[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [eclipse.org-architecture-council] Auto-generated emails containing secure information received
|
Just because mailman works like this doesn’t mean we need to be ok with it. I am certainly not ok with emails containing passwords in plaintext. In 2025, there has to be a better secure way.
Maybe it is unusual, I think this is how mailman (they software behind
the mailing lists) work see this documentation here:
https://www.gnu.org/software/mailman/mailman-member/node15.html
> Warning: Do NOT use a valuable password for Mailman, since it can be
sent in plain text to you.
On the other hand one can not do much with this password and if someone
can read your emails you probably have a much bigger problem than
someone changing some of your mailman settings.
Apart from that mailing list feel like some ancient thing from the past
anyways, in platfrom/tycho/m2e/... we have mostly migrated to github
discussions that much better serve our needs (e.g. searching, no extra
accounts required, option to unsubscribe from topics,...) and only uses
it for the "official" parts (e.g. announcing of releases).
Am 08.12.25 um 01:53 schrieb Sohn, Matthias via
eclipse.org-architecture-council:
> I also received such an email from technology-pmc-request@xxxxxxxxxxx
> stating that emails from the technology-pmc list to my gmail account
> bounced. This email includes a password in plain text. The mailing list
> membership page mentioned in the email
> https://www.eclipse.org/mailman/options/technology-pmc/ <https://
> www.eclipse.org/mailman/options/technology-pmc/
> matthias.sohn%40gmail.com><my email address url encoded>
> responds "404 Not found".
>
> cc-ing Mikael leading the Eclipse foundation's security team.
>
> *From: *eclipse.org-architecture-council <eclipse.org-architecture-
> council-bounces@xxxxxxxxxxx> on behalf of Nikhil Nanivadekar via
> eclipse.org-architecture-council <eclipse.org-architecture-
> council@xxxxxxxxxxx>
> *Date: *Sunday, 7. December 2025 at 16:10
> *To: *technology-pmc-owner@xxxxxxxxxxx <technology-pmc-owner@xxxxxxxxxxx>
> *Cc: *Nikhil Nanivadekar <nikhilnanivadekar@xxxxxxxxx>, eclipse.org-
> architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx>
> *Subject: *[eclipse.org-architecture-council] Auto-generated emails
> containing secure information received
>
> Hi Technology PMC owners, EMO,
>
> I received an email to confirm my subscription to Technology PMC
> distribution list. This email is highly insecure because it contains my
> password in plain text.
>
> Can you please prioritize fixing the emails sent such that they don’t
> contain passwords in plain text?
>
> Honestly, I was a bit shocked and I am worried about the security and
> privacy controls to keep our account safe.
>
> Architecture council, EMO,
>
> What is the mechanism to request a verification that such incidents are
> handled promptly and systematic fixes are applied?
>
> Thanks,
> Nikhil.
>
>
>
> _______________________________________________
> eclipse.org-architecture-council mailing list
> eclipse.org-architecture-council@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
