Am Sonntag, 4. Februar 2018 00:30:05 UTC+1 schrieb Cédric Krier: > On 2018-02-03 07:48, Axel Braun wrote: > > Am Montag, 29. Januar 2018 23:25:07 UTC+1 schrieb Cédric Krier: > > > On 2018-01-29 12:47, Axel Braun wrote: > > > > I would like to discuss https://bugs.tryton.org/issue5375 with all > > > > developers involved. > > > > > > All developers have already commented on the issue and we all agree that > > > the proposal is wrong, solves nothing and weakens the brute force attack > > > protection. > > > > We had a constructive and friendly discussion about the topic here: > > https://bugzilla.opensuse.org/show_bug.cgi?id=1078111 > > What I read is that more people agree that the applied patch does not > solve any issue and disable the brute force attack protection.
Maybe you should read more carefully: The current implementation in Tryton, that allows you to bring the whole system down by flooding the database with login requests is rubbish (OK, the security team phrased it more politely) > > The advise from the security team should be considered for a future patch. > > But more importantly, the applied patch on the OpenSUSE package must be > removed ASAP to not expose OpenSUSE users of the Tryton package to brute > force attack against their password. Dunno if you have read the link you have posted above (https://www.schneier.com/blog/archives/2009/01/bad_password_se.html) yourself, but the first comment already describes it pretty well. Up to now we have no better patch in place. The proposed patch https://codereview.appspot.com/335550043/ makes thing even worse. > PS: Moreover I think such patched Tryton could not complain with the GDRP[1] > > [1] https://en.wikipedia.org/wiki/General_Data_Protection_Regulation Where exactly? -- You received this message because you are subscribed to the Google Groups "tryton-dev" group. To view this discussion on the web visit https://groups.google.com/d/msgid/tryton-dev/1d16943d-95f3-4fb0-acf3-d306c4c281c0%40googlegroups.com.
