Quote from: lachesis on July 23, 2010, 18:22:08
The password definitely shouldn’t be required.I strongly disagree; software should be secure by default, and running bitcoind without a password (or bitcoin -server) is definitely NOT secure.
I just don’t see somebody saying “Man, Bitcoin sucks because I have to add a password to a configuration file before running it as a daemon.” I can see somebody saying “Man, Bitcoin sucks because I accidently ran it with the -server switch and somebody stole all my money.”
I don’t think authentication should be disabled by default if there’s no conf file or the config file doesn’t contain “rpcpassword”, but what if it contains “rpcpassword=”?
I can see both points.
What if the programmer can’t figure out how to do HTTP authentication in their language (Fortran or whatever) or it’s not even supported by their JSON-RPC library? Should they be able to explicitly disable the password requirement?
OTOH, what if there’s a template conf file, with
rpcpassword= # fill in a password here
There are many systems that don’t allow you to log in without a password. This forum, for instance. Gavin’s point seems stronger.
BTW, I haven’t tested it, but I hope having rpcpassword= in the conf file is valid. It’s only if you use -server or -daemon or bitcoind that it should fail with a warning. If it doesn’t need the password, it should be fine. Is that right?
70,777 total views, 70 views today
https://bitcointalk.org/index.php?topic=461.msg5383#msg5383