https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31059
Victor Grousset/tuxayo <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #16 from Victor Grousset/tuxayo <[email protected]> ---

IIRC <encryption_key> was outside of the DB so 3rd party service passwords and sensitive data would be safe against a DB only leak (like with an SQL injection).

But for the purpose of asset versioning without leaking the version of Koha, would it work to have another encryption key in the DB for that use? It doesn't matter much if it gets eventually stolen with the DB.

----

Something else: I might have missed if there is this possibility: can we count for most cases on koha-conf.xml being writable by the update process? So <encryption_key> could be populated there and the rest of the cases without write permission would need manual intervention for the upgrade.

Assuming there are, it might not be that bad to have a major upgrade need a manual intervention, since switching the update source would already be a manual intervention.

A bonus is that every install would have an out of DB key so that opens the possibility of using it in password storage so an SQL injection would have absolutely no chance in being compromised. Whereas today, even with salt and heavy hashing algorithms, it's feasible to test at least hundreds of thousands of passwords from dictionaries of the most popular ones.

But that whole thing relies on counting for most cases on koha-conf.xml being writable. There are signs that it might be writable.

«Or... koha-conf.xml becomes a generated file»
