Bryan Hoffpauir wrote:
> Micah, I noticed you posted your announcement on your new job -
> congratulations! I certainly hope you are able to sort out the
> issues surrounding the code and your ability to participate.

I'm pretty sure it'll all work out (I sure hope!), but in the meantime I'm stuck with having to refrain from coding from the 17th, until it's resolved.

> I'm interested in learning more about assisting with maintaining.
> I'm not that experienced in this side of the OSS world, so I couldn't
> offer to take over maintaining, but I'm open to assisting and
> learning more.

Excellent! Help is definitely very much appreciated.

> I'd like to use my current issue to get my feet wet with this
> process. You mentioned in your earlier post on the list that you
> thought some recent changes you had pushed through to make sure wget
> didn't issue cleartext authentication unless it received a challenge
> to do so may be the culprit.
>
> I would be happy to assist troubleshooting. I don't have a NTLM
> server that is available to the public right now. If needed, I may
> be able to set one up.
>
> Alternatively, if you could give me some details on your thoughts
> about the cleartext changes that may have affected it and what might
> correct it, I could compile and test the changes in my lab and share
> the results with you.

Okay. One of the first things I was struck by when I took on the maintainer's mantle for Wget was that it always issues cleartext-recoverable, HTTP Basic authentication without waiting for a challenge, which if you're not running in a secure tunnel (SSL) is a security problem (and in violation of current RFCs).

I actually mentioned this issue first in my "New wget maintainer" announcement, in June of 2007: http://article.gmane.org/gmane.comp.web.wget.general/6692; most of the rest of the thread related to that was renamed "Basic auth by default".

I later followed this with a post entitled "HTTP Auth: Past, Present & Future": http://article.gmane.org/gmane.comp.web.wget.general/6861

The "How it should work" section is still not quite finished yet, though Julien Buty did some good work in that direction (Wget _does_ now support password "asking" at the terminal). My hope was to have that section implemented for 1.12, but I may decide to punt it for 1.13, so we can polish the current implementation some more.

The authentication fixes for 1.11 are at http://hg.addictivecode.org/wget/mainline/rev/963e690d3041

A further change was introduced at http://hg.addictivecode.org/wget/mainline/rev/cff5d917155e to allow the old behavior to be used when needed.

I suspect that a close look at the code will reveal to me where the "thinko" is where NTLM is concerned; I just need to set aside some time to peer around there.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
GNU Maintainer: wget, screen, teseq
http://micah.cowan.name/
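
The challenge-first behaviour discussed in the message above, as an added example that is not part of the original post and is not Wget's code: a client sends no credentials on the first request and picks a scheme only from what a 401 response offers. All names are hypothetical, `preemptive_basic` stands in for the "old behavior" switch, and the preference for Digest and NTLM over Basic is this example's assumption.

```c
/* Added example, not Wget source: every name here is hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum auth_action { AUTH_NONE, AUTH_BASIC, AUTH_DIGEST, AUTH_NTLM };

/* Case-insensitive match of the first n bytes; stops safely at p's NUL. */
static int ieq(const char *p, const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)s[i])) return 0;
    return 1;
}

/* Does a WWW-Authenticate value offer `scheme`?  A scheme is a token that
   starts a comma-separated element; text inside quoted strings is skipped. */
static int offers(const char *hdr, const char *scheme) {
    size_t n = strlen(scheme);
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        if (ieq(p, scheme, n) && (p[n] == ' ' || p[n] == ',' || p[n] == '\0'))
            return 1;
        while (*p && *p != ',') {
            if (*p == '"') {
                for (p++; *p && *p != '"'; p++)
                    if (*p == '\\' && p[1]) p++;
                if (*p) p++;
            } else p++;
        }
    }
    return 0;
}

/* status 0 = no response yet (first request).  preemptive_basic models the
   old send-before-challenge behaviour.  Preferring Digest/NTLM over Basic
   is this example's assumption. */
enum auth_action decide_auth(int status, const char *www_auth, int preemptive_basic) {
    if (status == 0) return preemptive_basic ? AUTH_BASIC : AUTH_NONE;
    if (status != 401 || www_auth == NULL) return AUTH_NONE;
    if (offers(www_auth, "Digest")) return AUTH_DIGEST;
    if (offers(www_auth, "NTLM")) return AUTH_NTLM;
    if (offers(www_auth, "Basic")) return AUTH_BASIC;
    return AUTH_NONE;
}

int main(void) {
    /* Constructed header value, not captured traffic. */
    printf("%d\n", decide_auth(401, "NTLM, Basic realm=\"lab\"", 0));
    return 0;
}
```

A server that offers both NTLM and Basic is the case to test against when checking that a challenge-first client still reaches NTLM rather than stopping at "no credentials".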
