[ARIN-consult] Consultation on Prohibiting Attachments on ARIN Mailing Lists

Wed Apr 25 04:08:00 EDT 2018

On Tue, Apr 24, 2018 at 08:21:36AM -0400, ARIN wrote:
> * Question:?? Should attachments be prohibited on ARIN public
> mailing lists?
> 
> * Question:?? If yes, should this include all ARIN public mailing
> lists, or only select lists?

No and yes. ;)

Having wrestled with this question many times on many technical and
non-technical mailing lists, I have a recommendation.

First, to answer the second question, use the same policy across all
mailing lists.  Doing otherwise will cause user confusion and complicate
maintenance of the Mailman configuration.

Second, to return to the first question, I recommend allowing
(a) only open-format attachments and (b) only those which are
likely to facilitate communication between list members.

(a) rules out proprietary formats like Word, which are a problem
in any event because so many mail systems treat them as possible
malware vehicles (which they are) on both a technical and administrative
level.  I've observed situations where operation A will allow its
users to emit mail traffic with proprietary attachments, but will
reject/quarantine those very mail messages when they're relayed back
to the same users at operation A via a mailing list.

And of course proprietary formats have all sorts of other issues,
including lack of backward compatibility -- which is not just an
issue for archives.

(b) rules attachments in/out based on what makes the list work.  It might
include pdf, djvu, ps for documents and pl, py, sh for scripts, for
example.  It's entirely a judgment call based on what the list-owner
and list members think is necessary/desirable.  Mailman makes it
easy to configure this via pass_mime_types and pass_filename_extensions
but it's probably worth noting that it believes what it sees.

I think allowing attachments is preferred over directing list members
to third-party sites because (1) it makes the list and its archives
self-contained (2) it avoids the myriad problems with third-party
sites (3) which include the possibly-unpleasant consequences of
repurposed/redirected/defunct third-party sites and (4) it avoids
making list members do a lot of extra work when all they want to
do is share a 30-line Python script that accomplishes some simple task.

I also think it's the responsibility of anyone participating in any
public mailing list to equip themselves with a mail service, a mail
client, and an operating system suitable for participation.  In other
words, people who choose to run junk software on junk operating systems
should not be shielded from the consequences of those choices to the
detriment of others who have chosen more wisely.

---rsk