On Monday 10 December 2007 03:32:17 pm Nate Lowrie wrote:
> On Dec 10, 2007 4:10 PM, johnf <[EMAIL PROTECTED]> wrote:
> > On Monday 10 December 2007 02:50:04 pm Ricardo Aráoz wrote:
> > > johnf wrote:
> > > (snip...)
> > >
> > > > Right off the bat let me say the easiest way to set up a connection is
> > > > to use the "CxnEditor.py" app.  It works and is a great example
> > > > of Dabo eating its own dog food (CxnEditor was created using Dabo).
> > > > I use it for my projects and if there was a better way - I'd use it. 
> > > > But it really does not do much (all the real work is done in the
> > > > framework). CxnEditor creates an XML file that contains the parameters
> > > > required by the python connection interface that applies to your
> > > > database.  Like user name, password, host, database name or anything
> > > > else that is needed to allow a database connection.
> > >
> > > Hi, so CxnEditor creates an XML file. Now you have in an ASCII file your
> > > sensitive information (user, password - of course it will be a user
> > > with append/update/delete rights) for anyone to see. My question is,
> > > how would you manage the database security?
> > >
> > > TIA
> >
> > Currently, there is little real security.  Although the password has
> > encryption.  However, it is very easy to subclass the login.py routines
> > and add real security and still use the XML files.  But for the purposes
> > of the tutorial what CxnEditor provides is enough.
> >
> > But here's a question.   What are you using for database security?  I
> > have seen ODBC connections that use 'sa' and the same password for
> > everyone that used the program.  I have seen RSA key fobs that cost
> > $100.00 for each seat.  What would you like to see in Dabo?
>
> We have to be very careful with this.  I don't know where the lines
> are with ITAR but we (devs in the US) cannot export encryption
> technology above a certain standard.  If someone wants to tackle this
> feel free, but please send an email to the dev list containing the
> specs of the encryption standard before you commit so that we don't do
> anything that would be a felony...
>
> I wonder if we could hook GnuPG?
>
> Cheers,
>
> Nate L.
just .02
I have considered several ways to improve security for Dabo and we might
discuss them in the near future.  But the truth is my clients really don't
want security.  What they want is the ability to filter users' access to
modules and maybe some tracking.  I have one client I have known for over
twenty years and they refuse to change a twenty-year-old root password.

If you force users to use something other than a pet's name or birthday then
they write it down on paper and tape it to the monitor.  Private sector - under
100 employees - forget it.



-- 
John Fabiani

