On Wednesday, August 17, 2011, Jason Smith <j...@iriscouch.com> wrote:
> On Wed, Aug 17, 2011 at 9:22 PM, Robert Newson <rnew...@apache.org> wrote:
>> <distilled from IRC chat>
>>
>> A separate password file as described above, but can only be updated thus;
>>
>> # couchdb --set-password admin
>> Password: foo
>> Password updated.
>
> What problem is this solving exactly? This thread started because you
> edit foo.ini and subsequent changes go to bar.ini.

because the biggest problem is passwords. local.ini could be then used for what it should be: local configuration updated via http or not.

>
> That foo.ini happens to hold plaintext passwords instead of, say, TCP
> nodelay only underscores the problem. But plaintext vs. hashed
> passwords is a totally different matter.
>
> But regarding passwords, would you humor me and please re-state the
> requirements?
>
> I think it is a solution looking for a problem. Are we talking about
> moving *all* passwords to this file (ignoring _user doc .salt and
> .password_sha)? Or are we keeping those in sync now? Or is this just
> admin passwords? But only admins can see (hashed) passwords over HTTP.
> On Unix filesystems, if you have permission to read
> /etc/couchdb/local.ini then you very likely have permission to read
> /var/lib/couchdb/everything.couch, so what is the point?

be safer and more logical. passwords shouldn't be put in plain text at all.

>
> Regarding --set-password and couchctl, unless I am missing some
> serious requirement (possible), it sounds like CouchDB is poised to
> get much more complex soon. I spend all my free time bragging about
> how simple it is so that would be quite a blow to my ego.
>
> Thanks.
>

what is the argument against simplicity here?

- benoit