Re: [cpan-questions #32443] Re: rt.cpan.org keeps logging me out.

2016-11-22 Thread Arthur Corliss 

On Tue, 22 Nov 2016, Shlomi Fish wrote:


The problem is that in order to improve the security of my passwords, I
keep them all encrypted using a master password. Firefox has a built-in
feature for that and, if you don't set a master passwords then the
passwords are stored using a relatively easy-to-reverse process which every
process on the local system can use (or at least those running as the local
user). There's some old discussion of it here:

http://catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s09.html

Since my firefox password is non-trivial, entering it to fill in the
rt.cpan.org password whenever I restart firefox, restart my
https://en.wikipedia.org/wiki/X_Window_System or restart the machine (for a
new kernel, glibc, etc.) is quite a hassle. What will make my life more
tolerable would be a browser add-on that will allow me to keep the
rt.cpan.org password (and only that) unencrypted (as I already have it in
"~/.pause" anyway).


Perhaps this is just me, but there seems to be some cognitive dissonance
here.  You've clearly put some thought into the security of your passwords,
yet you're putting less thought into securing a session token?  Or you want
a plugin to bypass the normal browser key store?

Maybe I'm overthinking this.  But, then, I don't trust browsers to begin
with.  I don't want them maintaining any kind of state for me over any
significant length of time.

--Arthur Corliss
  Live Free or Die

Re: [cpan-questions #32443] Re: rt.cpan.org keeps logging me out.

2016-11-22 Thread Alex Muntada 
Shlomi Fish:

> What will make my life more tolerable would be a browser add-on
> that will allow me to keep the rt.cpan.org password (and only
> that) unencrypted (as I already have it in "~/.pause" anyway).

Have you tried to pin the firefox tab once you've logged into
rt.cpan.org? It did work for me: just right click on the tab
and then on Pin:

https://support.mozilla.org/en-US/kb/pinned-tabs-keep-favorite-websites-open

Actually, if I leave the rt.cpan.org window open and quit firefox
(I have it configured to open all my previous tabs) the session
cookie still works when I start firefox again. However, if I close
the tab before restarting, it asks the login password again. So
session cookies seem to persist after restarting if you tell
firefox to remember the current tabs.

Other possible options you have are using one of the several
cookie addons available for firefox to modify the session cookie
and make it persistent, or something like lastpass addon to
remember the passwords that you don't want to store in firefox.

Hope this helps,
Alex

Re: [cpan-questions #32443] Re: rt.cpan.org keeps logging me out.

2016-11-21 Thread Shlomi Fish 
Hi Karen,

On Mon, Nov 21, 2016 at 7:59 PM, Karen Etheridge  wrote:

> What is the big deal in having to log in again? If you save your
> credentials in your browser, it's literally just one more click.
>
>
The problem is that in order to improve the security of my passwords, I
keep them all encrypted using a master password. Firefox has a built-in
feature for that and, if you don't set a master passwords then the
passwords are stored using a relatively easy-to-reverse process which every
process on the local system can use (or at least those running as the local
user). There's some old discussion of it here:

http://catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s09.html

Since my firefox password is non-trivial, entering it to fill in the
rt.cpan.org password whenever I restart firefox, restart my
https://en.wikipedia.org/wiki/X_Window_System or restart the machine (for a
new kernel, glibc, etc.) is quite a hassle. What will make my life more
tolerable would be a browser add-on that will allow me to keep the
rt.cpan.org password (and only that) unencrypted (as I already have it in
"~/.pause" anyway).


> I'd like to thank the RT admins in providing this service free to the Perl
> community; it is really awesome that a bug queue is created automatically
> for every distribution without the authors having to do a single thing to
> set it up.
>

I'd like to thank them too, but having to login time and again is still a
fly in the ointment.

Regards,

-- Shlomi Fish




>
> On Mon, Nov 21, 2016 at 7:45 AM, Shlomi Fish  wrote:
>
>> Hello Shawn,
>>
>> sorry for the late response. I'm CCing module-authors becase you did not
>> explicitly specify that you wish this reply to be kept private.
>>
>> On Fri, Nov 18, 2016 at 5:56 PM, Shawn M Moore via RT <
>> cpan-questi...@bestpractical.com> wrote:
>>
>>> On Fri Nov 18 06:01:48 2016, shlo...@gmail.com wrote:
>>> > Dear rt-cpan-admin
>>>
>>> Hi Shlomi,
>>>
>>> > On Sat, Feb 27, 2016 at 1:00 PM, Shlomi Fish  wrote:
>>> >
>>> > > Dear sirs and madams,
>>> > >
>>> > > thanks for maintaining http://rt.cpan.org/ .
>>> > >
>>> > > There is, however, a long-standing problem with it that the site keeps
>>> > > logging me out (usually after I close my browser), and I keep having to
>>> > > login again. This makes it frustrating to use rt.cpan.org. Please fix it
>>> > > as soon as possible.
>>>
>>> RT uses session cookies (also called transient cookies) which, as you 
>>> describe, usually clear when you close your browser. It's a tradeoff we 
>>> make for security.
>>>
>>> I see. That sounds like a very bad trade off in this day and age,
>> because people often need to reboot for new kernel / new libc / system
>> update / etc. or they need to restart their browsers because they either
>> crashed or started consuming too much RAM (and as you may know - browsers
>> like Firefox or GChromium have recently become memory hogs).
>>
>> I suppose I can convert to use GitHub Issues / GitLab Issues / Bitbucket
>> Issues / etc. - at least for my own CPAN distributions - but this will
>> involve a lot of manual tweaking and uploading new versions. Perhaps it
>> will be the last straw for creating my own Dist Zilla PluginBundle.
>>
>> Regards,
>>
>> -- Shlomi Fish
>>
>>
>>
>>> > > Regards,
>>> > >
>>> > > -- Shlomi Fish
>>>
>>> Best,
>>> Shawn
>>>
>>>
>>
>>
>> --
>> Shlomi Fish http://www.shlomifish.org/
>>
>> You can never truly appreciate The Gilmore Girls until you've watched it
>> in the original Klingon.
>>
>> Please reply to list if it's a mailing list post - http://shlom.in/reply
>> .
>>
>
>


-- 
Shlomi Fish http://www.shlomifish.org/

You can never truly appreciate The Gilmore Girls until you've watched it in
the original Klingon.

Please reply to list if it's a mailing list post - http://shlom.in/reply .

Re: [cpan-questions #32443] Re: rt.cpan.org keeps logging me out.

2016-11-21 Thread Karen Etheridge 
What is the big deal in having to log in again? If you save your
credentials in your browser, it's literally just one more click.

I'd like to thank the RT admins in providing this service free to the Perl
community; it is really awesome that a bug queue is created automatically
for every distribution without the authors having to do a single thing to
set it up.

On Mon, Nov 21, 2016 at 7:45 AM, Shlomi Fish  wrote:

> Hello Shawn,
>
> sorry for the late response. I'm CCing module-authors becase you did not
> explicitly specify that you wish this reply to be kept private.
>
> On Fri, Nov 18, 2016 at 5:56 PM, Shawn M Moore via RT <
> cpan-questi...@bestpractical.com> wrote:
>
>> On Fri Nov 18 06:01:48 2016, shlo...@gmail.com wrote:
>> > Dear rt-cpan-admin
>>
>> Hi Shlomi,
>>
>> > On Sat, Feb 27, 2016 at 1:00 PM, Shlomi Fish  wrote:
>> >
>> > > Dear sirs and madams,
>> > >
>> > > thanks for maintaining http://rt.cpan.org/ .
>> > >
>> > > There is, however, a long-standing problem with it that the site keeps
>> > > logging me out (usually after I close my browser), and I keep having to
>> > > login again. This makes it frustrating to use rt.cpan.org. Please fix it
>> > > as soon as possible.
>>
>> RT uses session cookies (also called transient cookies) which, as you 
>> describe, usually clear when you close your browser. It's a tradeoff we make 
>> for security.
>>
>> I see. That sounds like a very bad trade off in this day and age, because
> people often need to reboot for new kernel / new libc / system update /
> etc. or they need to restart their browsers because they either crashed or
> started consuming too much RAM (and as you may know - browsers like Firefox
> or GChromium have recently become memory hogs).
>
> I suppose I can convert to use GitHub Issues / GitLab Issues / Bitbucket
> Issues / etc. - at least for my own CPAN distributions - but this will
> involve a lot of manual tweaking and uploading new versions. Perhaps it
> will be the last straw for creating my own Dist Zilla PluginBundle.
>
> Regards,
>
> -- Shlomi Fish
>
>
>
>> > > Regards,
>> > >
>> > > -- Shlomi Fish
>>
>> Best,
>> Shawn
>>
>>
>
>
> --
> Shlomi Fish http://www.shlomifish.org/
>
> You can never truly appreciate The Gilmore Girls until you've watched it
> in the original Klingon.
>
> Please reply to list if it's a mailing list post - http://shlom.in/reply .
>

Re: [cpan-questions #32443] Re: rt.cpan.org keeps logging me out.

2016-11-21 Thread Shlomi Fish 
Hello Shawn,

sorry for the late response. I'm CCing module-authors becase you did not
explicitly specify that you wish this reply to be kept private.

On Fri, Nov 18, 2016 at 5:56 PM, Shawn M Moore via RT <
cpan-questi...@bestpractical.com> wrote:

> On Fri Nov 18 06:01:48 2016, shlo...@gmail.com wrote:
> > Dear rt-cpan-admin
>
> Hi Shlomi,
>
> > On Sat, Feb 27, 2016 at 1:00 PM, Shlomi Fish  wrote:
> >
> > > Dear sirs and madams,
> > >
> > > thanks for maintaining http://rt.cpan.org/ .
> > >
> > > There is, however, a long-standing problem with it that the site keeps
> > > logging me out (usually after I close my browser), and I keep having to
> > > login again. This makes it frustrating to use rt.cpan.org. Please fix it
> > > as soon as possible.
>
> RT uses session cookies (also called transient cookies) which, as you 
> describe, usually clear when you close your browser. It's a tradeoff we make 
> for security.
>
> I see. That sounds like a very bad trade off in this day and age, because
people often need to reboot for new kernel / new libc / system update /
etc. or they need to restart their browsers because they either crashed or
started consuming too much RAM (and as you may know - browsers like Firefox
or GChromium have recently become memory hogs).

I suppose I can convert to use GitHub Issues / GitLab Issues / Bitbucket
Issues / etc. - at least for my own CPAN distributions - but this will
involve a lot of manual tweaking and uploading new versions. Perhaps it
will be the last straw for creating my own Dist Zilla PluginBundle.

Regards,

-- Shlomi Fish



>
> > > Regards,
> > >
> > > -- Shlomi Fish
>
> Best,
> Shawn
>
>


-- 
Shlomi Fish http://www.shlomifish.org/

You can never truly appreciate The Gilmore Girls until you've watched it in
the original Klingon.

Please reply to list if it's a mailing list post - http://shlom.in/reply .