Hello TEITechnicalCouncil,
We wanted to let you know that your GitHub password was changed.
If you did not perform this action, you can recover access by entering tei-council@lists.tei-c.org into the form at https://github.com/password_reset.
To see this and other security events for your account, visit https://github.com/settings/security.
If you run into problems, please contact support by visiting https://github.com/contact or replying to this email.
And what has it changed to? My personal (lb42) password doesn't seem to have changed.
On 21/08/15 13:41, GitHub wrote:
Hello TEITechnicalCouncil,
We wanted to let you know that your GitHub password was changed.
If you did not perform this action, you can recover access by entering tei-council@lists.tei-c.org into the form at https://github.com/password_reset.
To see this and other security events for your account, visit https://github.com/settings/security.
If you run into problems, please contact support by visiting https://github.com/contact or replying to this email.
Methinks this is kinda insecure with the GitHub account posting to a public mailing list. Anyone could request a password reset, grab the link from the public archive and log us out — or am I missing something?!
On second thought, I think it’s better to have everyone subscribed to notifications individually rather than spamming the list. IMHO, the problem with e.g. Stuart’s pull request is not an issue of noticing it, but of proper knowledge and protocol, as Martin already pointed out.
Best
Peter
On 21.08.2015 at 20:17, Lou Burnard wrote:
And what has it changed to? My personal (lb42) password doesn't seem to have changed.
-- tei-council mailing list tei-council@lists.tei-c.org http://lists.lists.tei-c.org/mailman/listinfo/tei-council
PLEASE NOTE: postings to this list are publicly archived
On 23/08/15 21:13, Peter Stadler wrote:
Methinks this is kinda insecure with the GitHub account posting to a public mailing list. Anyone could request a password reset, grab the link from the public archive and log us out — or am I missing something?!
I believe you are missing something. The 'primary email' of the account is still set to one of mine. It is merely the council list which is set as a notification email for repositories belonging to the TEIC github organisation. However, to add that email it had to send a verification email, and then I only changed the primary email afterwards. It is worth a test though... feel free to try to request the password be changed as we'll see if it comes through on the list or to my private email. (And obviously, since I've given out the password to a couple other council members they could go in and change its primary email if I ever don't want to be involved any more.)
On second thought, I think it’s better to have everyone subscribed to notifications individually rather than spamming the list. IMHO, the problem with e.g. Stuart’s pull request is not an issue of noticing it, but of proper knowledge and protocol, as Martin already pointed out.
I think the latter is true certainly. I still think it is worth experimenting with and seeing if this does cause problems. (Personally my tei-council emails and my github emails go to completely different accounts and folders....I'd just choose to read them here rather than there probably.)
-James
-- Dr James Cummings, James.Cummings@it.ox.ac.uk Academic IT Services, University of Oxford
Hmm, you probably noticed that I just tried to reset the password. And the link can be found at http://lists.tei-c.org/pipermail/tei-council/2015/021486.html (But I haven’t tried changing it.) Cheers Peter
On 24.08.2015 at 00:36, James Cummings wrote:
On 23/08/15 21:13, Peter Stadler wrote:
Methinks this is kinda insecure with the GitHub account posting to a public mailing list. Anyone could request a password reset, grab the link from the public archive and log us out — or am I missing something?!
I believe you are missing something. The 'primary email' of the account is still set to one of mine. It is merely the council list which is set as a notification email for repositories belonging to the TEIC github organisation. However, to add that email it had to send a verification email, and then I only changed the primary email afterwards. It is worth a test though... feel free to try to request the password be changed as we'll see if it comes through on the list or to my private email. (And obviously, since I've given out the password to a couple other council members they could go in and change its primary email if I ever don't want to be involved any more.)
On second thought, I think it’s better to have everyone subscribed to notifications individually rather than spamming the list. IMHO, the problem with e.g. Stuart’s pull request is not an issue of noticing it, but of proper knowledge and protocol, as Martin already pointed out.
I think the latter is true certainly. I still think it is worth experimenting with and seeing if this does cause problems. (Personally my tei-council emails and my github emails go to completely different accounts and folders....I'd just choose to read them here rather than there probably.)
-James
Bugger. That seems to be precisely opposite to what github claims:
"Your primary GitHub email address will be used for account-related notifications (e.g. account changes and billing receipts) as well as any web-based GitHub operations (e.g. edits and merges)."
And currently james+teitechnicalcouncil at my google apps domains is what is set as the primary. I'd only set the tei-council list as the email for notifications.
Currently it seems to send it to *both* email addresses on the list, not just the primary one.
That is annoying.
As you will have seen by now I've reset the password thus invalidating the token.
-James
On 24/08/15 17:11, Peter Stadler wrote:
Hmm, you probably noticed that I just tried to reset the password. And the link can be found at http://lists.tei-c.org/pipermail/tei-council/2015/021486.html (But I haven’t tried changing it.)
Cheers Peter
-- Dr James Cummings, James.Cummings@it.ox.ac.uk Academic IT Services, University of Oxford
I bet if you use the email address to sign in and then ask for a reset, the password change email will go there no matter what. So Peter is right. It’s a security hole the way it’s set up. Not sure there’s a good way around this that doesn’t involve complex email forwarding schemes...
On Aug 24, 2015, at 13:18, James Cummings wrote:
Bugger. That seems to be precisely opposite to what github claims:
"Your primary GitHub email address will be used for account-related notifications (e.g. account changes and billing receipts) as well as any web-based GitHub operations (e.g. edits and merges)."
And currently james+teitechnicalcouncil at my google apps domains is what is set as the primary. I'd only set the tei-council list as the email for notifications.
Currently it seems to send it to *both* email addresses on the list, not just the primary one.
That is annoying.
As you will have seen by now I've reset the password thus invalidating the token.
-James
Temporarily enabled two-factor authentication...just in case.
The other option is, as you suggest, we forward it to an account which then forwards onto tei-council automatically but not things like password change requests, etc. I could do that with the gmail account it is going to at the moment... but maybe Peter is right and we should just get rid of it. Seemed like an easy solution but if it is going to cause more hassle than nought....
Maybe I should delete the account then?
-James
On 24/08/15 18:44, Hugh Cayless wrote:
I bet if you use the email address to sign in and then ask for a reset, the password change email will go there no matter what. So Peter is right. It’s a security hole the way it’s set up. Not sure there’s a good way around this that doesn’t involve complex email forwarding schemes...
-- Dr James Cummings, James.Cummings@it.ox.ac.uk Academic IT Services, University of Oxford
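The forwarding idea raised in the last message (relay repository notifications to the list, hold back password-change mail) sketched as an added example; it is not code from the thread or anyone's actual setup. The sender address `notifications@github.com`, the `X-GitHub-Reason` header, `owner@example.org` and all three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

LIST_ADDR = "tei-council@lists.tei-c.org"  # public, archived list (from the thread)
OWNER_ADDR = "owner@example.org"           # placeholder for the private primary address
# Assumption: repository notifications use this sender and carry this header.
NOTIFY_SENDER = "notifications@github.com"
REASON_HEADER = "X-GitHub-Reason"
# Phrases and paths taken from the account mail quoted in the thread.
SENSITIVE = re.compile(
    r"password_reset|settings/security|password was changed|recover access", re.I)

def text_of(msg):
    """Subject plus every text part, so a link cannot hide in an alternative part."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)

def route(raw):
    """Return where a relayed message may go; anything unrecognised stays private."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != NOTIFY_SENDER or not msg.get(REASON_HEADER):
        return OWNER_ADDR                  # not recognisably a repository notification
    if SENSITIVE.search(text_of(msg)):
        return OWNER_ADDR                  # reads like account-security mail
    return LIST_ADDR

# Constructed sample messages (headers are illustrative, not captured mail).
ACCOUNT_MAIL = (
    "From: GitHub <noreply@github.com>\n"
    "Subject: Your password was changed\n\n"
    "We wanted to let you know that your GitHub password was changed.\n")
PR_MAIL = (
    "From: Example User <notifications@github.com>\n"
    "Subject: [example-org/example-repo] Example pull request\n"
    "X-GitHub-Reason: subscribed\n\n"
    "Example User opened a pull request.\n")
RESET_IN_NOTIFICATION = (
    "From: Example User <notifications@github.com>\n"
    "Subject: [example-org/example-repo] Comment\n"
    "X-GitHub-Reason: subscribed\n\n"
    "See https://github.com/password_reset for details.\n")
```

The filter is deny-by-default containment, not sender authentication, since `From` headers can be forged. It only helps if the relay mailbox, not the list address, is what is registered on the GitHub account.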
participants (5): GitHub, Hugh Cayless, James Cummings, Lou Burnard, Peter Stadler