From: Stefan Sperling
Subject: Re: initial gotd-secrets.conf implementation
To: Omar Polo
Cc: gameoftrees@openbsd.org
Date: Sat, 7 Sep 2024 22:11:53 +0200

On Sat, Sep 07, 2024 at 05:01:42PM +0200, Omar Polo wrote:
> This is a first implementation of the mechanism discussed in the 'RFC:
> secrets for gotd' thread. The overall idea is to move the
> authentication data (username and password) for HTTP notifications in a
> separate file, and the HMAC secret too.
>
> This different file, gotd-secrets.conf, is meant to be root-owned,
> unlike gotd.conf which has to be world-readable for gitwrapper to work.
>
> What's still missing:
>
> - checking the permissions on the file
> - improving the documentation
>
> We're also currently using the username as "key" in gotd.conf, which is
> fine but slightly annoying since we might want to have multiple
> notifications that are using the same username but different password.
> This is something that I've overlooked in the RFC thread and only
> realized while implementing it.

Indeed, we should adjust things to solve this problem.
Ideally we'll nail this down before shipping another release, such that
this problem only ever exists in development versions.

> Still, this is a starting point and we
> can improve in tree I believe.

Yes, agreed.

Ok by me.

I would prefer to avoid linking secrets.c into gitwrapper, but we can
fix that later. This might require running a separate binary to parse
the secrets file, or perhaps just moving some functions to different
.c files will be enough.