[Python-Dev] PEP: Migrating the Python CVS to Subversion
Barry Warsaw barry at python.org
Fri Jul 29 23:54:15 CEST 2005
- Previous message: [Python-Dev] PEP: Migrating the Python CVS to Subversion
- Next message: [Python-Dev] PEP: Migrating the Python CVS to Subversion
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, 2005-07-29 at 01:00, "Martin v. Löwis" wrote:
> Barry Warsaw wrote:
> > We won't use plain text, but we may (or, we currently do) use basic auth
> > over ssl. The security then is in the passwords, so we have to make
> > sure they're generated securely.
>
> That (sort of) is plain text passwords. Somebody who took over
> svn.python.org can get the password. In public-key or digest
> authentication, this won't be possible.
Actually, the passwords are still hashed in the file, so they wouldn't be able to extract the plain text password. They definitely are vulnerable to brute force attack, though probably not to a dictionary attack. In practice I've been using a password generated based on os.urandom() -- we generate the password and get it to the Subversion user via a "secure route". I'd be happy to share my password generation script with anybody who wants to audit it.
Public/private keys would be better, and if anybody knows how to set up a Subversion server to use these without having to create accounts for everyone, I think we (the python.org admins) would love your help.
-Barry
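Barry mentions a password generator built on os.urandom(); the block below is an added example, not the script from the thread, showing one way to do that: uniform symbol selection from the OS random source via rejection sampling, plus the entropy figure that sets the cost of the brute-force attack he says a hashed password remains exposed to.

```python
import math
import os
import string

# Default alphabet: 62 symbols (letters and digits), easy to type into a basic-auth prompt.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=16, alphabet=ALPHABET, randbytes=os.urandom):
    """Build a password of `length` symbols drawn uniformly from `alphabet`.

    Bytes come from `randbytes` (os.urandom by default, i.e. the OS CSPRNG).
    A naive `byte % len(alphabet)` skews the distribution whenever 256 is not
    a multiple of the alphabet size; rejection sampling discards the bytes
    that would cause that skew, so every symbol is equally likely.
    """
    n = len(alphabet)
    if not 1 < n <= 256:
        raise ValueError("alphabet must have between 2 and 256 symbols")
    limit = 256 - (256 % n)  # largest multiple of n that fits in one byte
    out = []
    while len(out) < length:
        for b in randbytes(length):  # fetch a batch; a few bytes may be rejected
            if b < limit:
                out.append(alphabet[b % n])
                if len(out) == length:
                    break
    return "".join(out)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_brute_force_guesses(length, alphabet_size):
    """Expected guesses to hit a uniform password: half the keyspace."""
    return alphabet_size ** length // 2


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
```

A 16-symbol password from this 62-symbol alphabet carries about 95 bits, which is what makes exhaustive search against the stored hash impractical even though the hash file itself offers no dictionary to attack.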