Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-13 Thread Chris McDonough
On 5/12/09 11:54 AM, Hanno Schlichting wrote: > Chris McDonough wrote: >> I think this package is becoming less "repoze.zope2" than some other more >> experimental system. Which is fine. But there's no way I'm going to be able >> to give people help with it on IRC or the maillist when it breaks b

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-13 Thread Hanno Schlichting
Chris McDonough wrote: > I added some more test coverage on the trunk. It's still pretty poor right > now. Awesome! I'll try to improve the coverage after getting some more documentation for my latest changes in. Hanno

[Repoze-dev] Fwd: JS Hashing - Initial Thoughts

2009-05-13 Thread Ian Bicking
On Tue, May 12, 2009 at 11:13 PM, Paul Johnston wrote: > I noticed that AuthTktCookiePlugin does not check the timestamp. This > is a problem actually, it makes the cookie a "password equivalent" and > negates most of the benefits of hashing the password. I realise apps > could check the timestamp

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-13 Thread Tres Seaver
Chris McDonough wrote: > On 5/12/09 12:00 PM, Malthe Borch wrote: >> 2009/5/12 Chris McDonough: >>> If we ever do release an 80%-compatible publisher replacement, we should >>> call it >>> something other than "repoze.zope2". >> I doubt if we're reall

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-13 Thread Casey Duncan
On May 13, 2009, at 3:40 PM, Tres Seaver wrote: > Chris McDonough wrote: >> On 5/12/09 12:00 PM, Malthe Borch wrote: >>> 2009/5/12 Chris McDonough: If we ever do release an 80%-compatible publisher replacement, we should call it

Re: [Repoze-dev] repoze.zope2 - what's up on trunk

2009-05-13 Thread Shane Hathaway
Reed O'Brien wrote: > On May 12, 2009, at 12:17 PM, Chris McDonough wrote: >> If we can't afford this (and I sure can't personally), I'm not sure >> what we'd >> end up calling it. plone.dot.something? zope.dot.something? > > ymmv.zope2 LOL! It would be a commitment to never commit to anythin

Re: [Repoze-dev] JS Hashing - Initial Thoughts

2009-05-13 Thread Shane Hathaway
Paul Johnston wrote: > By default, passwords are stored in the database without a salt. Usual > practice is to use a salt, to make things harder for an attacker, just > in case your password database is captured. The scheme I favor is > storing hmac_sha1(hmac_sha1(master_salt, user_name), password)