NEWS for Salami
=============================================================================

This file has release notes for Salami

Version 0.7+git, not yet released
---------------------------------

* Salami now expects client secrets to be stored hashed in the config
  file, rather than in cleartext as before. This is obviously better
  for security: previously, anyone who could read the config file
  would get the secret directly. Now they have to brute-force it by
  hashing candidate secrets until one matches.

  The hashing method attempts to make such brute-forcing harder by
  using a carefully chosen hashing algorithm (scrypt), and by salting
  to defeat rainbow tables. For each client, a random 16-byte string
  is generated (by reading /dev/urandom) as the salt.

* A new script `salami-hash` is included to generate the hashed client
  secrets for the Salami config file.
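
The scheme described above (scrypt with a random 16-byte salt per client), as an added example that is not Salami's or `salami-hash`'s own code. The scrypt cost parameters, the output length and the record layout are assumptions; the notes only name the algorithm and the salt size.

```python
import hashlib
import hmac
import os

# Assumed cost parameters; the release notes do not state the ones Salami uses.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
KEY_LEN = 64    # assumed digest length in bytes
SALT_LEN = 16   # per the notes: a random 16-byte salt for each client


def hash_secret(secret, salt=None):
    """Return a record (hypothetical layout) holding the salted scrypt hash."""
    if salt is None:
        # os.urandom draws from the kernel CSPRNG that also backs /dev/urandom.
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # The parameters are stored with the hash so they can be raised later
    # without invalidating records created under the old values.
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_secret(candidate, record):
    """Re-derive the hash from the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=len(expected))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: two clients that happen to share the same secret.
    shared = "constructed-example-secret"
    a, b = hash_secret(shared), hash_secret(shared)
    # Different salts give different hashes, so one precomputed table
    # cannot cover both clients and equal secrets are not visible.
    print("hashes differ:", a["hash"] != b["hash"])
    print("correct secret accepted:", verify_secret(shared, a))
    print("wrong secret rejected:", not verify_secret("guess", a))
```
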

Version 0.7, released 2018-02-01
---------------------------------

* Add support for OAuth2 client credential grant. Do NOT use this yet.
  The credential is stored in cleartext server-side.

* This release is made only to facilitate internal testing.

Version 0.6, released 2017-11-17
---------------------------------

* `start_salami` fixed to set the right environment variable to point
  at the configuration file when starting Salami.

Version 0.5, released 2017-11-16
---------------------------------

* `start_salami` script can now start production or debugging
  variants.

* Yarn scenario tests have been added.

Version 0.4, released 2017-11-15
---------------------------------

* Fixed `start_salami` to use the right log file for gunicorn3.

Version 0.3, released 2017-11-15
---------------------------------


Version 0.2, released 2017-11-14
---------------------------------


Version 0.1, released 2017-11-14
----------------------------------

First release.