pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/www/py-moin



Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Jan 20 20:17:05 UTC 2014

Modified Files:
        pkgsrc/www/py-moin: Makefile PLIST distinfo

Log Message:
Update to 1.9.7:

Version 1.9.7:
  SECURITY HINT: make sure you have allow_xslt = False (or just do not use
  allow_xslt at all in your wiki configs, False is the internal default).
  Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.

  HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.

  New features:
  * passlib support - enhanced password hash security. Special thanks go to
    the Python Software Foundation (PSF) for sponsoring development of this!

    Docs for passlib: http://packages.python.org/passlib/

    If cfg.passlib_support is True (default), we try to import passlib and set
    it up using the configuration given in cfg.passlib_crypt_context (default
    is to use sha512_crypt with default configuration from passlib).

    The passlib docs recommend 3 hashing schemes that have good security, but
    some of them have additional requirements:
    sha512_crypt needs passlib >= 1.3.0, no other requirements.
    pbkdf2_sha512 needs passlib >= 1.4.0, no other requirements.
    bcrypt has additional binary/compiled package requirements, please refer to
    the passlib docs.

    cfg.password_scheme should be '{PASSLIB}' (default) to tell that passlib is
    wanted for new password hash creation and also for upgrading existing
    password hashes.

    For the moin code as distributed in our download release archive, passlib
    support should just work, as we have passlib 1.6.1 bundled with MoinMoin
    as MoinMoin/support/passlib. If you use some other moin package, please
    first check if you have moin AND passlib installed (and also find out the
    passlib version you have installed).

    If you do NOT want to (not recommended!) or can't use (still using python
    2.4?) passlib, you can disable it your wiki config:

        passlib_support = False  # do not import passlib
        password_scheme = '{SSHA}'  # use best builtin hash (like moin < 1.9.7)

    Please note that after you have used moin with passlib support and have user
    profiles with passlib hashes, you can't just switch off passlib support,
    because if you did, moin would not be able to log in users with passlib
    password hashes. Password recovery would still work, though.

    password_scheme always gives the password scheme that is wanted for new or
    recomputed password hashes. The code is able to upgrade and downgrade hashes
    at login time and also when setting / resetting passwords for one or all
    users (via the wiki web interface or via moin account resetpw script
    command).

    So, if you want that everybody uses strong, passlib-created hashes,
    resetting the passwords for all users is strongly recommended:
    First have passlib support switched on (it is on by default), use
    password_scheme = '{PASSLIB}' (also default), then reset all passwords.

    Same procedure can be used to go back to weaker builtin hashes (not
    recommended): First switch off passlib support, use password_scheme =
    '{SSHA}', then reset all passwords.

    Wiki farm admins sharing the same user_dir between multiple wikis must use
    consistent password hashing / passlib configuration settings for all wikis
    sharing the same user_dir. Using the builtin defaults or doing the
    configuration in farmconfig.py is recommended.

    Admins are advised to read the passlib docs (especially when experiencing
    too slow logins or when running old passlib versions which may not have
    appropriate defaults for nowadays):
    http://packages.python.org/passlib/new_app_quickstart.html#choosing-a-hash
    
http://packages.python.org/passlib/password_hash_api.html#choosing-the-right-rounds-value

  * Password mass reset/invalidation support, see docs/resetpw/.
    This is useful to make sure everybody sets a new password and moin computes
    the password hash using the current configuration.

  * Customizable default password checker:
    Moin's default password checker used and still uses min_length=6 (minimum pw
    length) and min_different=4 (minimum count of different chars in the 
password).
    If you feel that you need to require better passwords from your users, you
    can customize it now like that in your wiki config:

    password_checker = lambda cfg, request, name, pw: 
multiconfig._default_password_checker(cfg, request, name, pw, min_length=10, 
min_different=7)

  * Removing/disabling inactive users (moin ... account inactive)
    Many wikis have a lot of inactive users, that never ever made a single edit.
    See help of the command for more details, be careful.
  * SystemAdmin user browser: show disabled user accounts at the bottom of
    the list
  * At startup, announce moin version and code path in log output (makes
    support and debugging easier).
  * AttachList: introduced search_term parameter (optional) for listing
    attachments filtered by a regular expression on their name.
  * sign release archive using GnuPG with the key of 
tw%waldmann-edv.de@localhost
    ID 31A6CB60 (main key ID FAF7B393)

  Fixes:
  * logging: if the logging config file can't be read, give a helpful error msg
  * logging: use info loglevel (not warning) for telling about using the builtin
    default logging config
  * moin script commands: warn if someone gave ... to the moin script, avoids a
    strange and unhelpful 'empty module name' error message
  * reorder html input fields in recoverpass form, to help browsers remember
    the user name and password (not erroneously the recovery token and password)
  * don't try to send password recovery email to user if email address in
    user profile is empty
  * cache action: fix 304 http status
  * rst parser: fix safe_import for level param in __import__ call of docutils 
0.10
  * moin maint cleancache: also kill the i18n cache 'meta' pickle file
  * sendmail: catch unicode errors when E-Mail addr has non-ascii chars
  * redirect last visited: if last visited page is on same wiki, use a local
    redirect, do not compute via interwiki map (fixes https: usage)


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/py-moin/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/py-moin/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/www/py-moin/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.




Home | Main Index | Thread Index | Old Index