On Wed, Mar 24, 2010 at 11:13 AM, Evan Carroll <li...@evancarroll.com> wrote:
>> It would be if anything you said were true; fortunately it's not, and both
>> available methods of doing salted passwords with
>> Catalyst::Plugin::Authentication do salt entirely the correct way.
>>
>> Your unnecessary and condescending lectures are, however, greatly
>> appreciated
>> as usual.
>
> While you're probably doubting your whole statement about salts being
> implemented "entirely the correct way," I just wanted to indulge you
> with one more lecture. I feel the need to call you out and cross-post
> your response on rt for the historical mailing-list record:
>
> I have no idea what distribution you intended to file this bug against,
> but it's obviously not the one you *did* file against, which does
> nothing even vaguely resembling reading salt from a config file.
>
> To which I responded:
>
> http://search.cpan.org/src/FLORA/Catalyst-Plugin-Authentication-0.10016/lib/Catalyst/Authentication/Credential/Password.pm
>
> I think I've got the right one...
>
> P.S. stop being an asshole, thanks.
>
> along with the code:
>
> Just to save some insincere discourse and further boring name calling:
>
> $d->add( $self->_config->{'password_pre_salt'} || '' );
> $d->add($password);
> $d->add( $self->_config->{'password_post_salt'} || '' );
>
> I have a disconnect sometimes when I see "Andrew Rodland," instead of
> "hobbs" but your unwavering hostility is certainly noticed. Rather
> than give the bug report a fair evaluation you deny it without reason.
> Like most religions, yours has a convenient indicator: "if anything
> you said were true; fortunately it's not." Good, concise illogical ad
> hominem not grounded in reality, and totally without merit as to the
> bug report.
>

While my opinion of you is not favorable, I do believe that we should always look at reports without seeing who filed them and react accordingly.

In this case, though, the 'salted_hash' option defers all salting to Crypt::SaltedHash. The option for 'hashed' does what you are talking about, and the documentation clearly lists the differences here. I'm more of the mind that this is a non-issue, but could easily lead people astray into doing something that they do not want to do.

If there is a problem with the way the salts are handled, that would be a problem in Crypt::SaltedHash. Your bug report does seem to imply it would be a problem with Crypt::SaltedHash, though, which is why without a more thorough glance, you look like you are wholly mistaken.

-J

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
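
The difference between the two options discussed in this thread, as an added example that is not code from the thread or from Catalyst::Plugin::Authentication: a salt read from configuration is shared by every account, while Crypt::SaltedHash generates a salt per stored record. The user names, passwords and salt strings are constructed sample values, and using the core Digest module for the `$d` object is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest;               # core module; assumed to be what $d is in the quoted lines
use Crypt::SaltedHash;    # CPAN module the 'salted_hash' option defers to

# Constructed sample data: two accounts that happen to share a password.
my %users = ( alice => 'correct horse', bob => 'correct horse' );

# Constructed values standing in for password_pre_salt / password_post_salt.
my %config = (
    password_pre_salt  => 'site-pre-',
    password_post_salt => '-site-post',
);

# 'hashed' style: one salt from configuration, shared by every account.
sub config_salted {
    my ($password) = @_;
    my $d = Digest->new('SHA-1');
    $d->add( $config{password_pre_salt} || '' );
    $d->add($password);
    $d->add( $config{password_post_salt} || '' );
    return $d->hexdigest;
}

# 'salted_hash' style: Crypt::SaltedHash picks a random salt on each call
# and stores it inside the returned string.
sub per_record_salted {
    my ($password) = @_;
    my $csh = Crypt::SaltedHash->new( algorithm => 'SHA-1' );
    $csh->add($password);
    return $csh->generate;
}

my %fixed  = map { $_ => config_salted( $users{$_} ) } keys %users;
my %random = map { $_ => per_record_salted( $users{$_} ) } keys %users;

printf "config salt: both users store the same value?     %s\n",
    $fixed{alice} eq $fixed{bob} ? 'yes' : 'no';
printf "per-record salt: both users store the same value? %s\n",
    $random{alice} eq $random{bob} ? 'yes' : 'no';

# Verification still works because the salt travels with the stored hash.
printf "bob's password validates against his record?      %s\n",
    Crypt::SaltedHash->validate( $random{bob}, $users{bob} ) ? 'yes' : 'no';
```

With a configuration-only salt, identical passwords produce identical stored values, so a table of hashes reveals which accounts share a password; the per-record salt removes that correlation.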