Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-15 Thread Daniel Shahaf
Nathan Hartman wrote on Thu, Jul 14, 2022 at 10:45:07 -0400:
> On Thu, Jul 14, 2022 at 10:02 AM Daniel Sahlberg
>  wrote:
> >
> > Den tors 14 juli 2022 kl 15:52 skrev Daniel Shahaf 
> > :
> >>
> >> Nathan Hartman wrote on Wed, 13 Jul 2022 15:29 +00:00:
> >> > On Wed, Jul 13, 2022 at 10:55 AM Daniel Shahaf  
> >> > wrote:
> >> >> Should the entry link to the zsh script
> >> >> (https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
> >> >> as well, as an alternative?  It might be useful for someone if their
> >> >> environment doesn't have Python installed or if they find the zsh script
> >> >> easier to audit.
> >> >
> >> > I think it would be useful, and...
> >> >
> >> >> (Well, I suppose it might make more sense to copy the script
> >> >> somewhere than to link to an immutable archives message with that
> >> >> subject line.)
> >> >
> >> > ...the place to put it is probably tools/client-side/ just like the
> >> > Python script.
> >>
> >> Being in tools/ would imply dev@ accepts responsibility for bug reports
> >> against the zsh script.  Is dev@ happy to do that?  I'm concerned about
> >> the bus factor.
> >
> >
> > I was just about to say the same thing (and with no intention to
> > discredit the zsh version). If it is desirable to list all available
> > realms and let the user choose interactively, I could add that to
> > the Python script.

Adding such functionality would reduce the amount of legwork for users
(= would move the Python script leftwards on ).

> > I was also going to add that I think it is better to provide one
> > tool and make sure that tool is working well instead of having two
> > tools that differ only in tiny details, since they might bit-rot in
> > different ways over time and it might be hard for a newcomer to
> > understand the motivation of having different tools.
> 

Agreed: knobs have a cost both to maintainers and to users.  However, we
should balance this downside with potential upsides, such as the ones I
offered above:

> >> >> [...]  It might be useful for someone if their environment
> >> >> doesn't have Python installed or if they find the zsh script
> >> >> easier to audit.

I'm not implying those points outweigh Daniel's; I'm just saying we
have identified pros and cons but haven't tallied them up yet.

For instance, perhaps we should link to both implementations but make it
clear that the Python one is preferred, community supported, "Use it
unless you know you need the other one", etc..

> 
> These are all good points.
> 
> I admit that zsh is a bit of a mystery to me, as is the script, so I
> couldn't provide support for it, at least not with my current
> knowledge. I am impressed that zsh can do so much with so little.
> 

zsh syntax can be terse, but the script is pretty much translatable
line-for-line into Python, except for the 'select' loop:

https://zsh.sourceforge.io/Doc/Release/Shell-Grammar.html#index-select

… which would be this:

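def select(choices):
    # Print a numbered menu, one line per choice
    for i_and_element in enumerate(choices):
        print("{}: {}".format(*i_and_element))
    n = int(input("Choice number: "))
    # Reject indices outside the menu
    if not (0 <= n < len(choices)):
        raise ValueError("choice out of range")
    return choices[n]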

(plus a few more lines for the argv and loop support)

> It's in the list archives, but as DanielSh points out, is in a thread
> with a not-so-nice subject. That could be addressed by re-mailing it
> to dev@ with a new subject, e.g., "Prototype zsh script to store svn
> password in plaintext" in case anyone ever asks or searches for a
> non-Python way to do it. We could even link to it from the same FAQ,
> e.g., "An example of how to store svn plaintext credentials was
> implemented as a zsh script. It is unsupported by the SVN maintainers
> but can be found at [link] for pedagogical purposes."

If we give the script a new URL, perhaps we could make that URL identify
a _mutable_ resource, so if we ever have to update the script all its
users won't have to update their bookmarks?  Just a nice-to-have.

Cheers,

Daniel
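
The realm listing and interactive choice discussed in the message above, as an added example that is not code from this thread or from the Subversion project. It assumes the realm is stored under the key svn:realmstring in each svn.simple file; the helper names (encode_svn_hash, parse_svn_hash, list_realms) and the injectable ask parameter are hypothetical.

```python
import io
import os

REALM_KEY = b"svn:realmstring"  # assumed key holding the authentication realm

def encode_svn_hash(entry):
    """Serialize a bytes->bytes dict as K/V records followed by END."""
    out = b""
    for key, val in entry.items():
        out += b"K %d\n%s\nV %d\n%s\n" % (len(key), key, len(val), val)
    return out + b"END\n"

def _read_datum(fd, header, letter):
    """Validate a 'K <len>' or 'V <len>' header, then read exactly <len> bytes."""
    if not (header.startswith(letter + b" ") and header.endswith(b"\n")):
        raise ValueError("expected {!r} header, got {!r}".format(letter, header))
    length = int(header[2:-1])
    datum = fd.read(length)
    if len(datum) != length or fd.read(1) != b"\n":
        raise ValueError("truncated or mis-sized datum")
    return datum

def parse_svn_hash(data):
    """Parse the records written by encode_svn_hash(); reject trailing data."""
    fd, result = io.BytesIO(data), {}
    while True:
        header = fd.readline()
        if header == b"END\n":
            if fd.read(1):
                raise ValueError("extra content after END")
            return result
        key = _read_datum(fd, header, b"K")
        result[key] = _read_datum(fd, fd.readline(), b"V")

def list_realms(auth_dir):
    """Return (filename, realm) pairs; the stored passwords are not returned."""
    realms = []
    for name in sorted(os.listdir(auth_dir)):
        try:
            with open(os.path.join(auth_dir, name), "rb") as f:
                entry = parse_svn_hash(f.read())
        except (OSError, ValueError):
            continue  # not a readable hash-format file
        if REALM_KEY in entry:
            realms.append((name, entry[REALM_KEY].decode("utf-8", "replace")))
    return realms

def select(choices, ask=input):
    """Numbered menu that re-prompts until a valid index is entered."""
    if not choices:
        raise ValueError("nothing to choose from")
    for numbered in enumerate(choices):
        print("{}: {}".format(*numbered))
    while True:
        answer = ask("Choice number: ").strip()
        if answer.isdecimal() and int(answer) < len(choices):
            return choices[int(answer)]
        print("Enter a number from 0 to {}".format(len(choices) - 1))
```

Calling select(list_realms(os.path.expanduser("~/.subversion/auth/svn.simple"))) gives the menu; files that do not parse are skipped rather than aborting the listing.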


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-14 Thread Nathan Hartman
On Thu, Jul 14, 2022 at 10:02 AM Daniel Sahlberg
 wrote:
>
> Den tors 14 juli 2022 kl 15:52 skrev Daniel Shahaf :
>>
>> Nathan Hartman wrote on Wed, 13 Jul 2022 15:29 +00:00:
>> > On Wed, Jul 13, 2022 at 10:55 AM Daniel Shahaf  
>> > wrote:
>> >> Should the entry link to the zsh script
>> >> (https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
>> >> as well, as an alternative?  It might be useful for someone if their
>> >> environment doesn't have Python installed or if they find the zsh script
>> >> easier to audit.
>> >
>> > I think it would be useful, and...
>> >
>> >> (Well, I suppose it might make more sense to copy the script
>> >> somewhere than to link to an immutable archives message with that
>> >> subject line.)
>> >
>> > ...the place to put it is probably tools/client-side/ just like the
>> > Python script.
>>
>> Being in tools/ would imply dev@ accepts responsibility for bug reports
>> against the zsh script.  Is dev@ happy to do that?  I'm concerned about
>> the bus factor.
>
>
> I was just about to say the same thing (and with no intention to discredit 
> the zsh version). If it is desirable to list all available realms and let the 
> user choose interactively, I could add that to the Python script.
>
> I was also going to add that I think it is better to provide one tool and 
> make sure that tool is working well instead of having two tools that differ 
> only in tiny details, since they might bit-rot in different ways over time 
> and it might be hard for a newcomer to understand the motivation of having 
> different tools.


These are all good points.

I admit that zsh is a bit of a mystery to me, as is the script, so I
couldn't provide support for it, at least not with my current
knowledge. I am impressed that zsh can do so much with so little.

It's in the list archives, but as DanielSh points out, is in a thread
with a not-so-nice subject. That could be addressed by re-mailing it
to dev@ with a new subject, e.g., "Prototype zsh script to store svn
password in plaintext" in case anyone ever asks or searches for a
non-Python way to do it. We could even link to it from the same FAQ,
e.g., "An example of how to store svn plaintext credentials was
implemented as a zsh script. It is unsupported by the SVN maintainers
but can be found at [link] for pedagogical purposes."

Cheers,
Nathan


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-14 Thread Daniel Sahlberg
Den tors 14 juli 2022 kl 15:52 skrev Daniel Shahaf :

> Nathan Hartman wrote on Wed, 13 Jul 2022 15:29 +00:00:
> > On Wed, Jul 13, 2022 at 10:55 AM Daniel Shahaf 
> wrote:
> >> Should the entry link to the zsh script
> >> (
> https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E
> )
> >> as well, as an alternative?  It might be useful for someone if their
> >> environment doesn't have Python installed or if they find the zsh script
> >> easier to audit.
> >
> > I think it would be useful, and...
> >
> >> (Well, I suppose it might make more sense to copy the script
> >> somewhere than to link to an immutable archives message with that
> >> subject line.)
> >
> > ...the place to put it is probably tools/client-side/ just like the
> > Python script.
>
> Being in tools/ would imply dev@ accepts responsibility for bug reports
> against the zsh script.  Is dev@ happy to do that?  I'm concerned about
> the bus factor.
>

I was just about to say the same thing (and with no intention to discredit
the zsh version). If it is desirable to list all available realms and let
the user choose interactively, I could add that to the Python script.

I was also going to add that I think it is better to provide one tool and
make sure that tool is working well instead of having two tools that differ
only in tiny details, since they might bit-rot in different ways over time
and it might be hard for a newcomer to understand the motivation of having
different tools.

Kind regards,
Daniel


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-14 Thread Daniel Shahaf
Nathan Hartman wrote on Wed, 13 Jul 2022 15:29 +00:00:
> On Wed, Jul 13, 2022 at 10:55 AM Daniel Shahaf  
> wrote:
>> Should the entry link to the zsh script
>> (https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
>> as well, as an alternative?  It might be useful for someone if their
>> environment doesn't have Python installed or if they find the zsh script
>> easier to audit.
>
> I think it would be useful, and...
>
>> (Well, I suppose it might make more sense to copy the script
>> somewhere than to link to an immutable archives message with that
>> subject line.)
>
> ...the place to put it is probably tools/client-side/ just like the
> Python script.

Being in tools/ would imply dev@ accepts responsibility for bug reports
against the zsh script.  Is dev@ happy to do that?  I'm concerned about
the bus factor.

Cheers,

Daniel


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-13 Thread Nathan Hartman
On Wed, Jul 13, 2022 at 10:55 AM Daniel Shahaf  wrote:
>
> Nathan Hartman wrote on Wed, 13 Jul 2022 13:43 +00:00:
> > On Wed, Jul 13, 2022 at 9:33 AM Daniel Shahaf 
> > wrote:
> >
> >> dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
> >> > A new script to store/update a password in the plain text password store
> >> >
> >> > * tools/client-side/store-plaintext-password.py
> >> >   As above
> >> >
> >> > Discussed on dev@:
> >> https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
> >> >
> >> > Added:
> >> > subversion/trunk/tools/client-side/store-plaintext-password.py
> >>  (with props)
> >>
> >> Presumably, now that it's been added, we should link it from somewhere
> >> to make it discoverable by users?
> >
> >
> >
> > Ah yes, it is on my todo list to link to it from the FAQ [1]. :-)
> >
> > [1] https://subversion.apache.org/faq.html#plaintext-passwords
>
> Added to staging in r1902704.  Hope you don't mind :)  Please take it
> from here if you have time.

Ah, you beat me to it. :-) LGTM. I was about to ask you:

> Should the entry link to the zsh script
> (https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
> as well, as an alternative?  It might be useful for someone if their
> environment doesn't have Python installed or if they find the zsh script
> easier to audit.

I think it would be useful, and...

> (Well, I suppose it might make more sense to copy the script
> somewhere than to link to an immutable archives message with that
> subject line.)

...the place to put it is probably tools/client-side/ just like the
Python script.

Cheers,
Nathan


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-13 Thread Daniel Shahaf
Nathan Hartman wrote on Wed, 13 Jul 2022 13:43 +00:00:
> On Wed, Jul 13, 2022 at 9:33 AM Daniel Shahaf 
> wrote:
>
>> dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
>> > A new script to store/update a password in the plain text password store
>> >
>> > * tools/client-side/store-plaintext-password.py
>> >   As above
>> >
>> > Discussed on dev@:
>> https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
>> >
>> > Added:
>> > subversion/trunk/tools/client-side/store-plaintext-password.py
>>  (with props)
>>
>> Presumably, now that it's been added, we should link it from somewhere
>> to make it discoverable by users?
>
>
>
> Ah yes, it is on my todo list to link to it from the FAQ [1]. :-)
>
> [1] https://subversion.apache.org/faq.html#plaintext-passwords

Added to staging in r1902704.  Hope you don't mind :)  Please take it
from here if you have time.

Should the entry link to the zsh script
(https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
as well, as an alternative?  It might be useful for someone if their
environment doesn't have Python installed or if they find the zsh script
easier to audit.

(Well, I suppose it might make more sense to copy the script
somewhere than to link to an immutable archives message with that
subject line.)

Cheers,

Daniel


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-13 Thread Nathan Hartman
On Wed, Jul 13, 2022 at 9:33 AM Daniel Shahaf 
wrote:

> dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
> > A new script to store/update a password in the plain text password store
> >
> > * tools/client-side/store-plaintext-password.py
> >   As above
> >
> > Discussed on dev@:
> https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
> >
> > Added:
> > subversion/trunk/tools/client-side/store-plaintext-password.py
>  (with props)
>
> Presumably, now that it's been added, we should link it from somewhere
> to make it discoverable by users?



Ah yes, it is on my todo list to link to it from the FAQ [1]. :-)

[1] https://subversion.apache.org/faq.html#plaintext-passwords

Cheers,
Nathan


Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-13 Thread Daniel Shahaf
dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
> A new script to store/update a password in the plain text password store
> 
> * tools/client-side/store-plaintext-password.py
>   As above
> 
> Discussed on dev@: 
> https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
> 
> Added:
> subversion/trunk/tools/client-side/store-plaintext-password.py   (with 
> props)

Presumably, now that it's been added, we should link it from somewhere
to make it discoverable by users?

Cheers,

Daniel
(I have reviewed the changes you mentioned on dev@ and have no comments.)


svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py

2022-07-08 Thread dsahlberg
Author: dsahlberg
Date: Fri Jul  8 23:39:13 2022
New Revision: 1902590

URL: http://svn.apache.org/viewvc?rev=1902590=rev
Log:
A new script to store/update a password in the plain text password store

* tools/client-side/store-plaintext-password.py
  As above

Discussed on dev@: 
https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm

Added:
subversion/trunk/tools/client-side/store-plaintext-password.py   (with 
props)

Added: subversion/trunk/tools/client-side/store-plaintext-password.py
URL: 
http://svn.apache.org/viewvc/subversion/trunk/tools/client-side/store-plaintext-password.py?rev=1902590=auto
==
--- subversion/trunk/tools/client-side/store-plaintext-password.py (added)
+++ subversion/trunk/tools/client-side/store-plaintext-password.py Fri Jul  8 
23:39:13 2022
@@ -0,0 +1,191 @@
+#!/usr/bin/env python3
+"""\
+Script to store password in plaintext in ~/.subversion/auth/svn.simple/
+
+Useful in case Subversion is compiled without support for writing
+passwords in plaintext.
+
+Only use this script if the security implications are understood
+and it is acceptable by your organization to store passwords in plaintext.
+
+See http://subversion-staging.apache.org/faq.html#plaintext-passwords
+"""
+
+# 
+#Licensed to the Apache Software Foundation (ASF) under one
+#or more contributor license agreements.  See the NOTICE file
+#distributed with this work for additional information
+#regarding copyright ownership.  The ASF licenses this file
+#to you under the Apache License, Version 2.0 (the
+#"License"); you may not use this file except in compliance
+#with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#Unless required by applicable law or agreed to in writing,
+#software distributed under the License is distributed on an
+#"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#KIND, either express or implied.  See the License for the
+#specific language governing permissions and limitations
+#under the License.
+# 
+
+import os
+import sys
+
+TERMINATOR = b"END\n"
+
+PARSERDESCR = """\
+Store plaintext password in ~/.subversion/auth/svn.simple/
+
+Existing passwords and authentication realms can be inspected by:
+
+svn auth [--show-passwords]
+
+The authentication realm can also be found using:
+
+svn info URL
+"""
+
+def _read_one_datum(fd, letter):
+"""\
+Read a 'K \\n\\n' or 'V \\n\\n' block from
+an svn_hash_write2()-format FD.
+
+LETTER identifies the first letter, as a bytes object.
+"""
+assert letter in {b'K', b'V'}
+
+# Read the letter and the space
+readletter = fd.read(1)
+if readletter != letter or fd.read(1) != b' ':
+raise ValueError('Hash file format error: Expected {} got 
{}'.format(letter, readletter))
+
+# Read the length and the newline
+line = fd.readline()
+if line[-1:] != b'\n':
+raise ValueError('Hash file format error: Expected trailing \\n')
+expected_length = int(line[:-1])
+
+# Read the datum and its newline
+datum = fd.read(expected_length)
+if len(datum) != expected_length:
+raise ValueError('Hash file format error: Expected length {} got 
{}'.format(expected_length, len(datum)))
+if fd.read(1) != b'\n':
+raise ValueError('Hash file format error: Extra data after reading {} 
bytes, expected \\n')
+
+return datum
+
+def svn_hash_read(fd):
+"""\
+Read an svn_hash_write2()-formatted file from FD, terminated by "END".
+
+Return a dict mapping bytes to bytes.
+"""
+assert 'b' in fd.mode
+assert TERMINATOR[0] not in {b'K', b'V'}
+
+ret = {}
+while True:
+if fd.peek(1)[0] == TERMINATOR[0]:
+if fd.readline() != TERMINATOR:
+raise ValueError('Hash file format error: Expected file 
terminator {}'.format(TERMINATOR))
+if fd.peek(1):
+raise ValueError('Hash file format error: Extra content after 
file terminator')
+return ret
+
+key = _read_one_datum(fd, b'K')
+value = _read_one_datum(fd, b'V')
+ret[key] = value
+
+def outputHash(fd, hash):
+"""\
+Write a dictionary HASH to an open file descriptor FD in the
+svn_hash_write2()-format, terminated by "END\\n".
+
+The keys and values must have datatype 'bytes' and strings must be
+encoded using utf-8.
+"""
+assert 'b' in fd.mode
+
+for key, val in dict.items():
+fd.write(b'K ' + bytes(str(len(key)), 'utf-8') + b'\n')
+fd.write(key + b'\n')
+fd.write(b'V ' + bytes(str(len(val)), 'utf-8') + b'\n')
+fd.write(val + b'\n')
+fd.write(TERMINATOR)
+
+def writeHashFile(filename, hash):
+"""\
+
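Review bot: In outputHash(), the loop reads "for key, val in dict.items():", which calls the builtin type's method instead of iterating the hash argument, so the function raises TypeError before anything is written; it should be "for key, val in hash.items():", and renaming the parameter would avoid shadowing the builtin hash(). In svn_hash_read(), "assert TERMINATOR[0] not in {b'K', b'V'}" compares an int with bytes objects and can never fail; TERMINATOR[:1] would make the check meaningful. Also in svn_hash_read(), fd.peek(1)[0] raises IndexError at end of file, so a truncated file that lacks the END line escapes the ValueError handling used for every other format error; test for an empty peek first. In _read_one_datum(), the "Extra data after reading {} bytes" message is never passed through .format(), so the placeholder is printed literally.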