Wine Wiki needs your help!

[Kyle Auble]

On Wed, Jan 16, 2013 at 12:19 AM, Juan Lang wrote:
> Could the password hashes be excluded from the regular tarball? E.g. using --exclude in the tar command?

Sorry I didn't reply sooner, been a little busy the past week. I don't have a
copy of the Wine Wiki data in front of me, but if I remember, the passwords
aren't stored separately at the file level. Each user has a data file (and at
least for v1.5, a .trail and possibly a .bookmark file).

The password is stored as a single record in that file. I'm no security
expert, but my gut feeling is that separating the password data by default
might be a good change upstream. Short of that though, I fiddled with reading
off each password, running it through bcrypt, then putting it back into place
before packing up the files.

It probably wouldn't be too hard to sift out the passwords before archiving
the user directory. Ultimately, it seemed just keeping the user directory out
of the open was the best bet though. My logic was that while there are several
reasons someone might want to "fork" or independently archive the content
(which is LGPL), I couldn't think of a legitimate reason someone would want
everyone's account info without cooperating with the current maintainers.

-Kyle