index aa5ab850556f8f9d6167be86a6048ebf1973d09f..6b9d05a7a2d8a0174c6df089b7b6c45629c49c67 100644 (file)
--- a/roundup/configuration.py
+++ b/roundup/configuration.py
(IntegerNumberOption, 'password_pbkdf2_default_rounds', '10000',
"Sets the default number of rounds used when encoding passwords\n"
"using the PBKDF2 scheme. Set this to a higher value on faster\n"
- "systems which want more security."),
+ "systems which want more security.\n"
+ "PBKDF2 (Password-Based Key Derivation Function) is a\n"
+ "password hashing mechanism that derives hash from the\n"
+ "password and a random salt. For authentication this process\n"
+ "is repeated with the same salt as in the stored hash.\n"
+ "If both hashes match, the authentication succeeds.\n"
+ "PBKDF2 supports a variable 'rounds' parameter which varies\n"
+ "the time-cost of calculating the hash - doubling the number\n"
+ "of rounds doubles the cpu time required to calculate it. The\n"
+ "purpose of this is to periodically adjust the rounds as CPUs\n"
+ "become faster. The currently enforced minimum number of\n"
+ "rounds is 1000.\n"
+ "See: http://en.wikipedia.org/wiki/PBKDF2 and RFC2898"),
)),
("tracker", (
(Option, "name", "Roundup issue tracker",
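Review bot: The added help text hard-codes `The currently enforced minimum number of rounds is 1000`, while the check that enforces that limit is outside this hunk, so the description will go stale without notice if the limit changes. Building the sentence from the constant the check uses, or wording it as "a minimum is enforced", avoids that. The text also does not say whether a changed value applies only to newly stored passwords or to existing hashes as well; that behaviour is not visible here and should be confirmed and stated, since an administrator raising the value needs to know it. The unchanged default of `'10000'` on the context line is well below current published guidance for PBKDF2 and is worth revisiting separately. The option tuple starts and ends outside the hunk.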
), "Roundup Mail Gateway options"),
("pgp", (
(BooleanOption, "enable", "no",
- "Enable PGP processing. Requires pyme."),
+ "Enable PGP processing. Requires pyme. If you're planning\n"
+ "to send encrypted PGP mail to the tracker, you should also\n"
+ "enable the encrypt-option below, otherwise mail received\n"
+ "encrypted might be sent unencrypted to another user."),
(NullableOption, "roles", "",
"If specified, a comma-separated list of roles to perform\n"
"PGP processing on. If not specified, it happens for all\n"
- "users."),
+ "users. Note that received PGP messages (signed and/or\n"
+ "encrypted) will be processed with PGP even if the user\n"
+ "doesn't have one of the PGP roles, you can use this to make\n"
+ "PGP processing completely optional by defining a role here\n"
+ "and not assigning any users to that role."),
(NullableOption, "homedir", "",
"Location of PGP directory. Defaults to $HOME/.gnupg if\n"
"not specified."),
+ (BooleanOption, "encrypt", "no",
+ "Enable PGP encryption. All outgoing mails are encrypted.\n"
+ "This requires that keys for all users (with one of the gpg\n"
+ "roles above or all users if empty) are available. Note that\n"
+ "it makes sense to educate users to also send mails encrypted\n"
+ "to the tracker, to enforce this, set 'require_incoming'\n"
+ "option below (but see the note)."),
+ (Option, "require_incoming", "signed",
+ "Require that pgp messages received by roundup are either\n"
+ "'signed', 'encrypted' or 'both'. If encryption is required\n"
+ "we do not return the message (in clear) to the user but just\n"
+ "send an informational message that the message was rejected.\n"
+ "Note that this still presents known-plaintext to an attacker\n"
+ "when the users sends the mail a second time with encryption\n"
+ "turned on."),
), "OpenPGP mail processing options"),
("nosy", (
(RunDetectorOption, "messages_to_author", "no",
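Review bot: `require_incoming` is declared as a plain `Option`, so nothing visible in this hunk restricts it to the three documented values. A misspelled value (a constructed example: `encypted`) would be accepted at load time, and how the mail gateway then treats it depends on code outside the hunk. Because this setting decides whether unsigned or cleartext mail is accepted, it should be validated when the configuration is parsed: use an option class that accepts only `signed`, `encrypted` or `both` and raises on anything else, if this module has one. Separately, `encrypt` defaults to `"no"` although the new `enable` text says mail received encrypted may then be sent on unencrypted; the `encrypt` description should say so too, e.g. `"If this is off, mail that arrived encrypted may be forwarded in clear.\n"`. The `pgp` option tuple starts above the hunk.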