On Apr 7, 2009, at 9:03 AM, John Hampton wrote:

>
> Noah Kantrowitz wrote:
>> On Apr 7, 2009, at 8:44 AM, John Hampton wrote:
>>
>>> Noah Kantrowitz wrote:
>>>> If they have no password backend configured, not form-based auth.
>>>> No need for extra options.
>>> ATM, it uses the SessionStore backend as a default.  One need not
>>> configure anything to have it work.
>>>
>>> I suppose that we could have initenv set this default (along with
>>> prompting for a TRAC_ADMIN username and password).
>>
>> That's a very bad default. If anything it should be using htpasswd as a
>> default. SessionStore is an optimization only for the largest of sites
>> where updating the password file becomes a concurrency issue. No one
>> else should ever use it, period. I would make it use htpasswd (with
>> conf/passwd as the file) at initenv, and then make it so if you blank
>> the config value for the backend it disables the form.
>
> You're smoking crack Noah!  htpasswd files suck.  Period.  SessionStore
> is not just an optimization for large sites only.  It's for anyone that
> doesn't want to bother with an additional password file.  It's also nice
> for platforms that don't have crypt (*cough* windows *cough*), or have a
> really crappy command line (*cough* windows *cough*).
>
> I stand by my decision of using SessionStore as the default password
> store.  I'll change it so that it only gets set at initenv and if left
> blank then form auth is not used as a fall back.
>
> Re: using htpasswd file, I think it's a horrible idea as a default.
> Most people don't want to have to deal with it.  Using the SessionStore
> keeps all user related things in the database.  This is how most other
> systems work and what, I think, most people expect.
>
> I'd like to hear the opinion of others on this point.  SessionStore or
> htpasswd file as the default password store for new environments?

There is nothing to "deal with" if we make it set the file paths
correctly. Using sessionstore as the default is basically a lock-in,
since nothing else can use Trac's DB for authentication. Everything
understands htpasswd, every web server ever made, and pretty much
every tool ever will have an importer. It is a common-denominator
format and I will continue to insist we use it as the default. There
is nothing wrong with using md5 or sha1 for htpasswd auth, and both of
those work fine on Windows. Also not sure how any of this requires a
command line when we are talking about GUI tools inside Trac.

--Noah
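To illustrate Noah's portability point (an example added here, not code from the thread or from Trac's AccountManager plugin): a small htpasswd writer and checker that handles Apache's `{SHA}` and `$apr1$` MD5 entry formats with hashlib alone, so it needs no crypt(3) and runs unchanged on Windows. The user names, passwords and htpasswd text it is exercised with are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Apache's own 64-character alphabet for $apr1$ output (not standard base64).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: bytes, salt: str) -> str:
    """Apache $apr1$ hash (the MD5-crypt variant htpasswd -m writes), hashlib only."""
    salt = salt[:8]                      # Apache uses at most 8 salt characters
    s = salt.encode()
    ctx = hashlib.md5(password + b"$apr1$" + s)
    alt = hashlib.md5(password + s + password).digest()
    n = len(password)
    while n > 0:                         # mix in len(password) bytes of the alt digest
        ctx.update(alt[:min(16, n)]); n -= 16
    n = len(password)
    while n:                             # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else password[:1]); n >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000-round stretching
        c = hashlib.md5(password if i & 1 else final)
        if i % 3: c.update(s)
        if i % 7: c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""                             # Apache's byte shuffle: 5 groups of 3 bytes, then 1 byte
    for idx in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5), (11,)):
        v = 0
        for k in idx: v = (v << 8) | final[k]
        for _ in range(4 if len(idx) == 3 else 2):
            out += _ITOA64[v & 0x3F]; v >>= 6
    return f"$apr1${salt}${out}"


def sha_hash(password: str) -> str:
    """{SHA} entry: unsalted base64(SHA-1); portable but weak, shown for completeness."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_entry(user: str, password: str, scheme: str = "apr1") -> str:
    if scheme == "sha": return f"{user}:{sha_hash(password)}"
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password.encode(), salt)}"


def check_password(htpasswd_text: str, user: str, password: str) -> bool:
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name != user or not stored: continue
        if stored.startswith("{SHA}"): calc = sha_hash(password)
        elif stored.startswith("$apr1$"): calc = apr1_md5(password.encode(), stored.split("$")[2])
        else: return False               # crypt(3)/bcrypt entries need another library
        return hmac.compare_digest(calc, stored)   # constant-time compare
    return False
```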

You received this message because you are subscribed to the Google Groups "Trac 
Development" group.
For more options, visit this group at 
http://groups.google.com/group/trac-dev?hl=en