On 15 Aug 2011, at 18:32, Jan Lehnardt wrote:

> 1. Write admin = password to local.ini
> 2. Restart CouchDB
> 3. Hash gets persisted to generated.ini
> 4. Plain text password remains in local.ini

Which one of these steps is the problem? 4? What would you have happen in place of that? That the plain text password be removed? Could we not simply leave that up to the admin to remove it from the config? What if it is needed again at some point?

If I put my plain text password in a config file that I had edited by hand on a server, I would not expect it to be removed by the software. If I was concerned about saving the plain text password in the first place, I would hope that the software in question would come with an interactive prompt that would ask me for my password and write the hash out to the file for me.
