#5030 fedmsg for private mailman3 lists
Closed: Fixed None Opened 6 years ago by ralph.

Some metadata (but not the message bodies) of emails to private mailman3 lists gets leaked to the public due to the fedmsg plugin:

What, if anything, should we do about this?

  • We could leave it as-is; since the message bodies aren't being published, it is to some degree still private.
  • We could patch the fedmsg plugin to somehow(tm) check if the list is private, and decide not to send the message.
  • Other ideas?

In an ideal world here we could query mailman and find out if the list was private (or have a cached list of those lists) and also who was subscribed, and only send fedmsgs to people who are subscribed.

But that seems pretty complex/slow.

Perhaps first we should ask abompard what we could query? We can't reach the REST api, it's only localhost on mailman01 I think.

This came up again in ticket 5258.

So, is there a way to tell if a list is private? Or can we just at least have a config list of them that we update from time to time?

As mentioned in #5258, we actually do have a config list of them that we can update from time to time. There's a patch for it in #5258. The list is kept here: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/mailman/files/fedmsg-plugin-conf.py

And there's a comment in the code here that explains it some: https://github.com/fedora-infra/mailman3-fedmsg-plugin/blob/develop/mailman3_fedmsg_plugin.py#L31-L36

Adding a list name to that excluded_lists value would result in publishing no fedmsg messages for activity on those lists which is close to what we want (even if we still have to maintain that list).

Oh, my mistake. I misread that as the fedmsg IRC plugin for some reason. Oops.

Yeah, I can add that list and look at adding some others... will look at filing a freeze break.

OK, sent in freeze break. I added several other lists.

There's likely no way to tell what lists are needed to be added, so I think we should just add them as requested.

Thanks all for looking into this :)

Pushed live. ;)

Thanks for the initial patch decause!

If anyone sees any other lists we should add, please open a new ticket for them...
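The deny-list gate discussed in this ticket (an `excluded_lists` setting that suppresses all publishing for the named lists), as an added example that is not the mailman3-fedmsg-plugin code. The function names, config shape, topic string and sample messages are constructed for illustration; it assumes list names contain no dots and chooses to fail closed when a message has no `List-Id` header.

```python
import re
from email import message_from_string

# Assumed config shape; only the excluded_lists key name comes from the ticket.
CONFIG = {"excluded_lists": ["security-private", "board-private@lists.example.org"]}

def list_name(value):
    """Reduce 'Desc <name.host>', 'name@host' or 'name' to the bare list name.
    Assumes list names themselves contain no dots."""
    m = re.search(r"<([^>]+)>", value)
    ident = (m.group(1) if m else value).strip().lower()
    sep = "@" if "@" in ident else "."
    return ident.split(sep, 1)[0]

def should_publish(msg, config):
    """Fail closed: no List-Id header, or a list on the deny list, means no publish."""
    list_id = msg.get("List-Id")
    if not list_id:
        return False
    excluded = {list_name(e) for e in config.get("excluded_lists", [])}
    return list_name(list_id) not in excluded

def publish(msg, config, send):
    """Hand metadata (never the body) to send(); return True if it was sent."""
    if not should_publish(msg, config):
        return False
    send("example.mailman.receive", {  # hypothetical topic name
        "list": list_name(msg["List-Id"]),
        "subject": msg.get("Subject", ""),
        "from": msg.get("From", ""),
    })
    return True

def sample(list_id, subject):
    """Build a constructed test message; list_id=None omits the header."""
    hdr = f"List-Id: {list_id}\n" if list_id else ""
    return message_from_string(f"From: a@example.org\n{hdr}Subject: {subject}\n\nbody\n")

if __name__ == "__main__":
    sent = []
    for m in (sample("Sec <security-private.lists.example.org>", "embargoed bug"),
              sample("Devel <devel.lists.example.org>", "new release"),
              sample(None, "no list header")):
        publish(m, CONFIG, lambda topic, body: sent.append(body))
    print(sent)
```

Because the gate runs before the metadata dictionary is built, an excluded list's subject and sender never reach the bus, which is the leak the ticket describes.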
