Webware for Python

I am new to this list, as I just started playing with Webware, but my
opinion (if it has any value to anyone here) is that you should just ask for
a password on install and not worry about generating them. If there is going
to be a password involved somewhere I DEFINITELY want to be told that
explicitly and be able to assign it myself during the install process.

Security minded people will just change your password anyway, as they will
have their own scheme for doing such things. Many others will either be
frustrated by not knowing how to change it - not remembering a complicated
generated default - or leaving themselves wide open by continuing to use any
easy to remember default value. Default passwords of any sort (generated or
static) do not add value for any sort of user I can imagine. They make the
worse case scenario worse and the best case scenario no better.

--Sean Hastings
--mailto:sean@...
--vmsg/fax:1.800.why.sean

> -----Original Message-----
> From: webware-discuss-admin@...
> [mailto:webware-discuss-admin@... Behalf Of Chuck
> Esterbrook
> Sent: Monday, April 23, 2001 11:00 AM
> To: Graham Hughes; webware-discuss@...
> Subject: Re: [Webware-discuss] Password change on install
>
>
> At 10:24 AM 4/23/2001 -0700, Graham Hughes wrote:
> >But then the keyspace is too small.  There are only five (maybe six)
> >vowels and 20-21 consonants depending on how you count them; assuming
> >that you have 4 vowels and 4 consonants there are only 10^4 * 42^4 = 3
> >* 10^10 possible passwords, as compared to the 92^8 = 5 * 10^15
> >possible passwords possible with unrestricted printable characters.
> >
> >There were three attacks on password generators on Bugtraq last week,
> >including RedHat's mkpasswd if memory serves, all because they use a
> >restricted keyspace instead of the full one--I got personally bit by
> >one of those and had to change all my passwords because they had
> >suddenly become weak.  I would advise not going that direction :).
>
> We could take the argument further and say that 8 chars is not enough. Or
> 20, 50, 100...
>
> The other extreme is to have a 1 character password.
>
> Obviously both extremes are too extreme, so my question is: at
> what number
> of combinations is a password considered "strong"?
>
> -Chuck
>
>
> _______________________________________________
> Webware-discuss mailing list
> Webware-discuss@...
> http://lists.sourceforge.net/lists/listinfo/webware-discuss
>

Re: [Webware-discuss] Password change on install From: Chuck Esterbrook <echuck@mi...> - 2001-04-23 19:52 At 12:21 PM 4/23/2001 -0700, Graham Hughes wrote: ><warning: very technical discussion follows> I read your entire discussion and I hope I didn't miss this in the details, but when you are computing the number of password attempts that you can make, is this given the idea that you have local file system access or that you have to try them via an HTTP POST to the site? In the case of an HTTP POST, it seems like there would be 2 mitigating factors: - the time span for trying N passwords goes up substantially - the server can be augmented to deny admin login requests from IPs if too many are received in too short a time, coupled with an e-mail to the admin about the attack And speaking of encryption, that's another issue. So let's summarize WebKit admin password issues: - encryption - do this? - if so, how? - must work on UNIX & Windows - autogenerate password - by how much, if any, can we simplify the result set to make it easier to remember? - password restrictions - should WebKit refuse to launch if restrictions aren't met on the password? - min length - variety of characters - illegal characters? (high bit for example) - anything else? Sounds like the roots of a PEP. Maybe we can all build it together. BTW I'm not even close to a security expert. Just a software developer who brushes up against security issues every once in a while. Please feel free to expand or comment on my list and thoughts. -Chuck

RE: [Webware-discuss] Password change on install From: Chuck Esterbrook <echuck@mi...> - 2001-04-23 20:14 At 12:50 PM 4/23/2001 -0700, Sean Hastings wrote: >I am new to this list, as I just started playing with Webware, but my >opinion (if it has any value to anyone here) is that you should just ask for >a password on install and not worry about generating them. If there is going >to be a password involved somewhere I DEFINITELY want to be told that >explicitly and be able to assign it myself during the install process. > >Security minded people will just change your password anyway, as they will >have their own scheme for doing such things. Many others will either be >frustrated by not knowing how to change it - not remembering a complicated >generated default - or leaving themselves wide open by continuing to use any >easy to remember default value. Default passwords of any sort (generated or >static) do not add value for any sort of user I can imagine. They make the >worse case scenario worse and the best case scenario no better. If people can't remember a generated password that is secure but complicated, and they leave themselves insecure with a generated basic password then...aren't these the same problems they would have if they typed in the password themselves? In other words, the questions about password length, potential chars etc. are still important to at least know about and have the server either enforce or warn about. We can certainly provide for asking people for a password at install time. But we could also give them a suggested default that we have determined is fairly secure. Finally, all these issues are also important for UserKit, so they need to be hashed out. (Does that constitute a pun?) -Chuck

Re: [Webware-discuss] Password change on install From: Graham Hughes <graham@ly...> - 2001-04-23 21:05 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chuck Esterbrook <echuck@...> writes: > At 12:21 PM 4/23/2001 -0700, Graham Hughes wrote: > ><warning: very technical discussion follows> >=20 > I read your entire discussion and I hope I didn't miss this in the > details, but when you are computing the number of password attempts > that you can make, is this given the idea that you have local file > system access or that you have to try them via an HTTP POST to the > site? You are correct here: I am assuming that somebody has snatched /etc/passwd (or /etc/shadow in these enlightened days) and is trying to reverse your passwords. Doing this over the network is basically infeasible due to latency and bandwidth constraints, let along that it is totally trivial to discover. There are much easier attacks over the network than password reversal, but password reversal is typically what happens next after breaking in somehow over the network--so if I got a local shell due to an apache hole or something, then I could grab the passwords and reverse them and crack root. The other reason to attack passwords is most people use the same passwords in multiple contexts, so one reversal may help you out a great deal. The most obvious situation I can think of where this sort of attack would matter would be breaking into the FTP account belonging to one of my users and grabbing a .htpasswd from somewhere on the web site, then reversing it; alternatively breaking into my database and dicking around with it there. My previous analysis was slanted toward system accounts; at present Webware stores the password in plaintext anyway and brute forcing over the network is not going to be useful, so I don't think it penalizes you much given the present architecture by going with a restricted keyspace; having no set default password would help with the Piranha problem RedHat had a while back. However, you mention encryption later, and I discuss some consequences there. > In the case of an HTTP POST, it seems like there would be 2 mitigating fa= ctors: > - the time span for trying N passwords goes up substantially > - the server can be augmented to deny admin login requests from IPs > if too many are received in too short a time, coupled with an e-mail > to the admin about the attack True, certainly. One hurdle for denying login requests is the ubiquitous AOL proxy issue; AOL customers all appear to come from one of a small number of proxy servers, and the act of denying logins from one of those servers is not a small deal. > And speaking of encryption, that's another issue. >=20 > So let's summarize WebKit admin password issues: Some comments: > - encryption > - do this? > - if so, how? > - must work on UNIX & Windows If you are going to encrypt the password, you are anticipating that the attacker has read access to the Webware configuration file; there may be other security isuses with this. Further the admin interface password is not currently powerful enough to justify the two weeks of compute time it would take for me to break it. On the other hand if people are permitted to change it to whatever they like, there is a very strong probability that those passwords are used elsewhere, and so perhaps it is worth the two weeks to break it. If the admin pw is valuable, then straight MD5 is way too fast for these purposes; however, it is a standard Python library (md5), as is SHA-1 (sha). crypt itself is only on Unix. The PAM people have a way of using MD5 that is deliberately slow that might be useful; basically they run it about a thousand times with slightly permuted data. I have not checked whether this method is published anywhere. This requires no changes to MD5 itself, which means you can use the standard Python library, and for the act of checking one password the speed hit is mostly insignificant--34 ms on a 60 MHz Pentium. > - autogenerate password > - by how much, if any, can we simplify the result set to make > it easier to remember? This will not make things weaker. It can make them stronger. There are better algorithms than vowel-consonant-vowel-consonant for pronouncable passwords that may be worthwhile. I think that, especially if MD5 or SHA-1 is to be used, that it is foolish to restrict the keyspace more than trivially, as those algorithms are entirely too fast. Alternatively the proposed keyspace could be used if it was longer than 8 characters. 22 is probably excessive, but I could see 12 being perhaps justifiable, and for the people that this irritates they have the ability to change the password anyway. > - password restrictions > - should WebKit refuse to launch if restrictions aren't met > on the password? Arguably no. This would require that WebKit get the plaintext password, which means you are vulnerable to some random person getting the plaintext password, which is bad. Further, if WebKit can get the plaintext password then you don't have to spend two weeks of computer time cracking the password, as the way of getting into the back door is of course published openly. Using a cryptographic hash prevents this kind of reversal, permitting only brute force. Further it is arguably antisocial to prevent people from running with weak passwords if they really want to; considering that to get a weak password someone would have to override the system generated one, this is probably acceptable. > - min length > - variety of characters > - illegal characters? (high bit for example) It should be noted that Unix passwords are restricted to 94 characters because that is about as many printable characters as are defined in 7 bit ASCII; since nobody agrees completely on what the high bits are supposed to be, let alone how to type the bastards in, it's probably not a bad idea to generate them--but who are we to prevent some Frenchman from using =E9 in a password, eh? > - anything else? > Sounds like the roots of a PEP. Maybe we can all build it together. Certainly might be a useful component in the standard library. > BTW I'm not even close to a security expert. Just a software developer > who brushes up against security issues every once in a while. Please > feel free to expand or comment on my list and thoughts. Thanks; I'm something of a professional paranoid, but even then my job title is `Programmer'. - --=20 Graham Hughes <graham@...> PGP fingerprint: 1F1D 0027 B835 E114 3F5B 2C7C 64D1 83A0 C5C7 312A -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnu= pg.org/> iD8DBQE65JkFZNGDoMXHMSoRAr6gAJ4zkA3NXGN9Gx5FnwnMaPTiLrxFzgCgsmj+ ar6wAHEHxrT4owTrmRJ/IZo=3D =3DJlB+ -----END PGP SIGNATURE-----

Re: [Webware-discuss] Password change on install From: Dillon Jones <mrlocomojo@ya...> - 2001-04-24 01:46 fyi - As I see it, we are discussing two different issues: 1) generating an admin password rather than having a default, and 2) the security of the admin password For now, you increase the security of WebWare by an order of magnitude if you only address (1). No argument that the password storage model needs work, but to simply ensure that an attacker doesn't *by default* know your admin password is fundamental. You could query for a password, but I think Chuck wants to stay away from an interactive install script, where replies are required. As to the ease of memorizing the password, tell the user at install time where it's located so he/she can change it. Who cares if it's easy to remember? If the user doesn't like the generated password, they will make one they do like. I've had trouble using some printable characters in passwords, esp "#" and "%", so I prefer not to use them in generation schemes. Here's a quick-and-dirty password generator that will give you a mixed-case, semi-pronounceable (consonant followed by vowel) word every time, beginning with a digit, ending with a non-alphanumeric: ========begin========== #!/usr/bin/python from whrandom import randrange def randCase(ltr): import string if randrange(0,99999999) % 2 == 0: return ltr else: return(string.upper(ltr)) def randCH(chTbl=["a", "b", "c"]): import re n = len(chTbl) v = chTbl[randrange(0,99999999) % n ] if re.match(r'[a-zA-Z]+$',v): return randCase(v) else: return v def legPW(pwLen=8): vTbl=["a", "e", "i", "o", "u"] cTbl=["b", "c", "d", "f", "g", "h", "j", "k", "l", "m", "n", "p", "q", "r" "s", "t", "v", "x", "z"] xTbl=["!", "@", "$", "*", "(", ")", "+", "'", "~", "^"] i = 1 # res="" res="%i" % randrange(0,9) i = i + 1 while i: if i == pwLen: break res=res+randCH(vTbl) i = i + 1 if i == pwLen: break res=res+randCH(cTbl) i = i + 1 if i == pwLen: break res=res+randCH(xTbl) return res print legPW() ========begin========== Next thing to do is to disallow access to the admin page from a specific address after x failed attempts. -- fdj

RE: [Webware-discuss] Password change on install From: Sean Hastings <whysean@ww...> - 2001-04-24 03:59 Chuck, > Finally, all these issues are also important for UserKit, so they need to > be hashed out. (Does that constitute a pun?) Well you certainly Rijndael over my parade. ;-) One thing to note is that you don't have to worry as much about number of bits of security with a password when you can limit the real-time rate at which passwords can be unsuccessfully tried. While 50 bits of randomness may no longer be sufficient for cipher text, just 25 bits makes a pretty decent password if you can only make 1 guess every few seconds. Super long passwords should not be a necessity. --Sean Hastings --mailto:sean@... --vmsg/fax:1.800.why.sean

Re: [Webware-discuss] Password change on install From: Baruch Even <baruch57@ev...> - 2001-04-24 06:45 On Mon, 23 Apr 2001, Chuck Esterbrook wrote: > So let's summarize WebKit admin password issues: > > - encryption > - do this? > - if so, how? > - must work on UNIX & Windows Whatever you do is not strictly encryption it's more like hashing, since for encryption you need a decrypt key and an encrypt key (mostly they are the same), and having a decrypt key means that it needs to be embedded and so we lose any benefit. The usual solution as was raised already is to hash the password with some salt, that is if the password is 'pw' you add some random stuff, say '432' and then you hash '432pw', you just store the salt with the hashed password and everyone is happy (or not, depending on mood). Unix uses the crypt function which is a convoluted DES running for something like 32 times over and over. This was already shown to be weak, if only for the small keyspace of DES and its fast implementations. As was raised the best solutions we have are MD5 and SHA-1, there was found already some small weakness in MD5 so it might be better to use SHA-1, though this weakness is probably not the hole in the Webware security. > - autogenerate password > - by how much, if any, can we simplify the result set to make it > easier to remember? Any autogenerated password will be fine, this is afterall for the non security conscious admins (they should be abolished, but we can do that later). I think that whatever password is generated it should be fine, assuming its random enough and long enough (8-12 chars should be sufficient). > - password restrictions > - should WebKit refuse to launch if restrictions aren't met on the > password? > - min length > - variety of characters > - illegal characters? (high bit for example) > - anything else? We should not restrict anything, after all this is a local policy, if the admin doesnt want any password then so be it, it's not ours to deal with it. We need to deal with the initial installation and to avoid having a standard hole in the form of a fixed initial password. You have reason to do the password limitation when its user passwords that you deal with, then you should assume that the users are dumb and that they should be protected from themselves lest they harm you. For the record, I'm not a security expert though I'm interested in the field and learned a bit on it. I'm not even a programmer by title, just a Math student, It can be summarized as a-hobbyist-programmer-who-enjoys-many-topics-one-of-them-is-computer-security Anyhow, I've seen that someone posted a pronounceable password generator, Thus I feel free from my obligation to find one :-) Baruch

Re: [Webware-discuss] Password change on install From: Terrel Shumway <tshumway@ic...> - 2001-04-24 07:12 Baruch Even wrote: > this is afterall for the non > security conscious admins (they should be abolished, but we can do that > later). Security has much more to do with policy than with programming. A security concious administrator would prefer to have a the Admin context disabled by default. The Admin context should not even be enabled unless the administrator is cares enough about it to explicitly turn it on. This would be an easy solution: if no password has been set, the Admin context does not load at all, or loads only a single page describing how to set the password. (I think I suggested this once, but I don't remember what the response was.)

Re: [Webware-discuss] Password change on install From: Baruch Even <baruch57@ev...> - 2001-04-24 07:18 On Tue, 24 Apr 2001, Terrel Shumway wrote: > Baruch Even wrote: > > > > this is afterall for the non > > security conscious admins (they should be abolished, but we can do that > > later). > > Security has much more to do with policy than with programming. A security > concious administrator would prefer to have a the Admin context disabled > by default. The Admin context should not even be enabled unless the > administrator is cares enough about it to explicitly turn it on. This > would be an easy solution: if no password has been set, the Admin > context does not load at all, or loads only a single page describing how > to set the password. This is also a good thing to add, but it should be explicit and not implicit from having no password defined. Baruch

Re: [Webware-discuss] Password change on install From: Terrel Shumway <tshumway@ic...> - 2001-04-24 12:21 Baruch Even wrote: > On Tue, 24 Apr 2001, Terrel Shumway wrote: > > The Admin context should not even be enabled unless the > > administrator is cares enough about it to explicitly turn it on. > > This is also a good thing to add, but it should be explicit and not > implicit from having no password defined. The power of this approach is that it is "secure by default." If someone wants to do something stupid, at least they have to think about it. I already CAN turn off Admin if I don't want it. Someone who isn't quite as careful may not even notice that it is on.

Re: [Webware-discuss] Password change on install From: Chuck Esterbrook <echuck@mi...> - 2001-04-24 15:06 At 09:46 PM 4/23/2001 -0400, Dillon Jones wrote: >fyi - > >As I see it, we are discussing two different issues: >1) generating an admin password rather than having a default, and >2) the security of the admin password Agreed. >For now, you increase the security of WebWare by an order of magnitude if >you only address (1). No argument that the password storage model needs >work, but to simply ensure that an attacker doesn't *by default* know >your admin password is fundamental. Agreed. >You could query for a password, but I think Chuck wants to stay away >from an interactive install script, where replies are required. My latest thoughts on this are: * Generate a password and present to the user: --- The app server admin password needs to be set. The password 'atikuker' has been generated for you just now. Press enter to accept or type in your own choice: _ Your password is 'whatever' in WebKit/Configs/Application.config where you can change it in the future. --- * Provide a --pwd-prompt=no command line option to skip the prompt. * Do not generate or prompt if the password is something other than '' (which is what you will get out of a fresh CVS). The point here is that I often re-run install.py when I add a new component (in order to get generated docs). You know, for all the Python code I have written, I have never gotten keyboard input before. I think there is an input() or a readline()... -Chuck

Re: [Webware-discuss] Password change on install From: Chuck Esterbrook <echuck@mi...> - 2001-04-24 15:19 At 12:12 AM 4/24/2001 -0700, Terrel Shumway wrote: > > this is afterall for the non > > security conscious admins (they should be abolished, but we can do that > > later). > >Security has much more to do with policy than with programming. A >security concious administrator would prefer to have a the Admin context >disabled by default. The Admin context should not even be enabled unless >the administrator is cares enough about it to explicitly turn it on. This >would be an easy solution: if no password has been set, the Admin context >does not load at all, or loads only a single page describing how to set >the password. > >(I think I suggested this once, but I don't remember what the response was.) I actually don't remember the suggestion so I probably didn't respond. I can't say I'm of the mind that the admin context should be disabled by default. It is protected after all and an admin can disable if he/she likes. My very latest thoughts: - Out of CVS, password is None - This causes install.py to generate and prompt for one - Password can be blank if the user likes - Blank password is '' - The user should be warned if the password doesn't meet some basic safety criteria like minimum length, not using a dictionary word, etc. But we'll save that as a bell and whistle for later. -Chuck

Re: [Webware-discuss] Password change on install From: Dillon Jones <mrlocomojo@ya...> - 2001-04-24 23:25 Final thoughts: Chuck, I think your first instinct to stay away from user prompts is a good one. Perhaps either command line (install --password=asfdsdklj) or it generates. If it generates, it yells at you. *************************************** * ATTENTION WebWare installation has * generated the following password for you. * * saflksdfkdj * * To change your password, either edit the * configuration file, or reinstall with * the --password option * ************************************ Or something like that. I very much like the idea that if install finds a password, it doesn't replace it. Like you, I seldom write user interactive stuff, but here's one I put in my samples directory so I wouldn't have to re-figure it out when it came up: #!/usr/bin/python import os, sys, string print "input:", fred = sys.stdin.readline() print "you entered %s" % fred Note: By final thoughts I meant that these are my final thoughts (for now) on this topic. I did not mean these are my final thoughts, and after I send this email I'm going to die or be frozen cyrogenically. Nor am I going to use some ancient eastern meditation technique to stop thinking. I intend to go on thinking throughout the evening; just not about this. Of course, once one tries to stop thinking about something, it becomes hard to stop thinking about it. Try it: Don't Think About Your Shoes. Heh. Not easy, is it? -- fdj

Re: [Webware-discuss] Password change on install From: Chuck Esterbrook <echuck@mi...> - 2001-04-24 23:59 At 07:24 PM 4/24/2001 -0400, Dillon Jones wrote: >Final thoughts: > >Chuck, I think your first instinct to stay away from user prompts is a >good one. Perhaps either command line (install --password=asfdsdklj) or >it generates. Well, so here's the question: Should Webware's install be interactive or not? I suspect that there are other interactive items that will come up in the future. For example, on Windows we could bring up the documentation with a "start Docs\index.html", but we might want to ask the user first. Far into the future, the Webware might be pretty light and come with a menu of components that can be downloaded and installed. I imagine there could be other things that we haven't thought of. In light of all of this, I was leaning towards allowing it to be interactive (although as convenient as possible; for example you can hit [Enter] to accept the default generated password), but providing optional command line options to avoid the prompts. Now what do you guys think? -Chuck

Re: [Webware-discuss] Password change on install From: Geoff Talvola <gtalvola@me...> - 2001-04-25 14:08 At 07:24 PM 4/24/2001 -0400, Dillon Jones wrote: >Like you, I seldom write user interactive stuff, but here's one I put in >my samples directory so I wouldn't have to re-figure it out when it came up: > > >#!/usr/bin/python >import os, sys, string >print "input:", >fred = sys.stdin.readline() >print "you entered %s" % fred There's also a raw_input builtin function that's designed for keyboard input. It results in shorter code: fred = raw_input("input:") print "you entered %s" % fred - Geoff

Re: [Webware-discuss] Password change on install From: Geoff Talvola <gtalvola@me...> - 2001-04-25 14:11 At 07:57 PM 4/24/2001 -0400, Chuck Esterbrook wrote: >At 07:24 PM 4/24/2001 -0400, Dillon Jones wrote: >>Final thoughts: >> >>Chuck, I think your first instinct to stay away from user prompts is a >>good one. Perhaps either command line (install --password=asfdsdklj) or >>it generates. > >Well, so here's the question: Should Webware's install be interactive or not? > >I suspect that there are other interactive items that will come up in the >future. For example, on Windows we could bring up the documentation with a >"start Docs\index.html", but we might want to ask the user first. > >Far into the future, the Webware might be pretty light and come with a >menu of components that can be downloaded and installed. > >I imagine there could be other things that we haven't thought of. > >In light of all of this, I was leaning towards allowing it to be >interactive (although as convenient as possible; for example you can hit >[Enter] to accept the default generated password), but providing optional >command line options to avoid the prompts. > >Now what do you guys think? > >-Chuck I like your suggestion -- interactive, with the option to run in non-interactive mode using command-line args. That's how standard installer programs work on Windows and it works out nicely there. - Geoff

Re: [Webware-discuss] Password change on install From: Terrel Shumway <tshumway@ic...> - 2001-04-25 15:18 Geoff Talvola wrote: > At 07:24 PM 4/24/2001 -0400, Dillon Jones wrote: > >Like you, I seldom write user interactive stuff, but here's one I put in > >my samples directory so I wouldn't have to re-figure it out when it came up: > > > > > >#!/usr/bin/python > >import os, sys, string > >print "input:", > >fred = sys.stdin.readline() > >print "you entered %s" % fred > > There's also a raw_input builtin function that's designed for keyboard > input. It results in shorter code: > > fred = raw_input("input:") > print "you entered %s" % fred raw_input is fine for clear text, but I thought this was about passwords? http://www.python.org/doc/current/lib/module-getpass.html

interactive (Re: [Webware-discuss] Password change on install) From: Terrel Shumway <tshumway@ic...> - 2001-04-25 15:34 Geoff Talvola wrote: > At 07:57 PM 4/24/2001 -0400, Chuck Esterbrook wrote: > >In light of all of this, I was leaning towards allowing it to be > >interactive (although as convenient as possible; for example you can hit > >[Enter] to accept the default generated password), but providing optional > >command line options to avoid the prompts. > > > I like your suggestion -- interactive, with the option to run in > non-interactive mode using command-line args. > > That's how standard installer programs work on Windows and it works out > nicely there. It would be nice to come up with a declarative Model of the data that needs to be gotten, something along the lines of xforms[1]. Then the front end can vary without the hackishness of some gui-wrapped-around-a-console-app solutions in use (linux kernel xmenuconfig comes to mind). It also supports the completely non-interactive mode quite well. This library would also be useful for the server startup script. -- Terrel ---- [1] http://www.w3.org/TR/xforms/

Re: [Webware-discuss] Password change on install From: Geoff Talvola <gtalvola@me...> - 2001-04-25 16:12 At 08:18 AM 4/25/2001 -0700, Terrel Shumway wrote: >raw_input is fine for clear text, but I thought this was about passwords? > >http://www.python.org/doc/current/lib/module-getpass.html You're right, getpass is definitely the way to go. - Geoff

[Webware-discuss] Preformance of CVS Webware version? From: Tom Schwaller <tom.schwaller@we...> - 2001-04-25 16:52 Was out of town for a week and just did a CVS checkout of Webware to synchronize. As usual I run ab -n 100 -c 2 "start URL of webware" and noticed a really bad performance (25 Hits per second compared to 60 I had before. ShowTime even had 16 hits per second!). Can somebody confirm this numbers? Something strange happend here... -- Tom Schwaller tschwaller@... http://www.python.de

Re: [Webware-discuss] Preformance of CVS Webware version? From: Terrel Shumway <tshumway@ic...> - 2001-04-25 17:36 Tom Schwaller wrote: > Was out of town for a week and just did > a CVS checkout of Webware to synchronize. > As usual I run ab -n 100 -c 2 "start URL of webware" > and noticed a really bad performance (25 Hits per second > compared to 60 I had before. ShowTime even had 16 hits per second!). > Can somebody confirm this numbers? > Something strange happend here... I haven't tested it myself, but Jay checked in the streaming writes recently. That would be a prime suspect.

Re: [Webware-discuss] Preformance of CVS Webware version? From: Chuck Esterbrook <echuck@mi...> - 2001-04-26 01:30 At 10:37 AM 4/25/2001 -0700, Terrel Shumway wrote: >Tom Schwaller wrote: > > > Was out of town for a week and just did > > a CVS checkout of Webware to synchronize. > > As usual I run ab -n 100 -c 2 "start URL of webware" > > and noticed a really bad performance (25 Hits per second > > compared to 60 I had before. ShowTime even had 16 hits per second!). > > Can somebody confirm this numbers? > > Something strange happend here... > >I haven't tested it myself, but Jay checked in the streaming writes >recently. That would be a prime suspect. Yeah, I think the new streaming is definitely the problem. We need to comb over this code and shake it out since it's new. But the idea is a valid one: deliver the response as it gets written rather than waiting until the end. We just need to groom it. Thanks for catching this Tom. Automated nightly benchmarking is another TO DO item that isn't DONE, so we need to be vigilant. -Chuck

Re: [Webware-discuss] Preformance of CVS Webware version? From: Tom Schwaller <tom.schwaller@we...> - 2001-04-26 23:57 Chuck Esterbrook wrote: > > At 10:37 AM 4/25/2001 -0700, Terrel Shumway wrote: > >Tom Schwaller wrote: > > > > > Was out of town for a week and just did > > > a CVS checkout of Webware to synchronize. > > > As usual I run ab -n 100 -c 2 "start URL of webware" > > > and noticed a really bad performance (25 Hits per second > > > compared to 60 I had before. ShowTime even had 16 hits per second!). > > > Can somebody confirm this numbers? > > > Something strange happend here... > > > >I haven't tested it myself, but Jay checked in the streaming writes > >recently. That would be a prime suspect. > > Yeah, I think the new streaming is definitely the problem. We need to comb > over this code and shake it out since it's new. But the idea is a valid > one: deliver the response as it gets written rather than waiting until the > end. We just need to groom it. > > Thanks for catching this Tom. Automated nightly benchmarking is another TO > DO item that isn't DONE, so we need to be vigilant. yes, indeed. I was quite shocked to see this. I hope I can move python.de soon now, where I will run this kind of test suite nightly. Concerning performance I wanted to know how fast Java/JSP/Servlets are on my machine and installed Tomcat (http://onjava.com/lpt/a/780) today. It takes a long time to start, writing even the simplest example is a nightmare, but it is damn fast (I would say the fastest framework I ever tested. Just wonder how this is possible??) -- Tom Schwaller tschwaller@... http://www.python.de

Re: [Webware-discuss] Preformance of CVS Webware version? From: Chuck Esterbrook <echuck@mi...> - 2001-04-27 00:55 At 02:05 AM 4/27/2001 +0200, Tom Schwaller wrote: >yes, indeed. I was quite shocked to see this. I hope >I can move python.de soon now, where I will run >this kind of test suite nightly. > >Concerning performance I wanted to know how fast >Java/JSP/Servlets are on my machine and installed >Tomcat (http://onjava.com/lpt/a/780) today. >It takes a long time to start, writing even the >simplest example is a nightmare, but it is damn fast >(I would say the fastest framework I ever tested. >Just wonder how this is possible??) I don't know, but my biggest concern short term is getting WebKit's speed back to what it was before. My impression of previous versions of WebKit were that they were "plenty fast enough". I haven't seen a problem in development with the new stuff, but then I wouldn't because I'm just one user. -Chuck

Re: [Webware-discuss] Preformance of CVS Webware version? From: Jay Love <jsliv@js...> - 2001-04-28 18:55 Don't worry guys, this is the initial implementation, it hasn't been tuned for speed at all. I want to get the architecture right first. So let's get some comments on that first. Jay Chuck Esterbrook wrote: > At 02:05 AM 4/27/2001 +0200, Tom Schwaller wrote: > >> yes, indeed. I was quite shocked to see this. I hope >> I can move python.de soon now, where I will run >> this kind of test suite nightly. >> >> Concerning performance I wanted to know how fast >> Java/JSP/Servlets are on my machine and installed >> Tomcat (http://onjava.com/lpt/a/780) today. >> It takes a long time to start, writing even the >> simplest example is a nightmare, but it is damn fast >> (I would say the fastest framework I ever tested. >> Just wonder how this is possible??) > > > I don't know, but my biggest concern short term is getting WebKit's > speed back to what it was before. My impression of previous versions > of WebKit were that they were "plenty fast enough". > > I haven't seen a problem in development with the new stuff, but then I > wouldn't because I'm just one user. > > > -Chuck > > > _______________________________________________ > Webware-discuss mailing list > Webware-discuss@... > http://lists.sourceforge.net/lists/listinfo/webware-discuss

1 message has been excluded from this view by a project administrator.

Next Messages