
Re: Feature Request: clients shouldn't store auth-creds

From: Michael W Thelen <mike_at_pietdepsi.com>
Date: 2005-01-04 19:07:10 CET

Ben Collins-Sussman wrote:
>> That's the kind of situation that it might be nice to avoid by
>> default, even if just by trivially scrambling the password.
>
> I've argued for a trivial scrambling in the past (like CVS does), but
> some folks are strongly against this, feeling that it will convey a
> false sense of security.

Oops, even after that whole anecdote, I forgot the point I was trying to
make. :-)

I would be in favor of a trivial scrambling of passwords, but I'm even
more in favor of not caching credentials by default. They're two
related but separate issues. The first thing that went wrong in my
story was forgetting to edit ~/.subversion/config, so passwords were
accidentally cached. The accidental nature of it bothers me more than
the plain text passwords. With credential caching off by default, at
least such accidents would be much less likely.

-- 
Michael W Thelen
It is a mistake to think you can solve any major problems just with
potatoes.       -- Douglas Adams

Received on Tue Jan 4 19:10:49 2005

This is an archived mail posted to the Subversion Dev mailing list.
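The accidental caching described in the mail can be checked for after the fact. The sketch below is an added example, not part of the original mail and not Subversion's own code. It assumes the client's `[auth]` options `store-auth-creds` and `store-passwords` in the `config` file, the cache directory `auth/svn.simple`, and the client's `K <len>` / `V <len>` hash-dump file format, none of which are spelled out in the mail. The sample entry is constructed.

```python
import configparser
import io
from pathlib import Path

OFF = {"no", "false", "off", "0"}

def password_caching_enabled(config_text):
    """True unless the [auth] section switches caching off (unset means on)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(config_text)
    return not any(
        cp.get("auth", opt, fallback="yes").strip().lower() in OFF
        for opt in ("store-auth-creds", "store-passwords"))

def _item(stream, tag):
    """Read one 'K <len>' or 'V <len>' record; return None at END/EOF."""
    header = stream.readline().strip()
    if header in (b"END", b""):
        return None
    kind, _, length = header.partition(b" ")
    if kind != tag or not length.isdigit():
        raise ValueError(f"malformed record header: {header!r}")
    data = stream.read(int(length))
    stream.readline()  # newline that terminates the item
    return data.decode("utf-8", "replace")

def parse_cache_entry(raw):
    """Parse one cache file in the K/V hash-dump format (assumed layout)."""
    stream, entry = io.BytesIO(raw), {}
    while (key := _item(stream, b"K")) is not None:
        entry[key] = _item(stream, b"V")
    return entry

def audit(svn_dir):
    """Return (caching_enabled, [realm strings that have a password on disk])."""
    svn_dir = Path(svn_dir)
    cfg = svn_dir / "config"
    enabled = password_caching_enabled(cfg.read_text() if cfg.exists() else "")
    realms = []
    for f in sorted((svn_dir / "auth" / "svn.simple").glob("*")):
        entry = parse_cache_entry(f.read_bytes())
        if "password" in entry:
            realms.append(entry.get("svn:realmstring", f.name))
    return enabled, realms

# Constructed sample cache entry (not real credentials).
SAMPLE = (b"K 8\npassword\nV 6\nhunter\nK 15\nsvn:realmstring\nV 34\n"
          b"<https://svn.example.org:443> Demo\nK 8\nusername\nV 4\nmike\nEND\n")
```

Calling `audit(Path.home() / ".subversion")` reports whether caching is still enabled and which realms already have a password on disk, without printing the password itself.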