On 15 June 2014 09:19, John Mark Vandenberg <jayvdb(a)gmail.com> wrote:
> We have four sets of cleartext passwords (http & proxy & db), and secrets
> such as various API keys and mw cookies and edit tokens.
>
> The passwords are stored in two files in clear text (user-config.py and
> .passwd). Other secrets are in cached api files, etc.
>
> I would like to introduce an optional dependency on a library to manage
> (some of?) these secrets. The current secret storage would continue to work
> correctly.
>
> The keyring package is the obvious candidate. Any objections or
> improvements on that?

I'm not completely sure how that would work -- I see how it could work as
an alternative to ~/.pywikibot, but it might be problematic for people with
multiple checkouts for different usernames/bots. In addition, I'm afraid
this might make the credential storage fairly opaque: you'd need to run
some script to set the password, instead of just editing a config file.

What's the major advantage over a file with 600 permissions? Will it
prevent local administrators from accessing the password? (they could also
just sniff the password from the network traffic...)

One last point: I think cached api files should *not* store passwords. The
exception is the tests, which cache everything to make sure tests run
reasonably fast.

Merlijn
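
The lookup order discussed in this thread, as an added example that is not part of either message and is not pywikibot code: keyring is tried only when it is installed, the existing file storage keeps working, and the file is refused unless it is private to its owner (mode 600). The function names, the "username:password" file format and the per-checkout service name are assumptions made for illustration, and the permission check assumes a POSIX system.

```python
import os
import stat

try:  # optional dependency, as proposed in the thread
    import keyring
except ImportError:
    keyring = None


def file_is_private(path):
    """True if the file grants nothing to group or others (e.g. mode 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def read_password_file(path, username):
    """Assumed format: one 'username:password' pair per line."""
    if not file_is_private(path):
        raise PermissionError(path + " is accessible to group/others; chmod 600")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, sep, secret = line.rstrip("\n").partition(":")
            if sep and name == username:
                return secret
    return None


def get_password(username, base_dir, password_file, backend=keyring):
    """Try the keyring backend first (if any), then the existing file."""
    # The service name includes the checkout directory, so several
    # checkouts with different bot accounts do not share one entry.
    service = "pywikibot:" + os.path.abspath(base_dir)
    if backend is not None:
        try:
            secret = backend.get_password(service, username)
        except Exception:  # e.g. no usable keyring backend on this host
            secret = None
        if secret is not None:
            return secret
    return read_password_file(password_file, username)
```

Neither path hides the secret from a local administrator: root can read a mode-600 file and can usually reach the user's keyring session as well.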