Merge lp:~jimpop/mailman/security-logging into lp:mailman/2.1

Here's a patch that logs security related events (failed logins, etc).

There are a couple of issues.

First, there is currently a log entry in mischief for an options page login failure, but only with private rosters. If we are going to be logging auth failures in a new security log, the options failure should be logged there too and unconditionally.

Second, the Changes to the owner notifications to add

text = "%s\nReason: %s" % (text, whence)

to the owner notifications for subscribe and unsubscribe are problematic. whence is not a 'Reason' and there is no i18n for 'Reason'

It would be better to just add whence as an additional replacement in the templates.

Finally, I don't see the need for this in the owner notices at all. This info is already in the subscribe log which I think is a better place for it.

Thanks Mark,

The auth failure is now always logged to security in options.py, and the mischief log entry remains as was (logging only if private roster).

The only reason I put the whence in the owner notification emails is so that it is crystal clear to all the admins and moderators why a subscriber was added or removed, i.e. "bin/remove_member", "email confirmation", "web confirmation". It keeps a large mod team informed, as well as saving mods from having to ask "why was this person removed?". etc. I like the idea of integrating it in the templates, so I've removed it from this merge and I'll do a new merge request for that piece (and you can decide on that at that time).

I added a NEWS item and fixed a few small issues.

Thanks for the contribution.

On 6/10/18 4:02 PM, Jim Popovitch wrote:
>
> The only reason I put the whence in the owner notification emails is so that it is crystal clear to all the admins and moderators why a subscriber was added or removed, i.e. "bin/remove_member", "email confirmation", "web confirmation". It keeps a large mod team informed, as well as saving mods from having to ask "why was this person removed?". etc. I like the idea of integrating it in the templates, so I've removed it from this merge and I'll do a new merge request for that piece (and you can decide on that at that time).

I was confused. I forgot that whence was those things in these cases. I
was focused on its being an IP address. No that I realize what it is, I
think it's fine to add it to the notice, but making it a replacement for
the templates is the way to go.

--
Mark Sapiro <email address hidden> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

I've gone ahead and created the new branch for the whence templates. The chief problem for me at this point is making sure that the placement of $(whence) is grammatically correct in each template.

https://code.launchpad.net/~jimpop/mailman/owner-notification-whence

On 6/11/18 5:23 PM, Jim Popovitch wrote:
> I've gone ahead and created the new branch for the whence templates. The chief problem for me at this point is making sure that the placement of $(whence) is grammatically correct in each template.
>
> https://code.launchpad.net/~jimpop/mailman/owner-notification-whence

I understand the issue, and I wouldn't worry about it.

I'd say only do the 'en' templates and I'll post to mailman-i18n that
templates need to be updated to take advantage of this. There's no
problem if the template doesn't have %(whence)s in it.

My concerns are:

the 'en' adminsubscribeack.txt template adds a %(method)s replacement
and that doesn't seem to be provided.

There is no 'en' (or other) adminunsubscribeack.txt template.

--
Mark Sapiro <email address hidden> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

Thanks for pointing that out. I've re-pushed a complete new branch
with just the changes for the 2 "en" templates and MailList.py.

I left the branch as "Development" status (as opposed to Mature) for
now, and sent you a merge request.

Thanks!!

-Jim P.