On Fri, 2005-07-29 at 00:44, "Martin v. Löwis" wrote: > - assignment of passwords. This I don't like about the current > pydotorg setup - there should be a way to chose your own password; > perhaps without involving an administrator. > I could imagine a web form for password change, and administrator > interaction in case of a lost password.
I disagree. By reserving password generation to the pydotorg admins, we can better insure the passwords are more robust against dictionary attacks. See my previous message. I actually /don't/ want individuals to be able to set their own passwords. In practice, you only have to know your password once, because svn caches the authentication (yes, that opens up opportunities for compromise, but that's how svn works). > - compromised passwords. The only tricky question then is: was the > repository altered? Fortunately, for Subversion, there should be > an easy way to tell: in fsfs, files never change (only new files > are added). So we could generate md5sums of all files in the > repository, and download these to an offsite place. If the md5sum > of an immutable file changes, we were compromised (there are, > of course, a few files that do change regularly). > Of course, we also need regular backups of the entire data > so we can restore them if they got compromised. +1 to all that. -Barry
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
