support configuration files that do not have secrets in them (e.g. `webservice.admin_pass`)
Currently `mailman.cfg` has an `admin_pass` variable (and maybe others?) that are high-value, sensitive secrets. This means that permissions on `mailman.cfg` need to be tightly controlled, and that backups of `mailman.cfg` need to be kept secret if the authorization is to be defended against illicit use.
A better pattern would be for sensitive variables to read from a separate file (which could be protected), or to have alternate configuration variables that take this approach.
So, in the current config we have:

```ini
[webservice]
admin_pass: nGcl60Nu6tY3qwBS3E3QWauNp6VqjDbwkaUnVeeH
```
but instead, perhaps we could have:

```ini
[webservice]
admin_pass: file:/var/lib/mailman3/webservice/adminpass
```

(this would mean that if `admin_pass` started with the prefix `file:` it would read the first line from the indicated file and use it as its value).
Or, if you don't like the idea of changing the semantics of `admin_pass` itself, you could introduce an alternate configuration variable:

```ini
[webservice]
admin_pass_file: /var/lib/mailman3/webservice/adminpass
```

and expect the administrator to have either `webservice.admin_pass` or `webservice.admin_pass_file` specified.
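As an added illustration (not Mailman's own code, which has its own configuration layer), here is a resolver implementing both spellings proposed above, with the permissions check an administrator would want on the secret file. The names `resolve_admin_pass`, `read_first_line` and the `file:` handling are assumptions about how this could be done, and the sample secret file is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from configparser import ConfigParser

FILE_PREFIX = "file:"  # assumed spelling of the proposed prefix


class ConfigError(ValueError):
    """Raised when the secret configuration is ambiguous or unusable."""


def read_first_line(path):
    """Return the first line of *path* without its trailing newline.
    Refuse files readable by group/others: the point of the indirection
    is to keep the secret out of anything world-readable.
    """
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ConfigError(f"{path} is readable by group/others; use mode 0600")
    with open(path, encoding="utf-8") as fp:
        return fp.readline().rstrip("\r\n")


def resolve_admin_pass(section, read=read_first_line):
    """Return the effective secret for a [webservice] section (any mapping).
    Exactly one of admin_pass / admin_pass_file must be set.  An admin_pass
    value starting with 'file:' is read from the named path (first line).
    """
    inline = section.get("admin_pass")
    path = section.get("admin_pass_file")
    if (inline is None) == (path is None):
        raise ConfigError("set exactly one of admin_pass or admin_pass_file")
    if path is not None:
        return read(path)
    if inline.startswith(FILE_PREFIX):
        return read(inline[len(FILE_PREFIX):])
    return inline


def demo():
    """Create a 0600 secret file (constructed) and resolve both spellings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "adminpass")
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "w") as fp:
            fp.write("s3cret-from-file\n")
        results = []
        for text in (f"admin_pass: file:{path}", f"admin_pass_file: {path}"):
            cfg = ConfigParser()
            cfg.read_string(f"[webservice]\n{text}\n")
            results.append(resolve_admin_pass(cfg["webservice"]))
    return tuple(results)
```

Running `demo()` yields the same secret through both spellings, while a file left group- or world-readable is rejected instead of silently used.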