The makefile has three new targets:
1. hosting: Publish repository and automagically build the archives to
serve to clients.
2. current-checkout.tar.gz: Create an archive of the current project
directory.
3. current-repository.tar.gz: Create an archive of the current project
directory along with the source repository metadata so that the
archive is a full checkout of the project.
Give the same error if the username doesn't exist or if the password
is wrong. If we deliver separate errors, we tell the attacker whether
they've picked a valid password or not.
Also, if username doesn't exist, hash the password anyway to avoid
this timing side-channel attack:
1. Invalid Username:
A. User tries to log in with invalid username.
B. User name is not found in database.
C. Password is never hashed.
2. Invalid Password:
A. User tries to log in with valid username.
B. User name is found in database.
C. Password is hashed.
Given that proper password hashing will take a minute, *not* hashing
the password takes so much less time that we've effectively indicated
to the attacker that the username didn't exist, regardless of the
error message. This way, no such error occurs.
* adjust template to remove nav and top menu for first boot
* base on login_nav.tmpl
* add login and nav to template
* no need for two_cols, don't populate nav unless one exists
* change to u. notation for util, since from foo import * is evil
* make import vendor.foo possible
* vendor dir is part of the repo now, no need to mkdir
* use the vendor.foo notation
* Read python.config from script dir
* Make dirs for pid and run
Maybe making DESTDIR/var/run during make install is not needed because
we can expect the target system to have /var/run, but if it's missing
the CherryPy engine will fail when it tries to write the pid. So I
added it.
* Remove commented out git pull lines. We shouldn't update so automatically.
* Use rsync because it gives us --exclude
* Put docs where the webserver can find them
