[Gnump3d-users] New release ..

From: Steve Kemp
Subject: [Gnump3d-users] New release ..
Date: Tue, 16 Oct 2007 16:32:42 +0100
User-agent: mutt-ng/devel-r804 (Debian)

Good news: a new release is imminent.
Bad news: password authentication is going away completely.

Justification
-------------
The idea of password authentication was born back when I first
started releasing the project and happened to notice that I could
find many public servers which were open to the internet.
I figured this was probably a bad idea, and that there should be
a way to stop it.
I went about this in two ways:
1. Added password protection.
2. Added IP-based restrictions.
The latter works well, and will continue to be supported.
The former is mostly broken. Why? Because the simple fact is that
MP3 clients do not support auth (or if they do then very very rarely).
This suggests one of two things:
1. That passwords shouldn't be mandatory for .mp3/.m3u files.
2. That the playlists should be smarter.
(e.g. http://foo:8888/passhash/file.mp3, rather than just
http://foo:8888/file.mp3).
The former is what I went for. In retrospect this was a mistake.
I should have placed a hash of the password in the playlists which
are generated - thus seamlessly getting password support for clients.
Instead I elected to allow music clients to fetch files without
passwords and to be honest the protection that is left is not great.
The previous release included a new hashing mechanism, so I'm sorry
to remove it, but the simple fact is that the password protection is
not robust enough to be reliable and most of the support mails I
receive are related to it in some way.
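The "smarter playlists" approach sketched above, as an added example that is not GNUMP3d's own code: the server writes the .m3u with a per-file token embedded in each URL path (the http://foo:8888/<token>/file.mp3 shape from the message), and checks that token on every file request, so a client that cannot speak HTTP auth still only reaches files it was handed in a playlist. The token here is a keyed HMAC over the file path rather than the password hash the message proposes; that is a swapped-in choice, made so the URL does not carry anything derived from the user's password. SERVER_SECRET and the sample paths are constructed.

```python
"""Playlist URLs that carry a per-file token, checked on each request.

Added illustration (not GNUMP3d code). The server secret and the sample
library paths below are constructed for the example.
"""
import hashlib
import hmac
import urllib.parse

# Constructed secret; a real server would load this from its config file.
SERVER_SECRET = b"constructed-example-secret"


def file_token(path):
    """Short keyed token binding a URL to exactly one path on this server."""
    mac = hmac.new(SERVER_SECRET, path.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:24]


def playlist(base_url, paths):
    """Render an .m3u whose entries are <base>/<token><url-encoded path>."""
    lines = ["#EXTM3U"]
    for p in paths:
        # quote() keeps '/' intact, so the library path survives as-is.
        lines.append(f"{base_url}/{file_token(p)}{urllib.parse.quote(p)}")
    return "\n".join(lines) + "\n"


def authorize_request(url_path):
    """Validate an incoming /<token>/<file> path.

    Returns the library path to serve, or None when the token is missing
    or does not match the path (so a guessed or edited URL is refused).
    """
    _, _, rest = url_path.partition("/")          # drop the leading '/'
    token, sep, file_part = rest.partition("/")
    if not sep or not token.isascii():
        return None
    path = "/" + urllib.parse.unquote(file_part)
    expected = file_token(path)
    # Constant-time comparison so token checks do not leak via timing.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None
    return path


if __name__ == "__main__":
    # Constructed library listing for the demo.
    library = ["/albums/track 1.mp3", "/albums/track 2.mp3"]
    print(playlist("http://foo:8888", library))
```

The playlist is the only place the tokens are minted, so a client that simply follows the URLs it was given needs no password prompt, while a request for a path that was never handed out fails the check.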
Why now?
---------
Another hole was disclosed. If you telnet to your GNUMP3d server
and type:

    GET / HTTP/1.0

All looks good. You'll get a 403 header back.

Now try this instead:

    GET /

No password prompt.
:(
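What the telnet test above exercises, as an added illustration that is not GNUMP3d's code: a bare `GET /` with no version token is an HTTP/0.9 "simple request", and if the password check lives only on the code path that handles versioned request lines, the simple-request path serves the file with no prompt at all. The vulnerable handler below reproduces that pattern (a hypothetical reconstruction, not the project's actual logic); the hardened one parses first and then makes a single auth decision for every request form, refusing HTTP/0.9 outright because such a request cannot carry an Authorization header. The credential store and status codes are assumptions, with 403 used for the "password required" response because that is the code the message reports.

```python
"""Auth check tied to request-line shape, beside a uniform check.

Added illustration (not GNUMP3d code). Credentials and the 403/400 codes
are assumptions for the example; 403 mirrors the response the message
describes for a versioned request.
"""
import base64

# Constructed credential store; a real server would keep salted hashes.
VALID_USERS = {"alice": "s3cret"}


def basic_auth_header(user, password):
    """Build the Authorization header value a client would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _authorized(headers):
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return VALID_USERS.get(user) == pw


def parse_request(raw):
    """Return (method, path, version, headers) or None for a malformed line.

    A two-token request line ("GET /") is the HTTP/0.9 simple-request form;
    it has no version and no header section.
    """
    lines = raw.split("\r\n")
    parts = lines[0].split()
    if len(parts) == 3:
        method, path, version = parts
    elif len(parts) == 2:
        method, path = parts
        version = "HTTP/0.9"
    else:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def vulnerable_handler(raw):
    """Password check only on the versioned-request branch (the bug)."""
    req = parse_request(raw)
    if req is None:
        return 400
    _method, _path, version, headers = req
    if version in ("HTTP/1.0", "HTTP/1.1"):
        if not _authorized(headers):
            return 403        # password required
        return 200
    # Legacy branch that predates the password feature: serves unchecked.
    return 200


def hardened_handler(raw):
    """One auth decision after parsing, applied to every request form."""
    req = parse_request(raw)
    if req is None:
        return 400
    _method, _path, version, headers = req
    if version == "HTTP/0.9":
        # Simple requests cannot carry headers, so they can never pass the
        # password check; refuse them instead of falling through.
        return 400
    if not _authorized(headers):
        return 403
    return 200
```

The point is not the HTTP/0.9 corner itself but the shape of the code: any time the authorization decision sits inside one branch of a request-line dispatch, every other branch is an unprompted path, and the fix is to make the decision once, after normalisation, for all of them.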
The Future
----------
So, despite the previous release being final, this time I'm going to
have to release an update. This will have three changes:
1. Remove password auth.
2. Remove the split warning.
3. Update the version number to 3.0
4. Remove /bug/ (which reports to me by email).
I do still intend to rewrite the code in a better fashion, but that
has stalled. Again. If people wish to commit to working on it with
me that would be useful... Otherwise it'll probably happen very very
very slowly, or not at all.
Steve
--
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/