[Zope] Re: [Zope-dev] Introspection, managing External Methods?

Christopher Petrilli petrilli@digicool.com
Tue, 20 Jul 1999 10:36:08 -0400


>> admin privileges or whatever. I intended no criticism of the zope
>> security model other than 1) the passwords are in a meaningfully named
>> file, 2) the file is unencrypted and 3) there is a standard initial
>> manager login and password. These are not serious holes, but would get
>> you shown the door by the more paranoid.
> ad 3) Ok, changing the standard superuser password is natural. Perhaps it
>       should be random generated.

This will be the case in the first beta release, assuming I don't trip up
and kill myself before the end of the week.  It will use the same algorithm
the binary releases use.

Additionally, the file will store the password in SHA-1 format, which
eventually will propagate into the rest of the system (more on this later
when it's been smoothed out). This does mean that most likely WebDAV won't
work with the superuser account, but then you shouldn't be using the
superuser account, right? :-)

BTW, changing the name is simply obscurity, and well, that won't fly.

Chris
--
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com
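An added example (my code, not anything from the thread or from Zope itself) of the two changes the message describes: a randomly generated initial superuser password whose SHA-1 digest, rather than the plaintext, is written to the password file, together with the matching login check. The `name:{SHA}<base64 digest>` line layout and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed storage format (not taken from the message): one line per account,
# "name:{SHA}<base64 of the raw SHA-1 digest>", so the file holds a digest
# instead of the plaintext password the thread complains about.
PREFIX = "{SHA}"


def generate_password(length: int = 12) -> str:
    """Random initial superuser password, replacing the fixed default.

    Ambiguous glyphs (0/O, 1/l/I) are left out so the value can be read
    back from a console or printed note without guesswork."""
    alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str) -> str:
    """SHA-1 digest of the password, base64-encoded behind the {SHA} tag."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def make_access_entry(name: str, password: str) -> str:
    """One line of the (assumed) access file: the hash, never the password."""
    return f"{name}:{hash_password(password)}"


def check_login(line: str, name: str, password: str) -> bool:
    """Verify a login attempt against a single access-file line."""
    entry_name, stored = line.strip().split(":", 1)
    if entry_name != name:
        return False
    if stored.startswith(PREFIX):
        # Hashed entry: recompute and compare in constant time.
        return hmac.compare_digest(stored, hash_password(password))
    # Legacy plaintext entry (the pre-beta layout the thread objects to);
    # accepted only so an old file can still be read during migration.
    return hmac.compare_digest(stored, password)


if __name__ == "__main__":
    pw = generate_password()
    entry = make_access_entry("superuser", pw)
    print(entry)                         # the digest line, no plaintext in it
    print(check_login(entry, "superuser", pw))
```

Unsalted SHA-1 as used here matches what the message announces for 1999; a current deployment would use a salted, iterated password hash instead, but the file layout and the constant-time check carry over unchanged.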