Re: CPAN::Forum
On Fri, Feb 04, 2005 at 02:40:09AM +0200, Gabor Szabo wrote:
> On Wed, 2 Feb 2005, Nicholas Clark wrote:
> > The same hack as rt.cpan.org uses - attempt a login on pause.cpan.org using the ID and password provided. If PAUSE accepts it, then you know it's the real thing.
>
> That would mean my server if cracked could be used to collect PAUSE passwords. I am not sure I'd like to have that responsibility.

No, because you don't keep passwords. You do the auth back to PAUSE as you need it, and then merely record in your site's state that you did it.

Nicholas Clark

RE: CPAN::Forum
> > > The same hack as rt.cpan.org uses - attempt a login on pause.cpan.org using the ID and password provided. If PAUSE accepts it, then you know it's the real thing.
> >
> > That would mean my server if cracked could be used to collect PAUSE passwords. I am not sure I'd like to have that responsibility.
>
> No, because you don't keep passwords. You do the auth back to PAUSE as you need it, and then merely record in your site's state that you did it.

I thought a special forum for discussing modules should be used not by authors themselves who have a CPAN ID, but by any module users who want to discuss module properties. So, in my opinion, no CPAN authentication should happen.

Best regards,
Vadim (VKON)

Can I edit my posts on CPAN::Forum to (hopefully) improve them?
subj

TIA,
VKON

Re: CPAN::Forum
Nicholas Clark wrote:
> > > The same hack as rt.cpan.org uses - attempt a login on pause.cpan.org using the ID and password provided. If PAUSE accepts it, then you know it's the real thing.
> >
> > That would mean my server if cracked could be used to collect PAUSE passwords. I am not sure I'd like to have that responsibility.
>
> No, because you don't keep passwords. You do the auth back to PAUSE as you need it, and then merely record in your site's state that you did it.

That missed the point. If his server was hacked, an attacker could change his software to record PAUSE passwords instead of discard them.

I'm not sure if it can be done, but maybe login IDs could be done with an email address rather than a nickname. That would allow module authors to clearly use their cpan email address for identity (with a password that is unique to cpanforums). Then, for example, nicknames could be set/changed by the user, and maybe to flag actual authors, only allow an all-caps nickname if it matches /(\w+)@cpan.org/ or something like that.

David Golden
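
An added example, not part of the thread and not CPAN::Forum's own code: the nickname rule suggested in the last message, written in Perl with the pattern anchored and escaped so that look-alike domains do not pass. The sub names, the nickname character set and the requirement that the address has already been confirmed by a mail round trip are assumptions; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the upper-cased ID when $email is exactly <id>@cpan.org, else undef.
# The loose /(\w+)@cpan.org/ is unanchored and its "." matches any character,
# so it also accepts "x@cpan.org.example.net" and "x@cpanXorg". \z (not $)
# refuses a trailing newline; \@ stops Perl interpolating an array @cpan.
sub cpan_id_from_email {
    my ($email) = @_;
    return undef unless defined $email;
    return $email =~ /\A(\w+)\@cpan\.org\z/ai ? uc($1) : undef;
}

# "All-caps" here means: at least one ASCII capital, no ASCII lower case.
sub looks_like_author_id {
    my ($nick) = @_;
    return $nick =~ /[A-Z]/ && $nick !~ /[a-z]/;
}

# Assumption: $verified_email was confirmed by a mail round trip before this
# is called; an unconfirmed address proves nothing about who typed it.
# The nickname character set and length limit are assumptions as well.
sub nickname_allowed {
    my ($nick, $verified_email) = @_;
    return 0 unless defined($nick) && $nick =~ /\A[\w .-]{1,32}\z/a;
    return 1 unless looks_like_author_id($nick);
    my $id = cpan_id_from_email($verified_email);
    return (defined($id) && $id eq $nick) ? 1 : 0;
}

# Constructed sample input: [ requested nickname, confirmed address ]
my @cases = (
    [ 'SOMEAUTHOR', 'someauthor@cpan.org'             ],  # author, own ID
    [ 'SOMEAUTHOR', 'someone@example.net'             ],  # non-author claims ID
    [ 'SOMEAUTHOR', 'someauthor@cpan.org.example.net' ],  # look-alike suffix
    [ 'SOMEAUTHOR', 'someauthor@cpanXorg'             ],  # unescaped-dot case
    [ 'SOMEAUTHOR', "someauthor\@cpan.org\n"          ],  # trailing newline
    [ 'Some User',  'someone@example.net'             ],  # ordinary nickname
);

for my $case (@cases) {
    my ($nick, $email) = @$case;
    (my $shown = $email) =~ s/\n/\\n/g;
    printf "%-11s %-32s %s\n", $nick, $shown,
        nickname_allowed($nick, $email) ? 'allowed' : 'refused';
}
```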