Re: [eclipse.org-architecture-council] Auto-generated emails containing

[Christoph Läubrich <laeubi@xxxxxxxxxxxxxx>]

I don't state it is okay, but its certainly not a bug or recent incident 
it is that way since 20 years + (not sure how long EF mailings-list uses 
mailmain) and a documented "feature" and given that since then no known 
incident was reported that makes this change so it seems "save enough" 
for this use-case.

And again, I can't find anything useful you can do with that password 
anyways! The web settings page returns 404 for me, 
subscribing/unsubscribing requires an Eclipse Account login. Trying to 
use the mailing list directly to change my settings (sending "help" to 
<ml>-request@...) returns an error as well...

And I think not only since 2025 there are better ways than mailinglists 
but that's a completely different topic ;-)

Am 08.12.25 um 12:07 schrieb Nikhil Nanivadekar:
> Just because mailman works like this doesn’t mean we need to be ok with 
> it. I am certainly not ok with emails containing passwords in plaintext. 
> In 2025, there has to be a better secure way.
>
>
>
> On Mon, Dec 8, 2025 at 12:15 AM Christoph Läubrich via eclipse.org- 
> architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx 
> <mailto:eclipse.org-architecture-council@xxxxxxxxxxx>> wrote:
>
>     Maybe it is unusual, I think this is how mailman (they software behind
>     the mailing lists) work see this documentation here:
>
>     https://www.gnu.org/software/mailman/mailman-member/node15.html
>     <https://www.gnu.org/software/mailman/mailman-member/node15.html>
>
>       > Warning: Do NOT use a valuable password for Mailman, since it
>     can be
>     sent in plain text to you.
>
>     On the other hand one can not do much with this password and if someone
>     can read your emails you probably have a much bigger problem than
>     someone changing some of your mailman settings.
>
>     Apart from that mailing list feel like some ancient thing from the past
>     anyways, in platfrom/tycho/m2e/... we have mostly migrated to github
>     discussions that much better serve our needs (e.g. searching, no extra
>     accounts required, option to unsubscribe from topics,...) and only uses
>     it for the "official" parts (e.g. announcing of releases).
>
>     Am 08.12.25 um 01:53 schrieb Sohn, Matthias via
>     eclipse.org-architecture-council:
>      > I also received such an email from technology-pmc-
>     request@xxxxxxxxxxx <mailto:technology-pmc-request@xxxxxxxxxxx>
>      > stating that emails from the technology-pmc list to my gmail account
>      > bounced. This email includes a password in plain text. The
>     mailing list
>      > membership page mentioned in the email
>      > https://www.eclipse.org/mailman/options/technology-pmc/ <https://
>     www.eclipse.org/mailman/options/technology-pmc/> <https://
>      > www.eclipse.org/mailman/options/technology-pmc/ <http://
>     www.eclipse.org/mailman/options/technology-pmc/>
>      > matthias.sohn%40gmail.com <http://40gmail.com>><my email address
>     url encoded>
>      > responds "404 Not found".
>      >
>      > cc-ing Mikael leading the Eclipse foundation's security team.
>      >
>      > *From: *eclipse.org-architecture-council <eclipse.org-architecture-
>      > council-bounces@xxxxxxxxxxx <mailto:council-bounces@xxxxxxxxxxx>>
>     on behalf of Nikhil Nanivadekar via
>      > eclipse.org-architecture-council <eclipse.org-architecture-
>      > council@xxxxxxxxxxx <mailto:council@xxxxxxxxxxx>>
>      > *Date: *Sunday, 7. December 2025 at 16:10
>      > *To: *technology-pmc-owner@xxxxxxxxxxx <mailto:technology-pmc-
>     owner@xxxxxxxxxxx> <technology-pmc-owner@xxxxxxxxxxx
>     <mailto:technology-pmc-owner@xxxxxxxxxxx>>
>      > *Cc: *Nikhil Nanivadekar <nikhilnanivadekar@xxxxxxxxx
>     <mailto:nikhilnanivadekar@xxxxxxxxx>>, eclipse.org-
>      > architecture-council <eclipse.org-architecture-
>     council@xxxxxxxxxxx <mailto:eclipse.org-architecture-
>     council@xxxxxxxxxxx>>
>      > *Subject: *[eclipse.org-architecture-council] Auto-generated emails
>      > containing secure information received
>      >
>      > Hi Technology PMC owners, EMO,
>      >
>      > I received an email to confirm my subscription to Technology PMC
>      > distribution list. This email is highly insecure because it
>     contains my
>      > password in plain text.
>      >
>      > Can you please prioritize fixing the emails sent such that they
>     don’t
>      > contain passwords in plain text?
>      >
>      > Honestly, I was a bit shocked and I am worried about the security
>     and
>      > privacy controls to keep our account safe.
>      >
>      > Architecture council, EMO,
>      >
>      > What is the mechanism to request a verification that such
>     incidents are
>      > handled promptly and systematic fixes are applied?
>      >
>      > Thanks,
>      > Nikhil.
>      >
>      >
>      >
>      > _______________________________________________
>      > eclipse.org-architecture-council mailing list
>      > eclipse.org-architecture-council@xxxxxxxxxxx <mailto:eclipse.org-
>     architecture-council@xxxxxxxxxxx>
>      > To unsubscribe from this list, visit https://www.eclipse.org/
>     mailman/listinfo/eclipse.org-architecture-council <https://
>     www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council>
>
>     _______________________________________________
>     eclipse.org-architecture-council mailing list
>     eclipse.org-architecture-council@xxxxxxxxxxx <mailto:eclipse.org-
>     architecture-council@xxxxxxxxxxx>
>     To unsubscribe from this list, visit https://www.eclipse.org/
>     mailman/listinfo/eclipse.org-architecture-council <https://
>     www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council>