
Re: SV: Re: SV: Re: SV: Re: Integration with Bugtracking Systems / Issue trackers

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2006-08-25 13:36:17 CEST

sverhagen@wps-nl.com wrote:

> Agreed. The security is an issue I did not address. How about asking the
> user on first use if he/she agrees on running the file or opening the web
> page?
> If we would be asking this kind of confirmation, does Tortoise have a
> system in place for persisting such user preferences?

You'd have to store the answer somewhere in a 'safe' place. Maybe the
registry under HKCU (so each user can decide whether to run it or not).

> Are all the properties persisted server-side, otherwise this one would
> possibly be a candidate not to be, based on these security concerns.

Properties are all stored on the server (and of course mirrored in the
working copy).

>> Where do you want to get the username and password from? Yes,
>> Subversion stores them if you ask it to, but there's no way to
>> find the right one without contacting the repository first -
>> and that's something I won't allow in the commit dialog.
>
> Does this mean I won't have the password available every time, or just when
> a user did not yet previously save the password in Tortoise?
> If that's the case I'll be forced to have my companion software to store
> its own password settings.

I'd say you don't have username/password available at all. Even when
Subversion has stored those locally, there's no reliable way to find it
without contacting the repository first.
Because Subversion stores those in a file, with the filename being a
hash of the authentication realm string (e.g.
"<http://tortoisesvn.tigris.org:80> CollabNet Subversion Repository").
And you can't find that string without contacting the repository and
actually asking for access.

> How is it the case, like you say, that Subversion stores the password?
> Isn't it Tortoise? Because I am not actively running any client software
> from Subversion (apart from Tortoise, I mean).

It's Subversion doing the authentication and also the saving of them (if
asked to). Because Subversion has the network layers, not TortoiseSVN.

> Did you think about any possible additional escape characters?

You lost me here. What would escape chars be used for?

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on Fri Aug 25 13:36:35 2006

This is an archived mail posted to the TortoiseSVN Dev mailing list.
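
The credential-cache layout described in the mail, as an added example that is not part of the original post and is not TortoiseSVN or Subversion code: it derives a cache file name from a realm string and audits one entry for a password saved unencrypted, without returning the secret. Assumptions not stated in the mail: the hash is MD5 in hex, the file uses Subversion's `K <len>` / `V <len>` / `END` serialization, and `passtype` `simple` marks an unencrypted password; the user name and password in the sample are constructed.

```python
import hashlib

def cache_filename(realm: str) -> str:
    # Assumption (Subversion behaviour, not stated in the mail): MD5, hex-encoded.
    return hashlib.md5(realm.encode("utf-8")).hexdigest()

def parse_hash_dump(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' into {key: value bytes}."""
    fields, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)  # raises ValueError if the file is truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError(f"expected {tag!r} header at offset {pos}")
        size, start = int(header[1]), eol + 1
        item = data[start:start + size]
        if len(item) != size or data[start + size:start + size + 1] != b"\n":
            raise ValueError(f"bad length at offset {pos}")
        pos = start + size + 1
        return item

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key.decode("utf-8")] = read_item(b"V")
    return fields

def audit_entry(filename: str, data: bytes) -> dict:
    """Summarise one cache file; the stored secret itself is never returned."""
    f = parse_hash_dump(data)
    realm = f.get("svn:realmstring", b"").decode("utf-8")
    passtype = f.get("passtype", b"").decode("utf-8")
    return {"realm": realm,
            "username": f.get("username", b"").decode("utf-8"),
            "passtype": passtype,
            "name_matches_realm": filename == cache_filename(realm),
            "plaintext_password": "password" in f and passtype == "simple"}

def make_sample(realm: str, passtype: str) -> bytes:
    """Constructed sample entry (user name and password are made up)."""
    pairs = [("passtype", passtype), ("password", "not-a-real-password"),
             ("svn:realmstring", realm), ("username", "alice")]
    body = "".join(f"K {len(k.encode())}\n{k}\nV {len(v.encode())}\n{v}\n" for k, v in pairs)
    return (body + "END\n").encode("utf-8")

REALM = "<http://tortoisesvn.tigris.org:80> CollabNet Subversion Repository"

if __name__ == "__main__":
    print(audit_entry(cache_filename(REALM), make_sample(REALM, "simple")))
```

The file name can only be computed once the exact realm string is known, which is the limitation the mail describes for the commit dialog.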
