[Python-Dev] PEP: Migrating the Python CVS to Subversion
Barry Warsaw
barry at python.org
Fri Jul 29 23:54:15 CEST 2005
On Fri, 2005-07-29 at 01:00, "Martin v. Löwis" wrote:
> Barry Warsaw wrote:
> > We won't use plain text, but we may (or, we currently do) use basic auth
> > over ssl. The security then is in the passwords, so we have to make
> > sure they're generated securely.
>
> That (sort of) *is* plain text passwords. Somebody who took over
> svn.python.org can get the password. In public-key or digest
> authentication, this won't be possible.
Actually, the passwords are still hashed in the file, so they wouldn't
be able to extract the plain text password. They definitely are
vulnerable to brute force attack, though probably not to a dictionary
attack. In practice I've been using a password generated based on
os.urandom() -- we generate the password and get it to the Subversion
user via a "secure route" <heh>. I'd be happy to share my password
generation script with anybody who wants to audit it.
Public/private keys would be better, and if anybody knows how to set up
a Subversion server to use these without having to create accounts for
everyone, I think we (the pythong.org admins) would love your help.
-Barry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://mail.python.org/pipermail/python-dev/attachments/20050729/cbed3ca0/attachment.pgp
More information about the Python-Dev
mailing list