never accessed service, it's an
> > unreasonable burden to expect the user to maintain unique
> > passphrases for every such service. If for this list, why not for
> > every such list?
>
> It's easy to maintain unique passphrases, and to create them.

Having done so for many accounts and using many different systems for
doing so, I can assure you that it's easier and more reliable to just
avoid creating such accounts where possible.

-- 
 \        “I don't accept the currently fashionable assertion that any |
  `\       view is automatically as worthy of respect as any equal and |
_o__)                                   opposite view.” —Douglas Adams |
Ben Finney

Re: Re: Gmane readers - please subscribe

[Nick Dokos]

Ben Finney <ben+emacs@benfinney.id.au> wrote:

> Tyler Smith <tyler.smith@eku.edu> writes:
> 
> > Ben Finney <ben+emacs@benfinney.id.au> writes:
> >
> > > A large part of my reason for reading via Gmane is to avoid yet
> > > another set of authentication credentials. Especially one that I
> > > never use; that's a security nightmare waiting to happen. So I'm not
> > > interested in increasing my security exposure by making a Mailman
> > > account on yet another site.
> >
> > Yikes! What nightmare awaits those of us who've foolishly gone ahead
> > and subscribed? What's my exposure, beyond some nefarious cracker
> > impersonating me on emacs-orgmode?
> 
> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.
> 
> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.
> 
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?
> 

Why not indeed? See below.

> So what usually ends up happening is they're identical for a given
> person across many different services. But the more that's the case, the
> greater the exposure: any one of those services could manage their
> security poorly, or simply be unlucky enough to attract a bored and/or
> motivated cracker; and a compromise on any one of them removes any
> expectation of security on any of the rest of the services where the
> user has the same passphrase.
> 
> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.
> 

It seems to me that another sensible policy is to generate a random
password, set it and forget it. If I ever need it, I use the password
reminder mechanism. The policy has the advantage of reducing the load on
the administrators.  The disadvantage is that I have to wait a few
minutes before I can make changes. I'm perfectly willing to make that
trade-off.

The most serious problem with this approach is how to generate a
password that obeys whatever stupid (and in many cases, undocumented)
restrictions the program designer imposes on acceptable passwords.
Witn mailman, you can let *it* generate the password.

There may be other problems of course that I have not thought about. I
also sympathize with your point of view[1]: there are many cases where
I *have* to have another password and it drives me up the wall, but in
this one case, I really don't mind.

Nick

[1] For mailman in particular, Jamie Zawinski published an essay
    entitled "Mailman considered harmful", attacking the mailman
    password policy (among other things):

        http://www.jwz.org/doc/mailman.html

    Barry Warsaw's rebuttal is here:

        http://www.gnu.org/software/mailman/jwzrebuttal.html
    

Re: Re: Gmane readers - please subscribe

[Andreas Burtzlaff]

On Tue, 27 Apr 2010 20:02:50 +1000
Ben Finney <ben+emacs@benfinney.id.au> wrote:

> [...]
> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.
> 
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

An idea to generate unique passwords for different services is to take
the first N characters of the hash of a string that is the
concatenation of the domain name and a master password.
I have a page on my site that does just that in javascript.
No need to maintain anything.
Frequently used passwords are stored in firefox or occasionally even in
my head.

The equivalent bash command I use for the orgmode list is:

echo -n "<masterpassword>lists.gnu.org" | md5sum | awk '{print substr ($1,0,7)}'

Andreas 

Re: Re: Gmane readers - please subscribe

[Sebastian Rose]

> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.


OK - there _must_ be a missunderstanding...


The sensible thing in world full of unsubscribed people is to _not_ run
such a system like this at all. It simply wouldn't work in such a
spam-free way.


How do you suppose mails of unsubscribed users get here?
Is it the work of some anonymous maintainers on gmane.org, he?

No! It is the work of people on this list - those who volunteered to
read mails of unsubscribed users, filter out spam and forward the rest,
so they could possibly find help on this list.

Every day heroes, that even dare to have an account with a password :)
and, seriously now, do a real great job!


We all post via "reply all" to support unsubscribed users. They (you?)
couldn't discuss in realtime otherwise.





Sorry


  Sebastian

Re: Gmane readers - please subscribe

[Manish Sharma]

Ben Finney <ben+emacs@benfinney.id.au> writes:

> Sebastian Rose <sebastian_rose@gmx.de> writes:
>
>> Ben Finney <ben+emacs@benfinney.id.au> writes:
>> > Since it's an infrequently-to-never accessed service, it's an
>> > unreasonable burden to expect the user to maintain unique
>> > passphrases for every such service. If for this list, why not for
>> > every such list?
>>
>> It's easy to maintain unique passphrases, and to create them.
>
> Having done so for many accounts and using many different systems for
> doing so, I can assure you that it's easier and more reliable to just
> avoid creating such accounts where possible.

Other have already made some excellent suggestions.  About multiple
system issue: you could look at a web based password manager like
passpack.com or such.

Regards
-- 
Manish

Re: Gmane readers - please subscribe

[Ben Finney]

Sebastian Rose <sebastian_rose@gmx.de> writes:

> OK - there _must_ be a missunderstanding...

Quite probably. But I don't wish to make further noise about a topic
most here likely don't care much about, so I will try to make this my
last message in this thread unless new information comes to light.

> We all post via "reply all" to support unsubscribed users. They (you?)
> couldn't discuss in realtime otherwise.

In fact, many people in this thread have *not* done that, and I've read
every message sent to the forum just fine. Gmane allows an NNTP
interface to the forum; that's pretty much the point for me. If you are
sending an extra copy to me specifically, please don't; it doesn't help.


As for the many suggestions to set up authentication tokens that lie
dormant: I have explained my position on proliferation of authentication
tokens, and some people have understood. That's good enough for now.
Let's get back to Org-mode discussions :-)

-- 
 \         “Dad always thought laughter was the best medicine, which I |
  `\    guess is why several of us died of tuberculosis.” —Jack Handey |
_o__)                                                                  |
Ben Finney