On 11/05/2012 05:04 PM, Engle, Perry wrote:
> Hello – It’s been happening for a while, but it’s really (really) time
> to end storing clear text passwords in the database. It’s **LONG** past
> time to send them in email to your users.
>
> If you’d like proof, go to
>
> http://plaintextoffenders.com/submit
>
> And
>
> http://krebsonsecurity.com/2012/06/naming-and-shaming-the-plaintext-offenders/
>
> Of all places, Fedora and Red Hat should be leading this charge.

Hi Perry.

Thanks for your email. We are currently working on an initiative called "Hyperkitty", which is a rewrite of the Mailman3 Archiver code. Part of this initiative (a very small part) includes the removal of plain-text passwords. For more information about this project, please see:

http://aurelien.bompard.org/post/2012/10/17/Progress-on-HyperKitty

Additionally, back in March, we disabled user password settings as much as possible in the existing Mailman 2 environments:

http://smoogespace.blogspot.com/2012/04/mailman-passwords-how-fedora-it-is.html

While mailman still sends a clear-text password back to the user upon request, it is a throw-away password.

If there are other areas where you believe we are handling passwords insecurely, please point them out to us.

Thanks again,

Tom Callaway
Fedora Engineering Manager
== Fedora Project

--
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites