severity 480417 normal
tags 480417 = pending
thanks

On Fri, 09 May 2008 17:25:24 -0400, Sam Hartman writes:
>The process environment is public;

that's not correct. (are you maybe mixing this up with the cmdline which
is indeed public?)

>setting passwords in the
>environment is problematic because everyone on a multi-user system can
>read them.

/proc/NNN/environ is owned by the user running the program and has mode 0600.
nobody but the superuser can read this information, which is about as safe
as writing the info into ~/.boto (actually it might be slightly safer because
the kernel sets the permissions on proc files automatically, so you can't
mistakenly do the equivalent of chmod a+r ~/.boto...)

>Therefore duplicity really should take advantage of
>python-boto's facility for reading passwords out of config files.

it should, indeed, do that...

>All that needs to happen is that the check for these environment
>variables needs to be removed.

...and the new upstream version 0.4.11 with that change added will be
uploaded within an hour or so.

regards
az

-- 
+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
Any sufficiently advanced bug is indistinguishable from a feature.
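An added example, not part of the message above and not code from duplicity or python-boto: a check of the permission bits under discussion, applied to a process's environ and cmdline entries under /proc and to a credentials file such as ~/.boto. The function names are hypothetical, and only the mode bits are inspected (ACLs and other access controls are assumed absent).

```python
import os
import stat


def read_exposure(path):
    """Describe who may read `path`, judged by owner and mode bits only."""
    st = os.stat(path)  # stat needs no read permission on the file itself
    mode = stat.S_IMODE(st.st_mode)
    return {
        "owner_uid": st.st_uid,
        "mode": oct(mode),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def is_private(path):
    """True when neither group nor other has the read bit set."""
    info = read_exposure(path)
    return not (info["group_readable"] or info["world_readable"])


def audit(paths):
    """Return (path, verdict) pairs; verdict is None if the path cannot be stat'ed."""
    results = []
    for path in paths:
        try:
            results.append((path, is_private(path)))
        except OSError:
            results.append((path, None))
    return results


if __name__ == "__main__":
    # The three locations the message compares; ~/.boto may not exist.
    targets = [
        "/proc/self/environ",
        "/proc/self/cmdline",
        os.path.expanduser("~/.boto"),
    ]
    for path, verdict in audit(targets):
        if verdict is None:
            label = "not present"
        elif verdict:
            label = "owner-only (plus superuser)"
        else:
            label = "readable by other users"
        print(f"{path}: {label}")
```
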