svn commit: r1902705 - /subversion/trunk/tools/client-side/store-plaintext-password.py
Author: hartmannathan Date: Wed Jul 13 20:32:22 2022 New Revision: 1902705 URL: http://svn.apache.org/viewvc?rev=1902705=rev Log: * tools/client-side/store-plaintext-password.py: Fix typo: s/real/realm/ Found by: danielsh Modified: subversion/trunk/tools/client-side/store-plaintext-password.py Modified: subversion/trunk/tools/client-side/store-plaintext-password.py URL: http://svn.apache.org/viewvc/subversion/trunk/tools/client-side/store-plaintext-password.py?rev=1902705=1902704=1902705=diff == --- subversion/trunk/tools/client-side/store-plaintext-password.py (original) +++ subversion/trunk/tools/client-side/store-plaintext-password.py Wed Jul 13 20:32:22 2022 @@ -143,7 +143,7 @@ def main(): parser = argparse.ArgumentParser( description=PARSERDESCR, formatter_class=argparse.RawDescriptionHelpFormatter) -parser.add_argument('realm', help='Server authentication real') +parser.add_argument('realm', help='Server authentication realm') parser.add_argument('-u', '--user', help='Set username') args = parser.parse_args()
Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py
On Wed, Jul 13, 2022 at 10:55 AM Daniel Shahaf wrote:
>
> Nathan Hartman wrote on Wed, 13 Jul 2022 13:43 +00:00:
> > On Wed, Jul 13, 2022 at 9:33 AM Daniel Shahaf wrote:
> >
> >> dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
> >> > A new script to store/update a password in the plain text password store
> >> >
> >> > * tools/client-side/store-plaintext-password.py
> >> >   As above
> >> >
> >> > Discussed on dev@:
> >> > https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
> >> >
> >> > Added:
> >> >     subversion/trunk/tools/client-side/store-plaintext-password.py (with props)
> >>
> >> Presumably, now that it's been added, we should link it from somewhere
> >> to make it discoverable by users?
> >
> > Ah yes, it is on my todo list to link to it from the FAQ [1]. :-)
> >
> > [1] https://subversion.apache.org/faq.html#plaintext-passwords
>
> Added to staging in r1902704. Hope you don't mind :) Please take it
> from here if you have time.

Ah, you beat me to it. :-) LGTM.

I was about to ask you:

> Should the entry link to the zsh script
> (https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
> as well, as an alternative? It might be useful for someone if their
> environment doesn't have Python installed or if they find the zsh script
> easier to audit.

I think it would be useful, and...

> (Well, I suppose it might make more sense to copy the script
> somewhere than to link to an immutable archives message with that
> subject line.)

...the place to put it is probably tools/client-side/ just like the
Python script.

Cheers,
Nathan
Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py
Nathan Hartman wrote on Wed, 13 Jul 2022 13:43 +00:00:
> On Wed, Jul 13, 2022 at 9:33 AM Daniel Shahaf wrote:
>
>> dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
>> > A new script to store/update a password in the plain text password store
>> >
>> > * tools/client-side/store-plaintext-password.py
>> >   As above
>> >
>> > Discussed on dev@:
>> > https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
>> >
>> > Added:
>> >     subversion/trunk/tools/client-side/store-plaintext-password.py (with props)
>>
>> Presumably, now that it's been added, we should link it from somewhere
>> to make it discoverable by users?
>
> Ah yes, it is on my todo list to link to it from the FAQ [1]. :-)
>
> [1] https://subversion.apache.org/faq.html#plaintext-passwords

Added to staging in r1902704. Hope you don't mind :) Please take it
from here if you have time.

Should the entry link to the zsh script
(https://mail-archives.apache.org/mod_mbox/subversion-dev/202008.mbox/%3C20200816130713.6abca815%40tarpaulin.shahaf.local2%3E)
as well, as an alternative? It might be useful for someone if their
environment doesn't have Python installed or if they find the zsh script
easier to audit.

(Well, I suppose it might make more sense to copy the script
somewhere than to link to an immutable archives message with that
subject line.)

Cheers,

Daniel
svn commit: r1902704 - /subversion/site/staging/faq.html
Author: danielsh Date: Wed Jul 13 14:48:38 2022 New Revision: 1902704 URL: http://svn.apache.org/viewvc?rev=1902704=rev Log: [in site/staging/] * faq.html (#plaintext-passwords): Link to the store-plaintext-password.py. Modified: subversion/site/staging/faq.html Modified: subversion/site/staging/faq.html URL: http://svn.apache.org/viewvc/subversion/site/staging/faq.html?rev=1902704=1902703=1902704=diff == --- subversion/site/staging/faq.html (original) +++ subversion/site/staging/faq.html Wed Jul 13 14:48:38 2022 @@ -3332,9 +3332,9 @@ time." have written a Python script that can store a plain-text password to the cache. If you understand the security implications, have ruled out other alternatives, and still want to cache your password in plain-text on disk, you -may find the script here: - -TODO: Link to the script. +may find the script https://svn.apache.org/repos/asf/subversion/trunk/tools/client-side/store-plaintext-password.py; +>in the tools/client-side/ directory in (as of this writing) our trunk. Additional Information
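Review bot: the link added in the #plaintext-passwords hunk targets the script under trunk/, which the new text itself qualifies with "(as of this writing)", so the file a reader downloads later can differ from the one this entry was written against. Since the FAQ is handing users a script that writes their password to disk, point the link at a fixed revision or, once the script ships in a release, at the release tag, and keep the trunk URL only as a secondary pointer.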
Re: svn commit: r1902582 - /subversion/trunk/tools/dist/release.py
Daniel Sahlberg wrote on Fri, Jul 08, 2022 at 23:07:08 +0200: > Den fre 8 juli 2022 kl 22:47 skrev : > > > Author: dsahlberg > > Date: Fri Jul 8 20:47:42 2022 > > New Revision: 1902582 > > > > URL: http://svn.apache.org/viewvc?rev=1902582=rev > > Log: > > ASF no longer provide a aggregated KEYS file, so we need to construct it > > ourselves using the make-keys.sh script. > > > > * tools/dist/release.py > > (roll_tarballs): Call make-keys.sh to create the KEYS file > > (get_keys): Call make-keys.sh to create the KEYS file > > > > Modified: > > subversion/trunk/tools/dist/release.py > > > > Modified: subversion/trunk/tools/dist/release.py > > URL: > > http://svn.apache.org/viewvc/subversion/trunk/tools/dist/release.py?rev=1902582=1902581=1902582=diff > > > > == > > --- subversion/trunk/tools/dist/release.py (original) > > +++ subversion/trunk/tools/dist/release.py Fri Jul 8 20:47:42 2022 > > @@ -98,7 +98,6 @@ dist_release_url = dist_repos + '/releas > > dist_archive_url = 'https://archive.apache.org/dist/subversion' > > buildbot_repos = os.getenv('SVN_RELEASE_BUILDBOT_REPOS', > > ' > > https://svn.apache.org/repos/infra/infrastructure/buildbot/aegis/buildmaster > > ') > > -KEYS = 'https://people.apache.org/keys/group/subversion.asc' > > extns = ['zip', 'tar.gz', 'tar.bz2'] 
> > > > > > @@ -980,7 +979,12 @@ def roll_tarballs(args): > > # from a committer's LDAP profile down the road) > > basename = 'subversion-%s.KEYS' % (str(args.version),) > > filepath = os.path.join(get_tempdir(args.base_dir), basename) > > -download_file(KEYS, filepath, None) > > +# The following code require release.py to be executed within a > > +# complete wc, not a shallow wc as indicated in HACKING as one > > option. > > +# We /could/ download COMMITTERS from /trunk if it doesn't > > exist... > > +subprocess.check_call([os.path.dirname(__file__) + > > '/make-keys.sh', > > + '-c', os.path.dirname(__file__) + '/../..', > > + '-o', filepath]) > > shutil.move(filepath, get_target(args)) > > > > I have tested the above part but NOT within the full roll_tarballs codepath > since I'm not sure if I might cause changes in the repository. I believe > the change is correct and I don't think things will be worse than trying to > download a non-existing URL but I would appreciate the help from someone > experienced in the release process to review or at least give me the > confidence to roll a tarball locally. IIRC, rolling the tarballs in itself just creates the foo.tar.gz files locally; it doesn't create the tag or do the post-tagging housekeeping commits. To be sure it doesn't commit, you can invalidate or delete any caches of your svn.apache.org password. Or you could create another local user on your OS and test from that. The test user should have its own UID, homedir, and environment, so it doesn't have access to your regular user's cached usernames/passwords.
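Review bot: in the roll_tarballs hunk quoted above, the new comment states a precondition (release.py must be run from a complete working copy) but nothing before the subprocess.check_call() tests it, so in a shallow working copy the problem would show up, at best, as an error from the make-keys.sh subprocess. Check that the COMMITTERS file the comment refers to exists under the directory passed with '-c' and raise an error that names the requirement before invoking the script. The comment itself should also read "requires" rather than "require".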
Re: svn commit: r1902582 - /subversion/trunk/tools/dist/release.py
dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 20:47:42 -: > +++ subversion/trunk/tools/dist/release.py Fri Jul 8 20:47:42 2022 > @@ -980,7 +979,12 @@ def roll_tarballs(args): > # from a committer's LDAP profile down the road) > basename = 'subversion-%s.KEYS' % (str(args.version),) > filepath = os.path.join(get_tempdir(args.base_dir), basename) > -download_file(KEYS, filepath, None) > +# The following code require release.py to be executed within a > +# complete wc, not a shallow wc as indicated in HACKING as one > option. > +# We /could/ download COMMITTERS from /trunk if it doesn't exist... Well, could you please either change HACKING or download COMMITTERS? The code for the latter is basically the tempfile+urlopen mechanics from the next hunk of this very diff. > +subprocess.check_call([os.path.dirname(__file__) + '/make-keys.sh', > + '-c', os.path.dirname(__file__) + '/../..', > + '-o', filepath]) > shutil.move(filepath, get_target(args)) > > # And we're done! 
> @@ -1465,12 +1469,11 @@ def check_sigs(args): > > def get_keys(args): > 'Import the LDAP-based KEYS file to gpg' > -# We use a tempfile because urlopen() objects don't have a .fileno() > -with tempfile.SpooledTemporaryFile() as fd: > -fd.write(urlopen(KEYS).read()) > -fd.flush() > -fd.seek(0) > -subprocess.check_call(['gpg', '--import'], stdin=fd) > +with tempfile.NamedTemporaryFile(delete=False) as tmpfile: > + keyspath = tmpfile.name > +subprocess.check_call([os.path.dirname(__file__) + '/make-keys.sh', > '-c', os.path.dirname(__file__) + '/../..', '-o', keyspath]) > +subprocess.check_call(['gpg', '--import', keyspath]) > +os.remove(keyspath) That's not how one uses NamedTemporaryFile(). Generally, all uses of the file should be inside the «with» block, and unlinking the file should be left to block's implicit handling (tmpfile.__exit__()). As written, however, NamedTemporaryFile() is used as though it were a "generate a safe temporary name" API. That means the file is not created atomically and won't be cleaned up if subprocess.check_call() raises an exception. Could you rewrite so the file isn't used outside its «with» block? > def add_to_changes_dict(changes_dict, audience, section, change, revision): > # Normalize arguments > >
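Review bot: in the get_keys hunk, and in the same call in the roll_tarballs hunk, the script path is built as os.path.dirname(__file__) + '/make-keys.sh'. os.path.dirname() returns an empty string when __file__ is a bare filename, in which case the command becomes '/make-keys.sh' and the '-c' argument becomes '/../..', both resolved from the filesystem root instead of from tools/dist. Compute the directory once with os.path.dirname(os.path.abspath(__file__)) and build both paths with os.path.join(); a small helper shared by the two callers would also remove the duplicated argument list.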
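The cleanup behaviour discussed in the reply above, as an added example that is not part of the original thread or of release.py: it runs the pattern from the quoted hunk beside one that keeps every use of the file inside the «with» block, and counts the files left behind when the import step fails. WRITER, READER and FAILING are constructed stand-ins for make-keys.sh and gpg, the function names are hypothetical, and a POSIX system is assumed (a second process may open the file while it is still open).

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-ins (assumptions): WRITER plays make-keys.sh and fills the
# file named by its last argument; READER plays a successful 'gpg --import';
# FAILING plays an import step that exits with an error.
WRITER = [sys.executable, '-c',
          "import sys; open(sys.argv[-1], 'w').write('constructed key data\\n')"]
READER = [sys.executable, '-c',
          "import sys; sys.exit(0 if open(sys.argv[-1]).read() else 1)"]
FAILING = [sys.executable, '-c', "import sys; sys.exit(3)"]


def name_only(generate_cmd, import_cmd, tmpdir):
    """Pattern from the quoted hunk: the file outlives its 'with' block."""
    with tempfile.NamedTemporaryFile(dir=tmpdir, delete=False) as tmpfile:
        path = tmpfile.name
    subprocess.check_call(generate_cmd + [path])
    subprocess.check_call(import_cmd + [path])
    os.remove(path)  # never reached if either call above raises


def inside_with(generate_cmd, import_cmd, tmpdir):
    """All uses inside the block; leaving it unlinks the file on any outcome."""
    with tempfile.NamedTemporaryFile(dir=tmpdir) as tmpfile:
        subprocess.check_call(generate_cmd + [tmpfile.name])
        subprocess.check_call(import_cmd + [tmpfile.name])


def leftovers(pattern, import_cmd):
    """Run one pattern in a scratch dir; return (raised, number of files left)."""
    with tempfile.TemporaryDirectory() as scratch:
        raised = False
        try:
            pattern(WRITER, import_cmd, scratch)
        except subprocess.CalledProcessError:
            raised = True
        return raised, len(os.listdir(scratch))


if __name__ == '__main__':
    for pattern in (name_only, inside_with):
        for label, cmd in (('import ok', READER), ('import fails', FAILING)):
            print(pattern.__name__, label, leftovers(pattern, cmd))
```
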
Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py
On Wed, Jul 13, 2022 at 9:33 AM Daniel Shahaf wrote:

> dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
> > A new script to store/update a password in the plain text password store
> >
> > * tools/client-side/store-plaintext-password.py
> >   As above
> >
> > Discussed on dev@:
> > https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
> >
> > Added:
> >     subversion/trunk/tools/client-side/store-plaintext-password.py (with props)
>
> Presumably, now that it's been added, we should link it from somewhere
> to make it discoverable by users?

Ah yes, it is on my todo list to link to it from the FAQ [1]. :-)

[1] https://subversion.apache.org/faq.html#plaintext-passwords

Cheers,
Nathan
Re: svn commit: r1902590 - /subversion/trunk/tools/client-side/store-plaintext-password.py
dsahlb...@apache.org wrote on Fri, Jul 08, 2022 at 23:39:14 -:
> A new script to store/update a password in the plain text password store
>
> * tools/client-side/store-plaintext-password.py
>   As above
>
> Discussed on dev@:
> https://lists.apache.org/thread/jfd0f5n2qpgnyc30dst6ycnkphcwf6mm
>
> Added:
>     subversion/trunk/tools/client-side/store-plaintext-password.py (with props)

Presumably, now that it's been added, we should link it from somewhere
to make it discoverable by users?

Cheers,

Daniel

(I have reviewed the changes you mentioned on dev@ and have no comments.)