I want to make you aware of a potential privacy problem in Mailman's Hyperkitty. Under the upcoming EU General Data Protection Regulation (GDPR), which will be in force as of 2018-05-25, it is illegal to transmit data to third parties without a right to do so. Without going into the details, the inclusion of third-party services into one's website is usually deemed such a transmission, and unless one has the explicit consent of the user (e.g., by an optional (!), unticked tick box) this is normally illegal (if one targets EU users).
The GDPR does not affect private and family use (Art. 2(2)(c) GDPR), but the exact reach of that clause is yet to be determined; it certainly does not exclude company use of Mailman.
I've found it's possible to disable the social login providers quite easily (we had this discussion here on the mailing list recently), but I don't see an option to disable Gravatar. If there is one, please enlighten me, but anyway I want to propose this as a feature request against Hyperkitty. A GDPR-compliant implementation of Gravatar in Mailman would look like this:
I'm not saying Gravatar tracks people and sells the information gathered, though I have doubts about how Automattic makes money with the service. I'm just outlining the legal duties under the upcoming GDPR for service owners, which are independent of how Automattic processes the data in this specific case.
Please don't dismiss this as some side feature that isn't needed. The fines that can be imposed on service owners for violating the GDPR are very high (up to 20,000,000 € [that's 20 million euros, really]).
-- Blog: https://www.guelkerdev.de PGP/GPG ID: F1D8799FBCC8BC4F