On Wed, Mar 20, 2013 at 08:42:17PM -0400, David Nalley wrote:
> On Wed, Mar 20, 2013 at 8:34 PM, Chip Childers
> <chip.child...@sungard.com> wrote:
> > On Wed, Mar 20, 2013 at 11:26:50AM -0700, Vijayendra Bhamidipati wrote:
> >> Hi Chip, Prasanna,
> >>
> >> Yes, the change is pretty straightforward, the reasoning is to make
> >> default password encoding more secure because the SHA256salted
> >> authenticator recently added by Hugo salts the passwords while the
> >> existing MD5 authenticator doesn't, and is the default. This change gives
> >> the CS admin the flexibility to choose the ordering of the
> >> encoders/authenticators. No new authenticator/encoder classes needed to be
> >> added, the existing ones are simply used better.
> >>
> >> Upgrade scenarios were considered and these changes will have no effect on
> >> upgrades. Only new users and updated users will have their passwords
> >> encoded by the first valid encoder in the UserPasswordEncoder list.
> >> Existing users will still get authenticated as before since authentication
> >> passes through all the authenticators available in the UserAuthenticator
> >> list until one of them succeeds or all fail.
> >>
> >> Regards,
> >> Vijay
> >
> > Does everyone believe that this is a valid change for 4.1? Or should we
> > wait for 4.2 or 4.1.1?
> >
>
> 4.2
> Review request is for master
> Let's try and minimize change to 4.1 if at all possible.
>
> --David
>

The bug was marked for 4.1, which was the confusion. I've changed the bug fix-version to 4.2. This can be reviewed by Hugo or Kelvin as requested by Vijayendra.
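
The ordering behaviour described in the quoted message, as an added example that is not part of this thread and is not CloudStack code: new and updated passwords are encoded by the first encoder in the list, while login walks the authenticator list until one succeeds. The class names, stored-hash formats and the `legacy_users` check are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, re

class MD5Scheme:  # hypothetical stand-in for the unsalted MD5 authenticator
    name = "MD5"
    def encode(self, password):
        return hashlib.md5(password.encode()).hexdigest()
    def authenticate(self, password, stored):
        return hmac.compare_digest(self.encode(password).encode(), stored.encode())

class SHA256SaltedScheme:  # hypothetical stand-in; assumed format "b64(salt):b64(digest)"
    name = "SHA256SALT"
    def encode(self, password, salt=None):
        salt = os.urandom(16) if salt is None else salt
        digest = hashlib.sha256(salt + password.encode()).digest()
        return base64.b64encode(salt).decode() + ":" + base64.b64encode(digest).decode()
    def authenticate(self, password, stored):
        if ":" not in stored:
            return False  # not this scheme's format, let the next authenticator try
        try:
            salt = base64.b64decode(stored.split(":", 1)[0], validate=True)
        except ValueError:
            return False
        return hmac.compare_digest(self.encode(password, salt).encode(), stored.encode())

class UserDirectory:
    def __init__(self, encoders, authenticators):
        self.encoders, self.authenticators, self.stored = encoders, authenticators, {}
    def set_password(self, user, password):
        # New and updated passwords are encoded by the first encoder in the list.
        self.stored[user] = self.encoders[0].encode(password)
    def login(self, user, password):
        # Walk the authenticators in order until one succeeds or all fail.
        stored = self.stored.get(user)
        for auth in (self.authenticators if stored is not None else []):
            if auth.authenticate(password, stored):
                return auth.name
        return None
    def legacy_users(self):
        # Accounts whose stored value still looks like an unsalted MD5 hex digest.
        return sorted(u for u, h in self.stored.items() if re.fullmatch(r"[0-9a-f]{32}", h))

def demo():
    md5, sha = MD5Scheme(), SHA256SaltedScheme()
    d = UserDirectory(encoders=[sha, md5], authenticators=[sha, md5])
    d.stored["alice"] = md5.encode("old-secret")  # constructed pre-upgrade record
    d.set_password("bob", "new-secret")           # new user after the ordering change
    before = (d.login("alice", "old-secret"), d.login("bob", "new-secret"), d.legacy_users())
    d.set_password("alice", "changed")            # a password update re-encodes the record
    after = (d.login("alice", "changed"), d.legacy_users())
    return before, after
```

Running `demo()` shows that the pre-upgrade account stays on the unsalted MD5 hash until its password is updated, which is why an inventory like `legacy_users()` is worth keeping after reordering the encoders.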