Staff-Projects/Mailman-EOL

From OWASP
Jump to: navigation, search

Overview

Since very early in OWASP's history, Mailman has been used to facilitate communication between various members of the community. While Mailman has served the community well for years, the decision has been made to migrate from a self-hosted Mailman installation to Google Groups. The migration will allow the community to continue to have an email address to reach a particular segments of the community just like Mailman provides but without the administrative burden of running a server for Mailman. The reasons for this migration were stated at length on the leaders list here but are summarized below in no particular order:

  • Mailman is old software and doesn't follow current security best practices.
    • It sends passwords in the clear which has been repeatedly pointed out by the community for quite some time as noted here.
    • It has a single shared password for overall site administration for the staff to use to oversee the installation
    • If a mail list has 2+ list owners, they must share a password for managing the list
  • Mailman has an extremely dated UI/web interface. This makes OWASP appear out of date/out of touch to new, potential community members
  • Since the Foundation has a very small staff, administering a server takes away staff time from focusing on OWASP's mission / core purpose.
  • The Anti-SPAM gateway service from Barracuda, which was previously donated, is ending on March 24th, 2019.
  • Due to the current climate of increased privacy and the existence of the GDPR, the migration will allow the membership in our lists to be reviewed/audited by the current user base (aka opt-in).
  • Mailman does not get the use it formerly had ~80% of the lists are inactive/dormant/abandoned - some numbers:
    • 875 - total lists prior to initial review/clean-up
    • 181 - lists of the 875 which had at least 1 email to them in the last calendar year
    • 693 - lists with no email posts in over 1 year

In 2017, the current community manager (Tiffany Long) suggested a migration from Mailman to Discourse. This was the original direction of efforts until it was reconsidered at the 2019 Staff Summit, a face to face meeting to plan out 2019. Instead, Mailman will be migrated to Google Groups. The following reasons were crucial in the choice of Google Groups

  • Functionally equivalent to Mailman as a 'mail list'
  • Already part of the G-Suite donation from Google
  • Can be run for $0 cost and with 0 administration of the underlying infrastructure
  • Includes Anti-SPAM filtering that is already part of our G-Suite email infrastructure
  • Inbound and outbound email handled by Google email infrastructure - no need to run a MTA (mail server)
  • Mobile-friendly, modern UI and significantly better TLS configuration for web interactions
  • Has robust admin and permissions available via G-Suite Admin tool

Project Links

Goals

Overall Goal: Migration of any active list from lists.owasp.org to Google Groups by March 24, 2019.

Details:

  • Active is defined as a list which as received at least 1 non-SPAM email in the last 12 months as of 2019-01-29 when initial activity reporting was run
    • Mail lists for inactive projects and chapters will not be migrated
    • Archives on lists.owasp.org will be migrated to a static host under the same URL scheme as before
  • High-level Workflow
    • Announce plan
    • Email notifications of cut-over date
      • Instruct list members to join the new list but continue to post to lists until 2019-03-22
      • 3 notifications will go out to all lists
    • Setup new Google Groups for migrating lists, ordered by most recent post as of this spreadsheet
    • If requested, any list can be migrated prior to the cut-over date by completing this form.
    • Hard cut-over to Google Groups on 2019-03-22
    • 2019-03-24 - Service from Barracuda is disabled & inbound email to lists.owasp.org will fail.

Milestones

  • 2019-01-29 - [Matt] Review the inventory of lists to determine which are inactive - DONE (total lists = 875)
  • 2019-02-12 - [Matt] Use the data above to retire any inactive list - DONE (total lists = 181, 693 inactive lists removed)
  • 2019-02-26 - [Matt] Complete Staff Project Plan - DONE
  • 2019-02-26 - [Matt] Socialize this plan on the leaders list - DONE
  • 2019-02-28 - [Matt] Review remaining list for any that can be retired due to ownership (e.g. owned by staff and unused) or mail in the last calendar year is SPAM - DONE (total lists = 139)
  • 2019-03-01 - [Matt] Send email to all list owners about his plan and an overview of the migration effort - DONE
  • 2019-03-06 - [Matt, Harold, Dawn] Review remaining lists and remove any projects or chapters which are inactive. A new Google Group can be created for chapters/projects that become active again - DONE
  • 2019-03-08 - [Matt] Create Google Groups for all remaining mail lists - DONE
  • 2019-03-08 - [Matt] Send out a reminder to all remaining lists about the transition - DONE
  • 2019-03-15 - [Matt] Send out 2nd reminder to all remaining lists about the transition - DONE
  • 2019-03-19 - [Matt] Send out an additional reminder to all remaining lists about the transition - DONE
  • 2019-03-22 - [Matt] Final notification email sent to all remaining lists - DONE
  • 2019-03-22 - [Matt] Cut over to Google Groups - inbound email to lists.owasp.org set to bounce - DONE
  • 2019-03-24 - [Matt] Turn off Mailman on lists.owasp.org - inbound email to lists.owasp.org will fail - DONE
  • 2019-03-25 - [Matt] Post migration email via MailChimp "inviting to join other lists" and capture non-opt-in - DONE
  • 2019-03-27 - [Matt] Migrate static archives from lists.owasp.org to a new host - DONE
  • 2019-03-27 - [Matt] Remove lists.owasp.org MX records in DNS and update the wiki main menu to point at Google Groups instead of lists.owasp.org - DONE
  • 2019-03-29 - [Matt] Retire lists.owasp.org server at Rackspace - DONE
  • 2019-04-01 - [Harold] Close discourse.owasp.org account - exact date TBD

Communications

The following lists communications where the retirement of Mailman was discussed publicly

Leadership

  • This is a Foundation staff run initiative including
    • Matt Tesauro - primary point of contact
    • Harold Blankenship - staff representation for project mail lists
    • Dawn Aitken - staff representation for chapter mail lists

FAQ

(Q1) My list is no longer showing on mailman and/or emails to it are bouncing back with something like:

reason: 550 permanent failure for one or more recipients (OLD_LIST_NAME@lists.owasp.org:550 5.1.1 <OLD_LIST_NAME@lists.owasp.org>... User unknown

(A1) You list didn't have any email traffic for over 1 calendar year and was archived. If you fill out the form to request early migration to Google Groups, we can re-create that list in Google Groups for you.

(Q2) How do my existing Mailman user join the new Google Group? Do they need to have an Google or @owasp.org account?

(A2) There's several ways to join one of the new Google Groups - they are documented fully here. And you don't have to have a Google account to join our Google Groups.

Other translations of instructions on joining a Google Group at OWASP

(Q3) Do I need to have a Google account, an @owasp.org email or provide my phone number/mobile number to participate in Google Groups at OWASP?

(A3) No, all you need is an email address and you can participate in any of the OWASP Foundation Google Groups. For specifics on how to join a Google Group without a Google or @owasp.org email address, see part 2 of this document - also available in Japanese.