[Python-Dev] PEP: Migrating the Python CVS to Subversion

Barry Warsaw barry at python.org
Fri Jul 29 23:57:33 CEST 2005


On Fri, 2005-07-29 at 00:44, "Martin v. Löwis" wrote:

> - assignment of passwords. This I don't like about the current
>   pydotorg setup - there should be a way to choose your own password;
>   perhaps without involving an administrator.
>   I could imagine a web form for password change, and administrator
>   interaction in case of a lost password.

I disagree.  By reserving password generation to the pydotorg admins, we
can better ensure the passwords are more robust against dictionary
attacks.  See my previous message.  I actually /don't/ want individuals
to be able to set their own passwords.  In practice, you only have to
know your password once, because svn caches the authentication (yes,
that opens up opportunities for compromise, but that's how svn works).

> - compromised passwords. The only tricky question then is: was the
>   repository altered? Fortunately, for Subversion, there should be
>   an easy way to tell: in fsfs, files never change (only new files
>   are added). So we could generate md5sums of all files in the
>   repository, and download these to an offsite place. If the md5sum
>   of an immutable file changes, we were compromised (there are,
>   of course, a few files that do change regularly).
>   Of course, we also need regular backups of the entire data
>   so we can restore them if they got compromised.

+1 to all that.
-Barry
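
The integrity check proposed in the quoted text, sketched as an added example (not code from this thread or from the pydotorg setup): hash every repository file, keep the manifest offsite, and later flag any immutable file whose digest changed or that disappeared. It uses SHA-256 where the message says md5sums. The layout is an assumption: `db/revs/<N>` files are treated as immutable and `db/current` as one of the files that change regularly.

```python
import hashlib
import os
import tempfile

# Assumption: paths that legitimately change in an FSFS repository.
MUTABLE = {"db/current"}


def build_manifest(repo_root, algo="sha256"):
    """Map each file's repo-relative path to its hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(repo_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, repo_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.new(algo, fh.read()).hexdigest()
    return manifest


def compare(baseline, current, mutable=MUTABLE):
    """Diff the offsite baseline against a fresh manifest."""
    immutable = [p for p in baseline if p not in mutable]
    return {
        # An immutable file with a new digest means history was rewritten.
        "changed": sorted(p for p in immutable if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in immutable if p not in current),
        "added": sorted(p for p in current if p not in baseline),  # new revisions
    }


def demo():
    """Constructed sample: tiny fake repo, one tampered revision file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db", "revs"))
        def write(rel, data):
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        write("db/revs/0", b"rev 0 data")
        write("db/revs/1", b"rev 1 data")
        write("db/current", b"1\n")
        baseline = build_manifest(root)    # this copy would be stored offsite
        write("db/revs/2", b"rev 2 data")  # normal commit: a new file appears
        write("db/current", b"2\n")        # normal commit: mutable pointer moves
        write("db/revs/1", b"rev 1 DATA")  # tampering with an existing revision
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest only helps if it is stored where someone holding a compromised committer password cannot rewrite it, which is why the message asks for an offsite copy.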
