
Re: subversion reveals passwords

From: Stefan Sperling <stsp_at_elego.de>
Date: Mon, 7 Apr 2008 14:15:18 +0200

Hadmut,

I forgot to Cc you when I sent the mail below.

Did you get this mail? What do you think of this proposal?

What do others think?

On Sun, Apr 06, 2008 at 11:32:03PM +0200, Stefan Sperling wrote:
> On Sun, Apr 06, 2008 at 04:55:36PM -0400, Karl Fogel wrote:
> > "Erik Huelsmann" <ehuels_at_gmail.com> writes:
> > > Well, there's a big chance of me being perceived as rude after my
> > > next statement, but this has been discussed *many* times before.
> > >
> > > The choice to store passwords in plain text has been a very conscious
> > > decision; it has also been replaced by more appropriate storage
> > > mechanisms on platforms which support that (Keychain on OSX,
> > > Crypto-API on Windows). Unfortunately, Linux doesn't feature a
> > > *standardized* crypto-agent. We don't need people lecturing us what's
> > > secure and what's not: we need people implementing secure storage
> > > mechanisms or patches to Subversion to support these mechanisms.
> >
> > Basically agree with your sentiment, but:
> >
> > We could switch to a default of not storing plaintext passwords, if we
> >
> > 1) Had a run-time option ('--store-password' or something) that
> > causes it to be stored permanently for that working copy, and
> >
> > 2) Had a config option to turn on password-storing as a default
>
> +1
>
> I'd rather post a patch than simply agree though.
>
> I'm interested in changing this since I've been thinking that
> Subversion should default to not storing the password in clear
> text since I found out it does. Maybe I'll find time some day :)
>
> I think we should default to not storing on platforms where we
> don't have a better option than clear text, and default to storing
> the password on those that do. This might confuse people who expect
> Subversion to behave consistently across platforms, but other than
> that it's the best of both worlds.
>
> --
> stefan
> http://stsp.name PGP Key: 0xF59D25F0

-- 
Stefan Sperling <stsp_at_elego.de>                 Software Developer
elego Software Solutions GmbH                            HRB 77719
Gustav-Meyer-Allee 25, Gebaeude 12        Tel:  +49 30 23 45 86 96 
13355 Berlin                              Fax:  +49 30 23 45 86 95
http://www.elego.de                 Geschaeftsfuehrer: Olaf Wagner

Received on 2008-04-07 14:14:00 CEST

This is an archived mail posted to the Subversion Dev mailing list.
