[Png-mng-security] png-mng-security list compromised

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Tue Aug 7 18:15:16 UTC 2007


On Tue, 7 Aug 2007, John Bowler wrote:

> From: Bob Friesenhahn
>> If the archives are disabled, then archiving needs to
>> be done via our own mailboxes.
>
> I do this for all mailing lists I am subscribed to.  So far as I can
> see archives are primarily useful to people *not* subscribed to a list,
> so in this case I suggest the message archives should either not exist
> or not be available to anyone lacking some appropriately secure
> password.

Disabling and removing the archives is easy to do.

> It seems to me that knowledge of existence of the list, where it is and
> what it is called, should not, itself, be a security issue.  Posting to
> the list is, I assume, only possible for people subscribed to it (not
> that this prevents more directed spam, since many of our email addresses
> are well known and can easily be forged.)

The list is hosted on a system which has been running without (known) 
compromise for many years.  Most services are disabled on it.  OS 
security patches are recent.  There is a daily versioned backup of the 
mailing list server files.

If we must continually change the mailing list name in order to keep 
it private, then the word may not get out in time (or to the right 
people) when there is a serious compromise.

Bob
======================================
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/



