On Wed, Jan 16, 2013 at 12:19 AM, Juan Lang wrote:
> Could the password hashes be excluded from the regular tarball? E.g. using --exclude in the tar command?
Sorry I didn't reply sooner, been a little busy the past week. I don't have a copy of the Wine Wiki data in front of me, but if I remember, the passwords aren't stored separately at the file level. Each user has a data file (and at least for v1.5, a .trail and possibly a .bookmark file).
The password is stored as a single record in that file. I'm no security expert, but my gut feeling is that separating the password data by default might be a good change upstream. Short of that though, I fiddled with reading off each password, running it through bcrypt, then putting it back into place before packing up the files.
It probably wouldn't be too hard to sift out the passwords before archiving the user directory. Ultimately, it seemed just keeping the user directory out of the open was the best bet though. My logic was that while there are several reasons someone might want to "fork" or independently archive the content (which is LGPL), I couldn't think of a legitimate reason someone would want everyone's account info without cooperating with the current maintainers.
-Kyle
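As an added example (not Kyle's script and not Wine Wiki or MoinMoin code), the "sift out the passwords before archiving" approach from the reply: a filter that drops the password record from each user file while packing the directory into a tarball, plus a pre-release check that no member of the resulting archive still carries one. It assumes a hypothetical layout of one `key=value` record per line with the key `password`, and uses constructed sample data.

```python
"""Scrub the password record from wiki user files before archiving.
Assumed layout (hypothetical, not from the post or from MoinMoin): each
user file holds one "key=value" record per line; the password record uses
the key "password". SAMPLE_FILES is constructed data, not real user data."""
import io
import tarfile

PASSWORD_KEY = "password"                 # assumed record name
KEEP_AS_IS = (".trail", ".bookmark")      # extra per-user files named in the post

SAMPLE_FILES = {                          # constructed: file name -> raw contents
    "1358294400.12.34567": b"name=alice\nemail=alice@example.org\n"
                           b"password={SHA}c0nstructedHash\nlanguage=en\n",
    "1358294400.12.34567.trail": b"FrontPage\nDeveloperFaq\n",
}

def scrub_user_record(text):
    """Return the user file contents with the password record dropped."""
    kept = []
    for line in text.splitlines(keepends=True):
        key, sep, _ = line.partition("=")
        if sep and key.strip() == PASSWORD_KEY:
            continue                      # drop the password record entirely
        kept.append(line)
    return "".join(kept)

def build_tarball(files, scrub=True):
    """Pack files into an in-memory gzip tarball, scrubbing passwords by default."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(files):
            data = files[name]
            if scrub and not name.endswith(KEEP_AS_IS):
                data = scrub_user_record(data.decode("utf-8")).encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def members_with_passwords(tar_bytes):
    """Pre-release check: names of archive members still carrying a password record."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            text = tar.extractfile(member).read().decode("utf-8")
            if scrub_user_record(text) != text:
                found.append(member.name)
    return found
```

Running `members_with_passwords(build_tarball(SAMPLE_FILES))` should return an empty list; the same check on `build_tarball(SAMPLE_FILES, scrub=False)` names the unscrubbed user file.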