rahul wrote:
> | Can we make sure that this is ONLY done over https connections please
> | otherwise it is sending clear text passwords over the wire.
>
> I understand the reason but shouldn't it be enforced by the server
> rather than the client?

The client starts the conversation, not the server. The client should know not to attempt to do authentication that will expose clear text credentials over the wire if it didn't make an https connection. Most web browsers have a config option for this and warn you when you attempt to do so the first time.

> | Why is this hand coded rather than using urllib2.HTTPBasicAuthHandler ?
> | It would be nice to also see HTTPDigestAuthHandler support added too.
> | Sample code is on page 503 of the Python in a Nutshell book.
>
> Thanks, I will modify it to use HTTPBasicAuthHandler
>
> | Also is it going to ask for creds for every package being sent or just
> | once ?
>
> The current way yes, it is a prototype though for getting to know which
> of the options were preferable.

I'd rather that wasn't the case but....

> | It would be very helpful to be able to read the creds from a file (NOT
> | as CLI arguments or environment variables for the password, the username
> | can be a cli argument or in the URL).
>
> I will update with a new implementation soon.

Doing that mitigates the above significantly.

--
Darren J Moffat
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
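One way a client could enforce the points raised in this thread (https-only Basic auth, the stock handler instead of hand-coded headers, credentials read once from a file), as an added example that is not code from the thread or the project. It uses Python 3's `urllib.request`, the successor to `urllib2`; the names `InsecureAuthError`, `read_credentials`, `HTTPSOnlyBasicAuthHandler` and `make_repo_opener`, and the one-line `username:password` file format, are assumptions.

```python
import os
import stat
import urllib.request
from urllib.parse import urlsplit


class InsecureAuthError(Exception):
    """Raised when credentials would be exposed or are stored unsafely."""


def read_credentials(path):
    """Read 'username:password' (assumed format) from an owner-only file."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureAuthError("%s is accessible to group/other" % path)
    with open(path, encoding="utf-8") as fh:
        user, sep, password = fh.readline().rstrip("\n").partition(":")
    if not sep or not user:
        raise InsecureAuthError("expected 'username:password' in %s" % path)
    return user, password


class HTTPSOnlyBasicAuthHandler(urllib.request.HTTPBasicAuthHandler):
    """Answer a Basic challenge only if the challenged request used https."""

    def http_error_401(self, req, fp, code, msg, headers):
        # urllib routes 401s for both http and https requests through this
        # method, so check the scheme of the request that was challenged
        # (this also covers a redirect that left https).
        if urlsplit(req.full_url).scheme != "https":
            raise InsecureAuthError("refusing Basic auth over " + req.full_url)
        return super().http_error_401(req, fp, code, msg, headers)


def make_repo_opener(repo_url, cred_file):
    """Build one opener, reused for every package, for an https repo URL."""
    if urlsplit(repo_url).scheme != "https":
        raise InsecureAuthError("credentials require an https URL: " + repo_url)
    user, password = read_credentials(cred_file)
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, repo_url, user, password)
    return urllib.request.build_opener(HTTPSOnlyBasicAuthHandler(mgr))
```

Because the opener is built once and holds the password manager, the credentials are read a single time and reused for each package sent through it.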
