Re: [PATCH/RFC] mailman: Use Mailman's Secure_MakeRandomPassword() for list passwords

On Fri, 21 Aug 2009, Todd Zullinger wrote:

> This should generate a bit stronger passwords than the previous code,
> which encoded the passwords as hex, limiting the characters in the
> password to the set [0-9a-f].
> ---
>
> The mailman_server class is only included on collab[12] and hosted1,
> so it isn't actually affected by the current freeze policy.  But I
> still wanted to float this by the list for comments and review.
>
> The current fedora-mailing-list-setup script creates a list password
> using:
>
>     file('/dev/urandom', 'r').read(4).encode('hex')
>
> This seems to be a good bit weaker than it needs to be.  Unless
> someone has better alternatives for creating decent list passwords, I
> suggest we take advantage of Mailman.Utils.Secure_MakeRandomPassword()
> from mailman.  The Secure_MakeRandomPassword() code is in:
>
>     /usr/lib/mailman/Mailman/Utils.py
>
>  configs/mailman/fedora-mailing-list-setup       |    2 +-
>  modules/mailman/files/fedora-mailing-list-setup |    2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/configs/mailman/fedora-mailing-list-setup b/configs/mailman/fedora-mailing-list-setup
> index 8ccdda7..80b2c58 100755
> --- a/configs/mailman/fedora-mailing-list-setup
> +++ b/configs/mailman/fedora-mailing-list-setup
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
>      host_name = mm_cfg.DEFAULT_EMAIL_HOST
>      web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
>
> -    listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
> +    listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
>
>      mlist = MailList.MailList()
>      try:
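Review bot: The added listpasswd line calls Utils.Secure_MakeRandomPassword(), but nothing in this hunk shows Utils being imported in the script; the context lines only use mm_cfg and MailList. Please confirm the file already has "from Mailman import Utils" alongside its other Mailman imports, otherwise create_list() will fail with a NameError the first time a list is created. It would also help to say in the commit message what mm_cfg.ADMIN_PASSWORD_LENGTH is on the affected hosts, since the gain over the old 8 hex characters (4 bytes read from /dev/urandom) depends on that value.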
> diff --git a/modules/mailman/files/fedora-mailing-list-setup b/modules/mailman/files/fedora-mailing-list-setup
> index 7d5dcd3..bf10b81 100755
> --- a/modules/mailman/files/fedora-mailing-list-setup
> +++ b/modules/mailman/files/fedora-mailing-list-setup
> @@ -62,7 +62,7 @@ def create_list(listname, owner_mail):
>      host_name = mm_cfg.DEFAULT_EMAIL_HOST
>      web_page_url = mm_cfg.DEFAULT_URL_PATTERN % urlhost
>
> -    listpasswd = file('/dev/urandom', 'r').read(4).encode('hex')
> +    listpasswd = Utils.Secure_MakeRandomPassword(mm_cfg.ADMIN_PASSWORD_LENGTH)
>
>      mlist = MailList.MailList()
>      try:
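Review bot: The two copies of fedora-mailing-list-setup appear to have drifted: the listpasswd replacement here is identical to the one in configs/mailman/ and sits at the same position (@@ -62,7 +62,7), yet the index line shows different blob ids (7d5dcd3..bf10b81 here, 8ccdda7..80b2c58 there), so the files differ somewhere else. Please state which copy the mailman_server class actually deploys and consider syncing or removing the other, so that a later change to password generation cannot land in only one of them.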
> --
> 1.6.4
>

I'm fine with this patch but I can't pretend I know that it's going to
work, my mailman foo is pretty weak.  But since the revert seems easy
enough.

+1

	-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
