[Cosmo-dev] adding password retrieval to cmp
Jared Rhine
jared at wordzoo.com
Thu Aug 17 09:54:48 PDT 2006
Brian Moseley wrote:
> the foxmarks crew has asked for the ability to retrieve (encrypted)
> user account passwords from cosmo with cmp.
Correction, I asked Todd to open this ticket. This is not a Foxmarks
request, it is a Hosted Service request which has first seen a need in the
largest Cosmo deployment, Foxmarks.
For what it's worth, I first asked for this feature, as early as the first
sticky plan with Brian and Lisa in perhaps Sep/Oct 2005.
> i've been hesitant to add
> this capability since it's such an obvious security issue...
With respect, as a real-world user of server products including Cosmo, I
find it paternalistic when products try to save me from myself,
security-wise, particularly at the expense of correctness. Leave me to
ensure that I use the feature properly, from localhost, over SSL, inside a
private network, or whatever configuration I, as your exalted user, wish (or
need) to deploy.
Without the ability to retrieve passwords during the backup process, it is
not possible to restore properly. As you know, backups which are not
possible to restore are a classic problem. But have you ever personally
felt that pain? While I acknowledge that without the "fetch password"
feature there's SOME utility in a network backup feature, it's annoyingly
limiting and I'd properly say don't bother with the actual network-based
backup features requested by me too.
We've committed more than once to making all possible features available via
network mechanisms, and I've expressed publicly and repeatedly that I very
much would prefer to backup the Hosted Service incrementally and over the
network. I did not know I would need to argue for the ability to restore,
too, but I make that case now.
Please don't argue, "well, you can use mysql hotdumps (someday)". I reject
that argument because 1) it's implementation specific, 2) it forces a
particular set of possible backends, 3) it's still makes backup/restore a
local-only operation when it does not need to be.
> would the feature's existence be a showstopper for
> your deployment of cosmo?
Make the feature's availability contingent on a setting of a property in a
resource file if you feel must, even default to off. That's a reasonable
thing to do and I think the feature would be better for that support.
I urge inclusion of the "fetch password via CMP" feature in the mainline
branch and the next production release.
Thank you.
-- Jared
More information about the cosmo-dev
mailing list