Re: [eclipse.org-architecture-council] Auto-generated emails containing secure information received

Thanks a million Mikael! I really appreciate the push to raise the security bar.

Regards,
Nikhil. 

On Fri, Apr 10, 2026 at 12:27 PM Mikael Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Dear all,

Following up on this thread and the concerns raised by Nikhil and Matthias.

First, I want to acknowledge that Nikhil was right to flag this. Regardless of the practical exploitability, sending passwords in plain text in emails is not aligned with the security posture we want to maintain at the Eclipse Foundation. We should have addressed this sooner, and I appreciate the push to do so.

I'm happy to report that this is now resolved. Specifically:

- All Mailman passwords stored in the database have been rotated. They are now long useless random strings.
- Subscription acknowledgement emails will no longer include passwords.
- Password reminder emails will no longer send passwords either.

These changes are effective immediately across all Eclipse Foundation mailing lists.

As a reminder, these Mailman passwords were always auto-generated, per-list credentials, entirely separate from Eclipse.org account passwords. And as Matt and Christoph pointed out, virtually all Mailman features that could have used them had already been disabled. That said, the principle stands: credentials should not travel in plain text, full stop.

Nikhil, thank you for raising this. This is the kind of vigilance that makes our community stronger.

Kind regards,

Mikaël Barbero 
Head of Security | Eclipse Foundation
Eclipse Foundation: The Community for Open Collaboration and Innovation



On 8 Dec 2025 at 16:49:44, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
> I am surprised that this is acceptable from a security standpoint. I
> wish I had known about this bug which the foundation has accepted as a
> feature. To be clear, it is /not/ a random password rather a password
> with which you /can/ take an action

It might be sent to you under some circumstances, but apart from that you
can do absolutely NOTHING with it, as all functions are DISABLED (or I
haven't found a way how):

- list settings: HTTP 404
- list help: mail address unknown
- subscribe/unsubscribe: only possible through Eclipse website with
completely different login.

> Correct me if I am wrong

If you think anything can be done with the password, you should probably
give a hint (maybe by direct mail) about what exact function you are
concerned about. I would not even mind sharing one of my mailing list
passwords with someone who wants to show that anything "malicious" can
actually be done with it... I'm open to experiments!


On 08.12.25 at 15:48, Nikhil Nanivadekar via
eclipse.org-architecture-council wrote:
/Explicitly adding Wayne and Mike for awareness./

I am surprised that this is acceptable from a security standpoint. I
wish I had known about this bug which the foundation has accepted as a
feature. To be clear, it is /not/ a random password rather a password
with which you /can/ take an action, even if it is just to subscribe or
unsubscribe from a mailing list. This has reduced my trust to 0 in the
security practices of the foundation.

Correct me if I am wrong, my understanding is that there will be no
effort to do anything about it. If that is the case, I’ll cascade it to
the Amazon representatives to ensure they are aware of it because Amazon
is a member company and it’s my responsibility to surface security
violations.

Thanks,
Nikhil.


On Mon, Dec 8, 2025 at 8:33 AM Eclipse Infrastructure
<infrastructure@xxxxxxxxxxxxxxxxxxxxxx> wrote:

    As Christoph already pointed out, this is a known (22+ years) behavior
    in the software that runs our mailing lists.

    To be clear, the password sent is not your Eclipse.org account
    password (Mailman has no access to that), but rather a per-list
    auto-generated one that could be used in the past to access some
    Mailman features. Most of those features were disabled/blocked years
    ago to prevent them from being used as a source of potential abuse.

    We have no plans to modify the Mailman codebase to 'correct' this
    since you can't really do anything with this password, making the
    risk very low.

    -Matt.

    On Sun, Dec 7, 2025 at 10:10 AM Nikhil Nanivadekar
    <nikhilnanivadekar@xxxxxxxxx> wrote:

        Hi Technology PMC owners, EMO,

        I received an email to confirm my subscription to Technology PMC
        distribution list. This email is highly insecure because it
        contains my password in plain text.

        Can you please prioritize fixing the emails sent such that they
        don’t contain passwords in plain text?

        Honestly, I was a bit shocked and I am worried about the
        security and privacy controls to keep our account safe.

        Architecture council, EMO,

        What is the mechanism to request a verification that such
        incidents are handled promptly and systematic fixes are applied?

        Thanks,
        Nikhil.


