| >| Can we make sure that this is ONLY done over https connections please 
| >| otherwise it is sending clear text passwords over the wire.
| >I understand the reason but shouldn't it be enforced by the server
| >rather than the client?
| The client starts the conversation not the server.
| 
| The client should know not to attempt to do authentication that will 
| expose clear text credentials over the wire if it didn't make an https 
| connection.  Most web browsers have a config option for this and warn 
| you when you attempt to do so the first time.

Other programs like WebDAV or svn do not follow this approach. Since
WebDAV is a standard and has gone through some review, and what it does
is very similar to what pkg does too (on a meta level at least), it is a
convention we can/should follow.

(we should perhaps look at supporting WebDAV as an interface too)

Moreover, browsers don't do that for basic auth (at least Firefox, Opera
and IE don't). What they do is _warn_ you when you try to send a username
and password in the _URL_. The reasoning for that is that the URL is directly
visible in the access logs of the web servers and persists for quite
a long time. And the access logs (or the data from them) may be published
without cleanup by the administrators. This is very different from the
scenario for basic auth.

| >| Why is this hand coded rather than using urllib2.HTTPBasicAuthHandler ? 
| >| It would be nice to also see HTTPDigestAuthHandler supported added too.
| >| Sample code is on page 503 of the Python in a Nutshell book.
| >
| >Thanks I will modify it to use HTTPBasicAuthHandler
| >
| >| Also is it going to ask for creds for every package being sent or just 
| >| once ?
| >
| >The current way, yes. It is a prototype, though, for getting to know which
| >of the options were preferable.
| 
| I'd rather that wasn't the case but....
| 
| >| It would be very helpful to be able to read the creds from a file (NOT 
| >| as CLI arguments or environment variables for the password, the username 
| >| can be a cli argument or in the URL).
| >
| >I will update with a new implementation soon.
| 
| doing that mitigates the above significantly.
| 
| -- 
| Darren J Moffat
---~*~---
                                    rahul
--
1. e4 _
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
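The thread above asks for four things from the client: refuse to send Basic credentials unless the connection is https, don't accept credentials embedded in the URL (they end up in the server's access logs), read the password from a file rather than the command line or environment, and ask only once rather than per package. The following is an added example, not code from pkg or from anyone on the thread, showing one way to put all four together with the stock handler (`urllib2.HTTPBasicAuthHandler` in Python 2, `urllib.request.HTTPBasicAuthHandler` in Python 3, which is what this uses). The file format (`username:password` on the first line, mode 0600), the repository URLs and the credential values are assumptions made for the example.

```python
"""Client-side guards for HTTP Basic auth against a package repository.

Added example (not pkg's own code). Assumptions: the credential file holds
'username:password' on its first line and must not be group/world readable;
repository URLs and credentials below are constructed for the demo.
"""
import os
import stat
import tempfile
import urllib.request
from urllib.parse import urlsplit


class InsecureTransportError(Exception):
    """Basic credentials would go over plain http in clear text."""


class CredentialsInUrlError(Exception):
    """user:password was embedded in the URL, which is what servers log."""


def check_url_for_basic_auth(url, allow_plaintext=False):
    """Return the parsed URL if it is safe to attach Basic credentials to.

    Plain http is refused unless the caller explicitly opts in (the
    client starts the conversation, so this is the client's decision).
    A userinfo component is refused outright: the URL lands in the web
    server's access log, unlike the Authorization header.
    """
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        raise CredentialsInUrlError("credentials in URL for %s" % parts.hostname)
    if parts.scheme != "https" and not allow_plaintext:
        raise InsecureTransportError("refusing Basic auth over %s" % parts.scheme)
    return parts


def write_credential_file(path, user, password):
    """Create the file with mode 0600 from the start (no window where it is wider)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("%s:%s\n" % (user, password))


def load_credentials(path):
    """Read 'username:password' from a file only its owner can read."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/other accessible; chmod 600 it" % path)
    with open(path, "r", encoding="utf-8") as fh:
        line = fh.readline().rstrip("\n")
    user, sep, password = line.partition(":")
    if not sep or not user:
        raise ValueError("expected 'username:password' on line 1 of %s" % path)
    return user, password


def build_opener(repo_url, cred_path, allow_plaintext=False):
    """Opener that answers 401s for the whole repository with one set of creds."""
    parts = check_url_for_basic_auth(repo_url, allow_plaintext)
    user, password = load_credentials(cred_path)
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    # Registering the scheme://host prefix means every package fetched
    # beneath it reuses the same credentials: the user is asked once, not
    # once per package.
    mgr.add_password(None, "%s://%s" % (parts.scheme, parts.netloc), user, password)
    return urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))


def demo():
    """Exercise the guards with a constructed credential file; returns a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, "pkgcreds")
        write_credential_file(cred, "darren", "s3cret")
        results["creds"] = load_credentials(cred)
        results["https_ok"] = build_opener("https://pkg.example.org/repo", cred) is not None
        for url, exc in (("http://pkg.example.org/repo", InsecureTransportError),
                         ("https://darren:s3cret@pkg.example.org/repo", CredentialsInUrlError)):
            try:
                build_opener(url, cred)
                results[url] = "allowed"
            except exc:
                results[url] = "refused"
        os.chmod(cred, 0o644)  # simulate an administrator loosening the file
        try:
            load_credentials(cred)
            results["world_readable"] = "allowed"
        except PermissionError:
            results["world_readable"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

`allow_plaintext` is the client-side equivalent of the browser "warn me" option: the default refuses, and a user who really wants clear-text Basic auth over http has to say so explicitly rather than get it by accident.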

Reply via email to