Re: [eclipse.org-architecture-council] Auto-generated emails containing secure information received
Explicitly adding Wayne and Mike for awareness.
I am surprised that this is acceptable from a security standpoint. I wish I had known about this bug, which the foundation has accepted as a feature. To be clear, it is not a random password but rather a password with which you can take an action, even if it is just to subscribe or unsubscribe from a mailing list. This has reduced my trust to 0 in the security practices of the foundation.
Correct me if I am wrong, but my understanding is that there will be no effort to do anything about it. If that is the case, I'll cascade it to the Amazon representatives to ensure they are aware of it, because Amazon is a member company and it's my responsibility to surface security violations.
Thanks,
Nikhil.
As Christoph already pointed out, this is a known (22+ years) behavior in the software that runs our mailing lists.
To be clear, the password sent is not your Eclipse.org account password (Mailman has no access to that), but rather a per-list auto-generated one that could be used in the past to access some Mailman features. Most of those features were disabled/blocked years ago to prevent them from being used as a source of potential abuse.
We have no plans to modify the Mailman codebase to 'correct' this, since you can't really do anything with this password, making the risk very low.
-Matt.
Hi Technology PMC owners, EMO,
I received an email to confirm my subscription to Technology PMC distribution list. This email is highly insecure because it contains my password in plain text.
Can you please prioritize fixing the emails sent such that they don’t contain passwords in plain text?
Honestly, I was a bit shocked and I am worried about the security and privacy controls to keep our account safe.
Architecture council, EMO,
What is the mechanism to request a verification that such incidents are handled promptly and systematic fixes are applied?
Thanks,
Nikhil.