Oh, that's not what I'm +1 for then. I specifically mean that passwords are never held in any .ini file, but instead in a separate password file that contains nothing but passwords, and never plaintext passwords either. It is updated with a script which takes username and password, crunches it, and writes it to the file. I used 'htpasswd' as shorthand for all of the above but clearly was too terse, sorry.
I quite like your proposal too, though, where only bootstrapping (database_dir, etc) are in config and the rest can be read from a special _config database (thus eliminating any manual alterations from outside _config).

B.

On 17 August 2011 12:29, Noah Slater <nsla...@apache.org> wrote:
>
> On 16 Aug 2011, at 23:07, Robert Newson wrote:
>
>> nice idea to have a separate htpasswd (-like) file. Passwords are
>> special, let's treat them accordingly.
>
> Just to clarify.
>
> The proposal you're commenting on only suggests a separate password script
> that generates hashes which are then put into the regular ini files.
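
An added sketch of the htpasswd-like arrangement described in this message (not code from the thread or from CouchDB): a dedicated file holding only `user:hash` lines, updated by a script that salts and hashes the password before anything is written. The file format, the PBKDF2-SHA256 parameters and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, tempfile

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2-sha256$iters$salt_hex$hash_hex' (constructed format)."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def load(path):
    """Parse 'user:hash' lines; a missing file is an empty user table."""
    entries = {}
    try:
        with open(path, encoding="utf-8") as f:
            for line in f:
                user, sep, stored = line.rstrip("\n").partition(":")
                if sep:
                    entries[user] = stored
    except FileNotFoundError:
        pass
    return entries

def set_password(path, username, password):
    """Add or replace one user's hash; plaintext never reaches the disk."""
    if not username or any(c in username for c in ":\r\n"):
        raise ValueError("username must be non-empty without ':' or newlines")
    entries = load(path)
    entries[username] = hash_password(password)
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.writelines(f"{u}:{h}\n" for u, h in sorted(entries.items()))
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def verify(path, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    stored = load(path).get(username)
    if stored is None:
        return False
    _scheme, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)
```

Because the file is rewritten through a temporary file and renamed into place, a reader never sees a half-written password table, and the 0600 mode keeps it readable by the service account only.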