Tonight, I did something wrong. I updated nearly 50% of the users password to access your Subversion repositories with the wrong password. Oups. So let me explain a bit how this Subversion password works and why such error.
As you know, your subversion password is not the same as your standard password, but it is derived from your salted/hashed password and the secret key of your forge. The problem in the update was coming from the secret key of your forge.
The secret key of your forge is a very long string used to perform hash control of a lot of elements in your forge. There is a unique secret key for each forge. The secret key, in the hosted forge setup, is composed of two parts: a baseline key and a unique per forge key. The resulting key is just the concatenation of both keys.
The Subversion password is composed of the first 8 characters of the sha1 hash of your salted/hashed password and the secret key:
substr(sha1($password.$secret_key), 0, 8);
So, now you know how one create your Subversion password.
Indefero is composed of two parts, the public website where you can create a new forge or upgrade your forge. This part has its own secret key. The hosted forges themselves, they have a baseline key + a unique key for each forge.
Now, when I upgraded the access right information tonight, I ran the upgrade script in the context of the public website to get the list of all the forges, then for each forge, I switched to what I called the ''forge context'' to perform the upgrade. But the baseline key was set to use the secret key of the public website as I used the public website configuration file. This is why all the accounts which were touched had their password regenerated with the wrong secret key, preventing you to access your forge. Please accept my sincere apologizes for this error.
Here is what I have setup to prevent such problem in the future:
- Automatic regular test update/commit/checkout against a test repository.
- Skeleton scripts to perform the maintenance with correct configuration.