On Thu, Mar 31, 2011 at 5:38 AM, Martijn Pieters <m...@zopatista.com> wrote:
> On Wed, Mar 30, 2011 at 15:08, Jim Fulton <j...@zope.com> wrote:
>> We do something similar with sftp (zc.buildoutsftp). To publish eggs,
>> we just use scp.
>> The advantage of this is that it leverages ssh infrastructure, so *no*
>> additional password management is needed. This is wildly better, IMO,
>> than keeping passwords in clear text in your buildout configuration or
>> in a dot file.
> That depends on your deployment scenarios. We generate separate
> passwords per customer, and give them a dedicated URL to load their
> private eggs from, then put the password in the buildout.cfg. To load
> the buildout.cfg in the first place, the exact same password is used.
> Managing SSH accounts and keys for those customers would cost us much
> more overhead, and would complicate our instructions for deployment to
> On the other hand, for deployments of a buildout from a SVN repository
> already served over SSH would make the sftp route the logical choice.

Some customers are too dumb to be secure. OK, makes sense. :)

Seriously, I assume this is a read-only scenario, in which case having
clear-text passwords lying around in prominent places seems less
problematic. If they could write to the repo, then I would still have
serious problems with this approach.

Another approach would be to integrate with some secure key-management
service (keychain) on the customer's machines, but I expect that would
be as painful as helping them figure out ssh.
Zope-Dev maillist - Zope-Dev@zope.org