[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnump3d-users] New release ..

From: Steve Kemp
Subject: [Gnump3d-users] New release ..
Date: Tue, 16 Oct 2007 16:32:42 +0100
User-agent: mutt-ng/devel-r804 (Debian)

  Good news;  New release is imminent.

  Bad news:  Password authentication is going away completely.


  The idea of password authentication was born back when I first
 started releasing the project and happened to notice that I could
 find many public servers which were open to the internet.

  I figured this was probably a bad idea, and that there should be
 a way to stop it.

  I went about this in two ways:

    1.  Added a password protection.

    2.  Added IP-based restrictions.

  The later work, work well, and are going to continue to be supported.

  The former is mostly broken.  Why?  Because the simple fact is that
 MP3 clients do not support auth (or if they do then very very rarely).
 This suggests one of two things:

    1.  That passwords shouldn't be mandatory for .mp3/.m3u files.

    2.  That the playlists should be smarter.
       (eg.  http://foo:8888/passhash/file.mp3, rather than just

  The former is what I went for.  In retrospect this was a mistake.
 I should have placed a hash of the password in the playlists which
 are generated - thus seamlessly getting password support for clients.

  Instead I elected to allow music clients to fetch files without
 passwords and to be honest the protection that is left is not great.

  The previous release included a new hashing mechanism, so I'm sorry
 to remove it, but the simple fact is that the password protection is
 not robust enough to be reliable and most of the support mails I
 receive are related to it in some way.

Why now?

  Another hole was disclosed.  If you telnet to your GNUMP3d server
 and type:

   GET / HTTP/1.0

  All looks good.  You'll get a 403 header back.

  Now try this instead

  GET /

  No password prompt.


The Future

  So despite the previous release being final this time I'm going to
 have to release an update.   This will have three changes:

    1.  Remove password auth.

    2.  Remove the split warning.

    3.  Update the version number to 3.0

    4.  Remove /bug/  (which reports to me by email).

  I do still intend to rewrite the code in a better fashion, but that
 has stalled.  Again.  If people wish to commit to working on it with
 me that would be useful...  Otherwise it'll probably happen very very
 very slowly, or not at all.
# Commercial Debian GNU/Linux Support

Attachment: pgpA0KVRg5B5M.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]