emacs-orgmode@gnu.org archives
 help / color / mirror / code / Atom feed
* Gmane readers - please subscribe
@ 2010-04-26  6:19 Carsten Dominik
  2010-04-26 20:43 ` Mikael Fornius
  2010-04-27  0:16 ` Ben Finney
  0 siblings, 2 replies; 14+ messages in thread
From: Carsten Dominik @ 2010-04-26  6:19 UTC (permalink / raw)
  To: Emacs-orgmode mailing list


If you are reading emacs-orgmode.org through gmane, please read this  
new FAQ to help take load off the maintainers.

http://orgmode.org/worg/org-faq.php#ml-subscription-and-gmane

Thanks

- Carsten

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-26  6:19 Gmane readers - please subscribe Carsten Dominik
@ 2010-04-26 20:43 ` Mikael Fornius
  2010-04-27  0:16 ` Ben Finney
  1 sibling, 0 replies; 14+ messages in thread
From: Mikael Fornius @ 2010-04-26 20:43 UTC (permalink / raw)
  To: Carsten Dominik; +Cc: Emacs-orgmode mailing list


Thanks Carsten for this good advice!

I already use the setup with gmane and a mail list subscription without
mail delivery and it works great.


A tip:

To easily(?) subscribe to the list and set the option to note receive
mail.

1. Send a subscription request to the lists request-address.

--8<---------------cut here---------------start------------->8---
To: emacs-orgmode-request@gnu.org
Subject: subscribe
--8<---------------cut here---------------end--------------->8---

2. Receive confirmation mail.

3. Send back confirmation code.

--8<---------------cut here---------------start------------->8---
To: emacs-orgmode-request@gnu.org
Subject: confirm xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--8<---------------cut here---------------end--------------->8---

4. Receive welcome message and password.

5. Send delivery setting.

--8<---------------cut here---------------start------------->8---
To: emacs-orgmode-request@gnu.org
Subject:
set authenticate <received password>
set delivery off
--8<---------------cut here---------------end--------------->8---

6. Receive results, DONE! :-)

Of course you can do it in the web interface also...
   
/mfo (one of the listadmins)

-- 
Mikael Fornius

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-26  6:19 Gmane readers - please subscribe Carsten Dominik
  2010-04-26 20:43 ` Mikael Fornius
@ 2010-04-27  0:16 ` Ben Finney
  2010-04-27  2:14   ` Tyler Smith
  1 sibling, 1 reply; 14+ messages in thread
From: Ben Finney @ 2010-04-27  0:16 UTC (permalink / raw)
  To: emacs-orgmode

Carsten Dominik <carsten.dominik@gmail.com> writes:

> If you are reading emacs-orgmode.org through gmane, please read this
> new FAQ to help take load off the maintainers.
>
> http://orgmode.org/worg/org-faq.php#ml-subscription-and-gmane

A large part of my reason for reading via Gmane is to avoid yet another
set of authentication credentials. Especially one that I never use;
that's a security nightmare waiting to happen. So I'm not interested in
increasing my security exposure by making a Mailman account on yet
another site.

While I appreciate that administrators would prefer that Gmane readers
subscribe, I think their chosen mailing list administration system is
not helping their cause. (No, I don't have a better one to suggest.)

-- 
 \     “As we enjoy great advantages from the inventions of others, we |
  `\      should be glad to serve others by any invention of ours; and |
_o__)     this we should do freely and generously.” —Benjamin Franklin |
Ben Finney

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27  0:16 ` Ben Finney
@ 2010-04-27  2:14   ` Tyler Smith
  2010-04-27 10:02     ` Ben Finney
  0 siblings, 1 reply; 14+ messages in thread
From: Tyler Smith @ 2010-04-27  2:14 UTC (permalink / raw)
  To: emacs-orgmode

Ben Finney <ben+emacs@benfinney.id.au> writes:

> Carsten Dominik <carsten.dominik@gmail.com> writes:
>
>> If you are reading emacs-orgmode.org through gmane, please read this
>> new FAQ to help take load off the maintainers.
>>
>> http://orgmode.org/worg/org-faq.php#ml-subscription-and-gmane
>
> A large part of my reason for reading via Gmane is to avoid yet another
> set of authentication credentials. Especially one that I never use;
> that's a security nightmare waiting to happen. So I'm not interested in
> increasing my security exposure by making a Mailman account on yet
> another site.

Yikes! What nightmare awaits those of us who've foolishly gone ahead and
subscribed? What's my exposure, beyond some nefarious cracker
impersonating me on emacs-orgmode?

Tyler

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27  2:14   ` Tyler Smith
@ 2010-04-27 10:02     ` Ben Finney
  2010-04-27 12:04       ` Sebastian Rose
                         ` (5 more replies)
  0 siblings, 6 replies; 14+ messages in thread
From: Ben Finney @ 2010-04-27 10:02 UTC (permalink / raw)
  To: emacs-orgmode

Tyler Smith <tyler.smith@eku.edu> writes:

> Ben Finney <ben+emacs@benfinney.id.au> writes:
>
> > A large part of my reason for reading via Gmane is to avoid yet
> > another set of authentication credentials. Especially one that I
> > never use; that's a security nightmare waiting to happen. So I'm not
> > interested in increasing my security exposure by making a Mailman
> > account on yet another site.
>
> Yikes! What nightmare awaits those of us who've foolishly gone ahead
> and subscribed? What's my exposure, beyond some nefarious cracker
> impersonating me on emacs-orgmode?

The assumption here is that logging into the mailing list account is
something done infrequently to never for any given user. That's
certainly the case for just about any list I've subscribed to.

For an infrequently-to-never used passphrase, one of two things is the
case: either it's unique, or it is identical to the passphrase that
accesses some other set of services for the user.

Since it's an infrequently-to-never accessed service, it's an
unreasonable burden to expect the user to maintain unique passphrases
for every such service. If for this list, why not for every such list?

So what usually ends up happening is they're identical for a given
person across many different services. But the more that's the case, the
greater the exposure: any one of those services could manage their
security poorly, or simply be unlucky enough to attract a bored and/or
motivated cracker; and a compromise on any one of them removes any
expectation of security on any of the rest of the services where the
user has the same passphrase.

The sensible policy, therefore, is to cull the proliferation of such
passphrase-requiring infrequently-to-never-accessed accounts. Which, in
turn, means saying a polite “no thank you” to most requests to set up
new accounts.

-- 
 \        “The greatest tragedy in mankind's entire history may be the |
  `\       hijacking of morality by religion.” —Arthur C. Clarke, 1991 |
_o__)                                                                  |
Ben Finney

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Re: Gmane readers - please subscribe
  2010-04-27 10:02     ` Ben Finney
@ 2010-04-27 12:04       ` Sebastian Rose
  2010-04-27 13:51         ` Ben Finney
  2010-04-27 13:15       ` Tyler Smith
                         ` (4 subsequent siblings)
  5 siblings, 1 reply; 14+ messages in thread
From: Sebastian Rose @ 2010-04-27 12:04 UTC (permalink / raw)
  To: Ben Finney; +Cc: emacs-orgmode

Ben Finney <ben+emacs@benfinney.id.au> writes:
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?


It's easy to maintain unique passphrases, and to create them. There's
enough software out there. I use my own litty tool, which runs on
windows and Linux (I have no mac to compile wxWidgets stuff there...).

There's a portable app out somewhere... google ...

  http://portableapps.com/apps/utilities/keepass_portable



  Sebastian

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27 10:02     ` Ben Finney
  2010-04-27 12:04       ` Sebastian Rose
@ 2010-04-27 13:15       ` Tyler Smith
  2010-04-27 13:16       ` Tim Landscheidt
                         ` (3 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Tyler Smith @ 2010-04-27 13:15 UTC (permalink / raw)
  To: emacs-orgmode

Ben Finney <ben+emacs@benfinney.id.au> writes:

> Tyler Smith <tyler.smith@eku.edu> writes:
>
>> Ben Finney <ben+emacs@benfinney.id.au> writes:
>>
>> > A large part of my reason for reading via Gmane is to avoid yet
>> > another set of authentication credentials. Especially one that I
>> > never use; that's a security nightmare waiting to happen. So I'm not
>> > interested in increasing my security exposure by making a Mailman
>> > account on yet another site.
>>
>> Yikes! What nightmare awaits those of us who've foolishly gone ahead
>> and subscribed? What's my exposure, beyond some nefarious cracker
>> impersonating me on emacs-orgmode?
>
> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.
>
> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.
>
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

You know, Firefox stores passwords automatically nowadays. Like a lot of
people, I have many 'disposable' accounts with unique passwords, which
are stored in Firefox. I signed up for org-mode yesterday, and if I ever
need to log in again the password is stored in my Firefox profile. I
don't know about other browsers, but there was exactly one extra click
required for this to happen - "do you want Firefox to remember this
password?". So I have to disagree about the unreasonableness of the
burden here.


Tyler

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27 10:02     ` Ben Finney
  2010-04-27 12:04       ` Sebastian Rose
  2010-04-27 13:15       ` Tyler Smith
@ 2010-04-27 13:16       ` Tim Landscheidt
  2010-04-27 14:05       ` Nick Dokos
                         ` (2 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Tim Landscheidt @ 2010-04-27 13:16 UTC (permalink / raw)
  To: emacs-orgmode

Ben Finney <ben+emacs@benfinney.id.au> wrote:

>> > A large part of my reason for reading via Gmane is to avoid yet
>> > another set of authentication credentials. Especially one that I
>> > never use; that's a security nightmare waiting to happen. So I'm not
>> > interested in increasing my security exposure by making a Mailman
>> > account on yet another site.

>> Yikes! What nightmare awaits those of us who've foolishly gone ahead
>> and subscribed? What's my exposure, beyond some nefarious cracker
>> impersonating me on emacs-orgmode?

> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.

> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.

> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

> So what usually ends up happening is they're identical for a given
> person across many different services. But the more that's the case, the
> greater the exposure: any one of those services could manage their
> security poorly, or simply be unlucky enough to attract a bored and/or
> motivated cracker; and a compromise on any one of them removes any
> expectation of security on any of the rest of the services where the
> user has the same passphrase.

> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.

The common policy, however, is that you subscribe to the
mailing list with the defaults, use the automatically gener-
ated password to set the "account" to "no mail" and never
bother again. Some mailing lists will send you a reminder of
your "account"'s subscriptions once a month, some not even
that. And should you really ever need to access your "ac-
count"'s configuration, you can always use the "lost pass-
word" link.

Tim

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27 12:04       ` Sebastian Rose
@ 2010-04-27 13:51         ` Ben Finney
  2010-04-27 18:22           ` Manish Sharma
  0 siblings, 1 reply; 14+ messages in thread
From: Ben Finney @ 2010-04-27 13:51 UTC (permalink / raw)
  To: emacs-orgmode

Sebastian Rose <sebastian_rose@gmx.de> writes:

> Ben Finney <ben+emacs@benfinney.id.au> writes:
> > Since it's an infrequently-to-never accessed service, it's an
> > unreasonable burden to expect the user to maintain unique
> > passphrases for every such service. If for this list, why not for
> > every such list?
>
> It's easy to maintain unique passphrases, and to create them.

Having done so for many accounts and using many different systems for
doing so, I can assure you that it's easier and more reliable to just
avoid creating such accounts where possible.

-- 
 \        “I don't accept the currently fashionable assertion that any |
  `\       view is automatically as worthy of respect as any equal and |
_o__)                                   opposite view.” —Douglas Adams |
Ben Finney

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Re: Gmane readers - please subscribe
  2010-04-27 10:02     ` Ben Finney
                         ` (2 preceding siblings ...)
  2010-04-27 13:16       ` Tim Landscheidt
@ 2010-04-27 14:05       ` Nick Dokos
  2010-04-27 15:28       ` Andreas Burtzlaff
  2010-04-27 15:51       ` Sebastian Rose
  5 siblings, 0 replies; 14+ messages in thread
From: Nick Dokos @ 2010-04-27 14:05 UTC (permalink / raw)
  To: Ben Finney; +Cc: nicholas.dokos, emacs-orgmode

Ben Finney <ben+emacs@benfinney.id.au> wrote:

> Tyler Smith <tyler.smith@eku.edu> writes:
> 
> > Ben Finney <ben+emacs@benfinney.id.au> writes:
> >
> > > A large part of my reason for reading via Gmane is to avoid yet
> > > another set of authentication credentials. Especially one that I
> > > never use; that's a security nightmare waiting to happen. So I'm not
> > > interested in increasing my security exposure by making a Mailman
> > > account on yet another site.
> >
> > Yikes! What nightmare awaits those of us who've foolishly gone ahead
> > and subscribed? What's my exposure, beyond some nefarious cracker
> > impersonating me on emacs-orgmode?
> 
> The assumption here is that logging into the mailing list account is
> something done infrequently to never for any given user. That's
> certainly the case for just about any list I've subscribed to.
> 
> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.
> 
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?
> 

Why not indeed? See below.

> So what usually ends up happening is they're identical for a given
> person across many different services. But the more that's the case, the
> greater the exposure: any one of those services could manage their
> security poorly, or simply be unlucky enough to attract a bored and/or
> motivated cracker; and a compromise on any one of them removes any
> expectation of security on any of the rest of the services where the
> user has the same passphrase.
> 
> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.
> 

It seems to me that another sensible policy is to generate a random
password, set it and forget it. If I ever need it, I use the password
reminder mechanism. The policy has the advantage of reducing the load on
the administrators.  The disadvantage is that I have to wait a few
minutes before I can make changes. I'm perfectly willing to make that
trade-off.

The most serious problem with this approach is how to generate a
password that obeys whatever stupid (and in many cases, undocumented)
restrictions the program designer imposes on acceptable passwords.
Witn mailman, you can let *it* generate the password.

There may be other problems of course that I have not thought about. I
also sympathize with your point of view[1]: there are many cases where
I *have* to have another password and it drives me up the wall, but in
this one case, I really don't mind.

Nick

[1] For mailman in particular, Jamie Zawinski published an essay
    entitled "Mailman considered harmful", attacking the mailman
    password policy (among other things):

        http://www.jwz.org/doc/mailman.html

    Barry Warsaw's rebuttal is here:

        http://www.gnu.org/software/mailman/jwzrebuttal.html
    

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Re: Gmane readers - please subscribe
  2010-04-27 10:02     ` Ben Finney
                         ` (3 preceding siblings ...)
  2010-04-27 14:05       ` Nick Dokos
@ 2010-04-27 15:28       ` Andreas Burtzlaff
  2010-04-27 15:51       ` Sebastian Rose
  5 siblings, 0 replies; 14+ messages in thread
From: Andreas Burtzlaff @ 2010-04-27 15:28 UTC (permalink / raw)
  To: Ben Finney; +Cc: emacs-orgmode

On Tue, 27 Apr 2010 20:02:50 +1000
Ben Finney <ben+emacs@benfinney.id.au> wrote:

> [...]
> For an infrequently-to-never used passphrase, one of two things is the
> case: either it's unique, or it is identical to the passphrase that
> accesses some other set of services for the user.
> 
> Since it's an infrequently-to-never accessed service, it's an
> unreasonable burden to expect the user to maintain unique passphrases
> for every such service. If for this list, why not for every such list?

An idea to generate unique passwords for different services is to take
the first N characters of the hash of a string that is the
concatenation of the domain name and a master password.
I have a page on my site that does just that in javascript.
No need to maintain anything.
Frequently used passwords are stored in firefox or occasionally even in
my head.

The equivalent bash command I use for the orgmode list is:

echo -n "<masterpassword>lists.gnu.org" | md5sum | awk '{print substr ($1,0,7)}'

Andreas 

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Re: Gmane readers - please subscribe
  2010-04-27 10:02     ` Ben Finney
                         ` (4 preceding siblings ...)
  2010-04-27 15:28       ` Andreas Burtzlaff
@ 2010-04-27 15:51       ` Sebastian Rose
  2010-04-27 22:53         ` Ben Finney
  5 siblings, 1 reply; 14+ messages in thread
From: Sebastian Rose @ 2010-04-27 15:51 UTC (permalink / raw)
  To: Ben Finney; +Cc: emacs-orgmode


> The sensible policy, therefore, is to cull the proliferation of such
> passphrase-requiring infrequently-to-never-accessed accounts. Which, in
> turn, means saying a polite “no thank you” to most requests to set up
> new accounts.


OK - there _must_ be a missunderstanding...


The sensible thing in world full of unsubscribed people is to _not_ run
such a system like this at all. It simply wouldn't work in such a
spam-free way.


How do you suppose mails of unsubscribed users get here?
Is it the work of some anonymous maintainers on gmane.org, he?

No! It is the work of people on this list - those who volunteered to
read mails of unsubscribed users, filter out spam and forward the rest,
so they could possibly find help on this list.

Every day heroes, that even dare to have an account with a password :)
and, seriously now, do a real great job!


We all post via "reply all" to support unsubscribed users. They (you?)
couldn't discuss in realtime otherwise.





Sorry


  Sebastian

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27 13:51         ` Ben Finney
@ 2010-04-27 18:22           ` Manish Sharma
  0 siblings, 0 replies; 14+ messages in thread
From: Manish Sharma @ 2010-04-27 18:22 UTC (permalink / raw)
  To: emacs-orgmode

Ben Finney <ben+emacs@benfinney.id.au> writes:

> Sebastian Rose <sebastian_rose@gmx.de> writes:
>
>> Ben Finney <ben+emacs@benfinney.id.au> writes:
>> > Since it's an infrequently-to-never accessed service, it's an
>> > unreasonable burden to expect the user to maintain unique
>> > passphrases for every such service. If for this list, why not for
>> > every such list?
>>
>> It's easy to maintain unique passphrases, and to create them.
>
> Having done so for many accounts and using many different systems for
> doing so, I can assure you that it's easier and more reliable to just
> avoid creating such accounts where possible.

Other have already made some excellent suggestions.  About multiple
system issue: you could look at a web based password manager like
passpack.com or such.

Regards
-- 
Manish

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Gmane readers - please subscribe
  2010-04-27 15:51       ` Sebastian Rose
@ 2010-04-27 22:53         ` Ben Finney
  0 siblings, 0 replies; 14+ messages in thread
From: Ben Finney @ 2010-04-27 22:53 UTC (permalink / raw)
  To: emacs-orgmode

Sebastian Rose <sebastian_rose@gmx.de> writes:

> OK - there _must_ be a missunderstanding...

Quite probably. But I don't wish to make further noise about a topic
most here likely don't care much about, so I will try to make this my
last message in this thread unless new information comes to light.

> We all post via "reply all" to support unsubscribed users. They (you?)
> couldn't discuss in realtime otherwise.

In fact, many people in this thread have *not* done that, and I've read
every message sent to the forum just fine. Gmane allows an NNTP
interface to the forum; that's pretty much the point for me. If you are
sending an extra copy to me specifically, please don't; it doesn't help.


As for the many suggestions to set up authentication tokens that lie
dormant: I have explained my position on proliferation of authentication
tokens, and some people have understood. That's good enough for now.
Let's get back to Org-mode discussions :-)

-- 
 \         “Dad always thought laughter was the best medicine, which I |
  `\    guess is why several of us died of tuberculosis.” —Jack Handey |
_o__)                                                                  |
Ben Finney

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2010-04-27 22:53 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-26  6:19 Gmane readers - please subscribe Carsten Dominik
2010-04-26 20:43 ` Mikael Fornius
2010-04-27  0:16 ` Ben Finney
2010-04-27  2:14   ` Tyler Smith
2010-04-27 10:02     ` Ben Finney
2010-04-27 12:04       ` Sebastian Rose
2010-04-27 13:51         ` Ben Finney
2010-04-27 18:22           ` Manish Sharma
2010-04-27 13:15       ` Tyler Smith
2010-04-27 13:16       ` Tim Landscheidt
2010-04-27 14:05       ` Nick Dokos
2010-04-27 15:28       ` Andreas Burtzlaff
2010-04-27 15:51       ` Sebastian Rose
2010-04-27 22:53         ` Ben Finney

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).