Hi all,

> Who says AuthKit is not ready for production?  Did its author
> disrecommend it?  

Well, I say it isn't ready for production on the main site because I'm 
still tweaking the APIs a bit and haven't written the full documentation. 
I'm using the 0.4 branch in production systems myself though so it 
should be considered ready for production if you can work out how to use 
it without full documentation. The 0.3 release is a bit out of date now 
so I hope to release the 0.4 version fairly soon.

> I took a quick glance at the manual and it says:
> "AuthKit has not been audited by a security expert, please use with
> caution at your own risk (or better yet, report security holes)."  But
> the same goes for a lot of reasonably safe Python software.  Of course
> it would be good to hire a security specialist to audit Pylons and its
> commonly-used dependencies -- are you offering to do this and file bug
> reports?

Exactly, it should be safe but I haven't gone through all the algorithms 
and specs to check and I don't guarantee there aren't bugs.

>> Does Pylons have the means to keep the bad guys out? I'm interested
>> in using it for an e-commerce app, and you anyone can the security
>> requirements any e-commerce app would need.

You can run Pylons and AuthKit behind a secure server and then things 
should be pretty secure. You might be interested in my article here:

http://docs.pythonweb.org/x/ZIAI

> The main vulnerabilities derive from the type of
> authentication chosen: plaintext password file, encrypted password
> file, SQL database, LDAP, etc.  Each of these imply certain
> vulnerabilities that really overshadow how well AuthKit manages them.
> Meaning, AuthKit probably does a reasonably good job, but the factors
> outside its control are the ones most likely to bite you, and these
> should be looked at no matter whether you use AuthKit or some other
> library.

+1

Cheers,

James
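As an added illustration of the quoted point that the choice of password
store matters more than the auth library on top of it: the block below is
example code written for this page, not AuthKit's or Pylons' own code, and
it assumes nothing about AuthKit's API. It contrasts a plaintext password
table (the "plaintext password file" case named above) with a salted
PBKDF2-HMAC-SHA256 store verified in constant time; the user data, the
record format and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a "plaintext password file" of the kind the
# thread warns about, modelled as {username: password}. Example only.
PLAINTEXT_USERS = {"alice": "hunter2"}

# Assumption: work factor for PBKDF2; tune upwards for real deployments.
PBKDF2_ITERATIONS = 100_000


def plaintext_check(username, password):
    """The weak form: the stored secret *is* the password, so one leaked
    file (or one SQL injection) hands out every account at once."""
    return PLAINTEXT_USERS.get(username) == password


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salthex$hashhex'.
    A fresh random salt per user defeats precomputed (rainbow) tables and
    makes identical passwords produce different records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time. Malformed records verify as False rather than
    raising, so a corrupted row cannot turn into a 500 that leaks structure."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


# Dummy record used when the username is unknown, so that a failed login
# costs the same PBKDF2 work whether or not the account exists.
DUMMY_RECORD = hash_password(os.urandom(8).hex())


def migrate_plaintext(users):
    """One-shot migration of a plaintext table into hashed records."""
    return {name: hash_password(pw) for name, pw in users.items()}


def hashed_check(store, username, password):
    """The hardened form: no password is ever stored, and unknown users
    take the same time to reject as known users with a wrong password."""
    record = store.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    store = migrate_plaintext(PLAINTEXT_USERS)
    print("plaintext ok :", plaintext_check("alice", "hunter2"))
    print("hashed ok    :", hashed_check(store, "alice", "hunter2"))
    print("hashed wrong :", hashed_check(store, "alice", "hunter3"))
    print("stored record:", store["alice"])
```

The record carries its own algorithm name, salt and iteration count, so
the work factor can be raised later and old rows re-hashed on next
successful login without a flag day; that is the part of the problem
that sits outside any auth library's control, as the quoted paragraph says.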



You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.