[tg-trunk] Re: TG auth model and encryption method improvement

2009-02-02 Thread Gustavo Narea

On Monday February 2, 2009 08:26:08 Jorge Vargas wrote:
 I just have one question what is the purpose of repoze.what-quickstart
 I see you added it to the deps of the quickstarted project but I fail
 to find where it's used. I took a look at the package and it doesn't
 seem like quickstart to me, at least not in the sense paster template
 + paster quickstart use the word. it seems more like
 repoze.what.middleware or simply a layer on top of repoze.who to
 configure it.

Indeed the repoze.what Quickstart plugin has nothing to do with 
TG/Pylons/Paster -- repoze.who/what and all their public plugins are all web 
framework independent, AFAIK.

This Quickstart is a glue to join repoze.who and repoze.what, so that people 
using both auth frameworks can get started quickly, especially people who are 
new to both frameworks.

So, in fact it's more than a repoze.what plugin -- it's a repoze.who plugin 
too. It's a plugin to configure both repoze.who and repoze.what in one go. 
Thus a better distribution name may be repoze.auth-quickstart.

Cheers.
-- 
Gustavo Narea http://gustavonarea.net/.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
TurboGears Trunk group.
To post to this group, send email to turbogears-trunk@googlegroups.com
To unsubscribe from this group, send email to 
turbogears-trunk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/turbogears-trunk?hl=en
-~--~~~~--~~--~--~---



[tg-trunk] Re: TG auth model and encryption method improvement

2009-02-02 Thread Christoph Zwerschke

Gustavo Narea wrote:
 So, in fact it's more than a repoze.what plugin -- it's a repoze.who plugin 
 too. It's a plugin to configure both repoze.who and repoze.what in one go. 
 Thus a better distribution name may be repoze.auth-quickstart.

How about repoze.auth-quickconf? That would be less confusing.

Also, I'd like to see repoze.who.plugins.sa and repoze.what.plugins.sql
use the same suffix (either sa or sql), since they both use SQLAlchemy.
Maybe even merge them into a repoze.auth-sql package?

-- Christoph





[tg-trunk] Re: TG auth model and encryption method improvement

2009-02-02 Thread Gustavo Narea

On Monday February 2, 2009 16:41:07 Christoph Zwerschke wrote:
 How about repoze.auth-quickconf? That would be less confusing.

+1, I like it better. :)

Although, I'd prefer to change it once repoze.what v2 is out, or when we're 
getting close. Right now r.what v1 is not the de facto authorization framework 
in the Repoze project (there's repoze.decsec and repoze.bfg uses its own 
framework), so I think it'd make more sense to have repoze.auth-quickconf if 
it configures the de facto authentication and authorization frameworks for the 
Repoze project -- and I think there are chances for repoze.what v2 to become 
that authorization framework.


 Also, I'd like to see repoze.who.plugins.sa and repoze.what.plugins.sql
 use the same suffix (either sa or sql), since they both use SQLAlchemy.
 Maybe even merge them into a repoze.auth-sql package?

I don't think that the fact that both use SQLAlchemy is enough to consider 
merging them. What would be the advantage? I can see other issues though:

 * Our goal is not to mix authentication and authorization, not even in the 
plugins.
 * repoze.what's userbase is small (it's new after all), compared to 
repoze.who's. People using repoze.who only don't need and don't want to know 
about repoze.what's SQL-based adapters. I think these people should not be 
bothered to update some of their imports because repoze.who.plugins.sa is 
superseded by a new package whose improvement (the inclusion of repoze.what 
SQL adapters) is useless for them.
 * What would be its dependencies in addition to SA? repoze.who? repoze.what? 
repoze.who and repoze.what? What if they only want one of them? OK, I may 
exclude both r.what and r.who from the dependencies, but what if later on a 
new release requires at least version X.Y of repoze.who/what?
 * repoze.auth-sql may not work because there's already a SQL plugin for 
r.who and it's official, which would leave us with repoze.auth-sqlalchemy or 
repoze.auth-sa.

I mean, I'm open to merge them if I see a problem with their current state. 
But that they share a main dependency is not a problem from my point of view.

Cheers!
-- 
Gustavo Narea http://gustavonarea.net/.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/




[tg-trunk] Re: TG auth model and encryption method improvement

2009-02-02 Thread Christoph Zwerschke

Concerning the name changes or merging of projects, actually I don't
know much about the  background (repoze, the plugin concept etc.) so if
you think that does not make much sense, please ignore my suggestions.

-- Christoph




[tg-trunk] Re: TG auth model and encryption method improvement

2009-02-01 Thread Jorge Vargas

On Sat, Jan 31, 2009 at 8:32 AM, Gustavo Narea m...@gustavonarea.net wrote:
 On Saturday January 31, 2009 00:49:07 Mark Ramm wrote:
 On Fri, Jan 30, 2009 at 3:34 PM, Gustavo Narea m...@gustavonarea.net wrote:
  In r6204 I applied a not so drastic solution:
  http://trac.turbogears.org/changeset/6204
 
  But again I think it'd be better if we removed the ability to select the
  hashing algorithm, mostly to make the template a bit simpler. Can I go
  for that?

 + 100

 OK, done in r6209.

really nice Gustavo, I just tested it's a lot cleaner, you even went
one step further into getting rid of plain sha and md5 :)

I just have one question what is the purpose of repoze.what-quickstart
I see you added it to the deps of the quickstarted project but I fail
to find where it's used. I took a look at the package and it doesn't
seem like quickstart to me, at least not in the sense paster template
+ paster quickstart use the word. it seems more like
repoze.what.middleware or simply a layer on top of repoze.who to
configure it.




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-31 Thread Gustavo Narea

On Saturday January 31, 2009 00:49:07 Mark Ramm wrote:
 On Fri, Jan 30, 2009 at 3:34 PM, Gustavo Narea m...@gustavonarea.net wrote:
  In r6204 I applied a not so drastic solution:
  http://trac.turbogears.org/changeset/6204
 
  But again I think it'd be better if we removed the ability to select the
  hashing algorithm, mostly to make the template a bit simpler. Can I go
  for that?

 + 100

OK, done in r6209.
-- 
Gustavo Narea http://gustavonarea.net/.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-30 Thread Gustavo Narea

In r6204 I applied a not so drastic solution:
http://trac.turbogears.org/changeset/6204

But again I think it'd be better if we removed the ability to select the 
hashing algorithm, mostly to make the template a bit simpler. Can I go for 
that?

Cheers. 

On Thursday January 29, 2009 17:38:14 Jorge Vargas wrote:
 On Wed, Jan 28, 2009 at 5:08 PM, Florent Aide florent.a...@gmail.com 
wrote:
  On Wed, Jan 28, 2009 at 7:34 PM, Jorge Vargas jorge.var...@gmail.com 
wrote:
  to be clear, that's my point why won't that work? why will I need
  to load tg in order to use a console script? can't we just inline that
  in the model where it should be? Just as Gustavo said simply add the 3
  lines to the model with the sha1 and md5 commented out and the
  salted_sha1 un-commented. That will let everyone default to the most
  secure algorithm, yet still allow you to go back to the less-secure
  ones in case you need to (for example old already hashed passwords)
 
  why not... this is in the quickstarted app and anyone willing to lower
  his security (or improve it by using some different method) could do
  it easily... and this would remove quite some problems... I'm
  convinced...
 
  +1 for Gustavo's proposal

 ok I'll make a ticket + patch.

 
-- 
Gustavo Narea http://gustavonarea.net/.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-30 Thread Mark Ramm

On Fri, Jan 30, 2009 at 3:34 PM, Gustavo Narea m...@gustavonarea.net wrote:

 In r6204 I applied a not so drastic solution:
 http://trac.turbogears.org/changeset/6204

 But again I think it'd be better if we removed the ability to select the
 hashing algorithm, mostly to make the template a bit simpler. Can I go for
 that?

+ 100




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-29 Thread Jorge Vargas

On Wed, Jan 28, 2009 at 5:08 PM, Florent Aide florent.a...@gmail.com wrote:

 On Wed, Jan 28, 2009 at 7:34 PM, Jorge Vargas jorge.var...@gmail.com wrote:

 to be clear, that's my point why won't that work? why will I need
 to load tg in order to use a console script? can't we just inline that
 in the model where it should be? Just as Gustavo said simply add the 3
 lines to the model with the sha1 and md5 commented out and the
 salted_sha1 un-commented. That will let everyone default to the most
 secure algorithm, yet still allow you to go back to the less-secure
 ones in case you need to (for example old already hashed passwords)

 why not... this is in the quickstarted app and anyone willing to lower
 his security (or improve it by using some different method) could do
 it easily... and this would remove quite some problems... I'm
 convinced...

 +1 for Gustavo's proposal


ok I'll make a ticket + patch.




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-28 Thread Gustavo Narea

On Wednesday January 28, 2009 16:40:53 Mark Ramm wrote:
 It's possible that we
 could simplify it bit, but it works.

Why don't we just drop the ability to select the hashing algorithm and use 
salted SHA1 by default? It won't break existing applications.

To be honest, I don't that feature:
 * It's not as simple as it should be to be able to use the model outside of TG.
 * The available alternatives, SHA1 and MD5, are not very reliable:
  reliability(salted_sha1) > reliability(sha1) > reliability(md5)
 * This is not about encrypting, but about hashing.

Cheers.
-- 
Gustavo Narea http://gustavonarea.net/.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-28 Thread Jorge Vargas

On Wed, Jan 28, 2009 at 3:17 AM, Florent Aide florent.a...@gmail.com wrote:

 On Wed, Jan 28, 2009 at 5:37 AM, Jorge Vargas jorge.var...@gmail.com wrote:

 Hello guys,

 today while upgrading an old project (1.9.7) to a more current version
 (2.0b4) I found a very interesting case.

 I used a custom script to create users which generated a very
 interesting result, here is a copy of the script.

 http://paste.chrisarndt.de/paste/5942bb29dab74c309a766638218f8f54

 this script does not load the tg config... how could the tg model find
 the auth encryption algo?

to be clear, that's my point why won't that work? why will I need
to load tg in order to use a console script? can't we just inline that
in the model where it should be? Just as Gustavo said simply add the 3
lines to the model with the sha1 and md5 commented out and the
salted_sha1 un-commented. That will let everyone default to the most
secure algorithm, yet still allow you to go back to the less-secure
ones in case you need to (for example old already hashed passwords)
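
An added example, not part of the original messages and not the TurboGears template code: a model with salted SHA-1 hashing inlined so a console script can use it without loading any framework config, as proposed in this message and in Gustavo Narea's 2009-01-28 message, while still accepting old unsalted SHA-1/MD5 hashes and upgrading them on login. The storage layout (40 hex characters of salt followed by 40 of digest), the length-based format detection and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DIGEST_HEX = 40                          # length of a SHA-1 hex digest
LEGACY_ALGOS = {32: "md5", 40: "sha1"}   # unsalted hex length -> algorithm


def hash_password(password):
    """Return salt_hex + sha1(salt_hex + password): 80 hex characters."""
    salt = hashlib.sha1(os.urandom(60)).hexdigest()
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def check_password(password, stored):
    """Return (valid, needs_rehash) for a salted or legacy stored hash."""
    if len(stored) == 2 * DIGEST_HEX:
        salt, expected = stored[:DIGEST_HEX], stored[DIGEST_HEX:]
        actual = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
        return _same(actual, expected), False
    algo = LEGACY_ALGOS.get(len(stored))
    if algo is None:
        return False, False              # unknown format: reject
    actual = hashlib.new(algo, password.encode("utf-8")).hexdigest()
    ok = _same(actual, stored)
    return ok, ok                        # valid legacy hash should be upgraded


def _same(a, b):
    """Constant-time comparison of two hex strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class User:
    """Plain model object: hashing is inlined, no framework config is read."""

    def __init__(self, name, stored_hash):
        self.name = name
        self.password = stored_hash

    def set_password(self, password):
        self.password = hash_password(password)

    def validate_password(self, password):
        ok, needs_rehash = check_password(password, self.password)
        if ok and needs_rehash:
            self.set_password(password)  # upgrade the row on successful login
        return ok


if __name__ == "__main__":
    # Constructed sample: a row left over from an unsalted-MD5 deployment.
    user = User("alice", hashlib.md5(b"s3cret").hexdigest())
    print(user.validate_password("s3cret"), len(user.password))
```

The same verify-then-rehash step is how a deployment would later move from salted SHA-1 to a deliberately slow KDF such as PBKDF2 (`hashlib.pbkdf2_hmac`) without forcing password resets.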




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-28 Thread Florent Aide

On Wed, Jan 28, 2009 at 7:34 PM, Jorge Vargas jorge.var...@gmail.com wrote:

 to be clear, that's my point why won't that work? why will I need
 to load tg in order to use a console script? can't we just inline that
 in the model where it should be? Just as Gustavo said simply add the 3
 lines to the model with the sha1 and md5 commented out and the
 salted_sha1 un-commented. That will let everyone default to the most
 secure algorithm, yet still allow you to go back to the less-secure
 ones in case you need to (for example old already hashed passwords)

why not... this is in the quickstarted app and anyone willing to lower
his security (or improve it by using some different method) could do
it easily... and this would remove quite some problems... I'm
convinced...

+1 for Gustavo's proposal

Florent




[tg-trunk] Re: TG auth model and encryption method improvement

2009-01-27 Thread Florent Aide

On Wed, Jan 28, 2009 at 5:37 AM, Jorge Vargas jorge.var...@gmail.com wrote:

 Hello guys,

 today while upgrading an old project (1.9.7) to a more current version
 (2.0b4) I found a very interesting case.

 I used a custom script to create users which generated a very
 interesting result, here is a copy of the script.

 http://paste.chrisarndt.de/paste/5942bb29dab74c309a766638218f8f54

this script does not load the tg config... how could the tg model find
the auth encryption algo?

Florent.
