I've committed these changes:

- Default HMAC password is the application root package (so at least each app will have a different value)
- AlertManager.error() called as well as logger.error()

On Sat, Oct 6, 2012 at 3:21 PM, Massimo Lusetti <[email protected]> wrote:
> On Sat, Oct 6, 2012 at 3:01 AM, Howard Lewis Ship <[email protected]> wrote:
>
>>> Although I'm with Massimo on the random HMAC pass phrase, I don't
>>> think the question should hold up a release. Having *some* HMAC
>>> solution in place soon is important.
>>
>> I think having a random key is going to give people a false sense of
>> security ("look, I don't even need to configure anything") and then
>> big headaches ("why do some of my forms blow up with this HMAC
>> thing?").
>
> I don't want to transform this into a "bikeshed color" discussion but
> having a random key or something along that way is far more secure
> than the current default.
>
>> The current solution runs, but emits the error that things could be more
>> secure.
>
> To my eyes this is a "false sense of security"
>
>> I'm really thinking about using the AlertManager to force this into
>> the developer's face.
>
> I'd vote for that.
>
> Cheers
> --
> Massimo
> http://meridio.blogspot.com

--
Howard M. Lewis Ship

Creator of Apache Tapestry
http://howardlewisship.com
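
The trade-off argued in this thread, as an added example that is not part of the original messages and is not Tapestry's code: it compares a package-name default key, a per-JVM random key, and an explicitly configured key for signing form state. The class name, HMAC-SHA256, the package name and all sample values are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class HmacKeyChoices {
    // HMAC-SHA256 tag over the serialized form state.
    static byte[] sign(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Recompute the tag and compare in constant time.
    static boolean verify(byte[] key, byte[] data, byte[] tag) throws Exception {
        return MessageDigest.isEqual(sign(key, data), tag);
    }

    // Fresh 256-bit key, as a "random default" would generate at startup.
    static byte[] randomKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real application.
        byte[] form = "constructed-serialized-form-state".getBytes(StandardCharsets.UTF_8);
        byte[] packageKey = "com.example.app".getBytes(StandardCharsets.UTF_8);
        byte[] configuredKey = "constructed-deployment-secret".getBytes(StandardCharsets.UTF_8);

        // Package-name default: every node derives the same key, so forms verify,
        // but the key is recomputable from the package name and is not a secret.
        byte[] tag = sign(packageKey, form);
        System.out.println("package default, other node: " + verify(packageKey, form, tag));

        // Random default: node A renders the form, node B (or A after a restart)
        // holds a different key and rejects the submission.
        byte[] nodeA = randomKey(), nodeB = randomKey();
        System.out.println("random default, other node:  " + verify(nodeB, form, sign(nodeA, form)));

        // Explicitly configured secret shared by all nodes: verifies everywhere
        // and cannot be derived from the application's package name.
        tag = sign(configuredKey, form);
        System.out.println("configured key, other node:  " + verify(configuredKey, form, tag));
        System.out.println("configured tag under package key: " + verify(packageKey, form, tag));
    }
}
```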
