[vlc-devel] [PATCH] keystore: always store to the memory keystore
Thomas Guillem
thomas at gllm.fr
Tue Dec 15 16:54:21 CET 2020
On Tue, Dec 15, 2020, at 16:42, Rémi Denis-Courmont wrote:
> On Tuesday, 15 December 2020, 17:01:37 EET, Thomas Guillem wrote:
> > On Tue, Dec 15, 2020, at 15:50, Rémi Denis-Courmont wrote:
> > > On Tuesday, 15 December 2020, 14:03:04 EET, Thomas Guillem wrote:
> > > > The memory keystore was never used if the system keystore was functional.
> > > > This caused several issues:
> > > > - No caching of the system keystore (slower)
> > > > - Guest account always tried in the first place on some access modules
> > > >   (mainly SMB ones).
> > >
> > > Both of those alleged issues seem like intended behaviour, also not
> > > related, and with the latter not a core concern.
> >
> > And yet, it's very hard to fix the Guest connection issue inside a module.
>
> Still, the core has zero notion of what is a guest account. That's a protocol-
> specific thing, and it does not seem like it should even involve account
> management, since a guest account is a non-account.
>
> Indeed, the password manager is not necessary for anonymous FTP login, or for
> not using HTTP authentication.
>
> > Indeed, requesting the system keystore can cause a user interaction (enter a
> > passphrase, pin, fingerprint), that is why it is requested after the second
> > try. So if the memory keystore is not used, you won't be able to get the
> > last saved credential on the first try.
> >
> > As a result, when browsing smb2, you will always try to connect to the Guest
> > account first, then use the user one.
> > > And it's not clear from the description how cache maintenance (cleaning
> > > and invalidation) would work.
> >
> > The memory keystore can't be cleared for now.
>
> So don't use a cache.
I always stated when I wrote the credential/keystore API that accessing the system keystore may cause a user interaction.
Trying to use VLC's cache before prompting a UI seems a good idea to me.
That is the main goal of this patch.
>
> > It's easy to implement but it needs a new UI and a libvlc API.
>
> I don't think the user should have to learn about how and when to clear the
> credential cache of an application, and the VLC GUI is plenty cluttered enough
> as it is.
>
> If you can't invalidate the cache, don't use a cache.
I don't think it's an issue. I forgot to mention the cache is invalidated automatically in case of login failure.
>
> > When logging with gnome nautilus on network shares, it is not possible to
> > clear the cache
>
> That sounds like a bug in GNOME and I don't want to copy GNOME bugs.
I don't think it's a bug, they mention the condition "Until you log out". Like you said, adding a button to clear the cache might not be a good solution since it pollutes the UI for a corner case.
> --
> Rémi Denis-Courmont