From 9ed1f7d7f5d90d03f75fd3ba97cecd9861c63818 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 1 Feb 2018 16:17:52 +0200 Subject: Update: NEWS --- NEWS | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 9ab10b5..0a04d9a 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,19 @@ This file has release notes for Salami Version 0.7+git, not yet released --------------------------------- +* Salami now expects client secrets to be stored hashed in the config + file, instead of as cleartext, as previously. This is obviously + better for security: previously, anyone who could read the config + file would get the secret directly. Now they have to brute-force + guess it by hashing all possibilities. + + The hashing method attempts to make such brute-forcing harder by + using a carefully chosen hashing algorithm (scrypt), and using + salting to prevent rainbow tables. For each client, a random 16 byte + string is generated (by reading /dev/urandom) as the salt. + +* A new script `salami-hash` is included to generate the hashed client + secrets for the Salami config file. Version 0.7, released 2018-02-01 --------------------------------- -- cgit v1.2.1
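Review bot: The first new entry in the NEWS hunk announces a change in what the config file must contain (hashed instead of cleartext client secrets) but does not say what happens to existing cleartext entries after upgrade or what an operator has to do about them. Add a sentence covering that, and point to `salami-hash` there, so the migration step sits beside the change instead of in a separate bullet. The scrypt paragraph names the algorithm and the salt length but not the cost parameters, and those determine how much harder the brute-forcing actually becomes. Either state them or say where they are defined. Minor wording: "random 16 byte string" should be "random 16-byte string", and "instead of as cleartext, as previously" reads more cleanly as "instead of as cleartext".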