On 19 October 2010 10:18, Johan Corveleyn <jcorvel_at_gmail.com> wrote:
> On Tue, Oct 19, 2010 at 9:46 AM, Stephen Connolly
> <stephen.alan.connolly_at_gmail.com> wrote:
>> Exposing the feature would not in and of itself force the client to use
>> the keyring, but it would allow the server to have a start-commit hook
>> that blocked a commit if the user had plaintext password storage
> Just keep in mind that alerting users with a start-commit hook only
> works for users that actually commit, of course. You won't reach users
> that merely checkout/update/log/blame/...
True, but that assumes you require authentication to have read access.
We do not require authentication for read, only for write.
> It might be a better solution to implement this check at a lower
> level, in the ra-protocols (naïvely, e.g. with http(s): client sends
> with every request a header announcing the way it stores its
> password). Of course, you'd like to do this without adding too much
> overhead (handshaking, ... for every tiny request that the client
> makes to the server). Maybe there is already some functionality
> present for protocol/feature negotiation, I don't know ...
> Just my 0.02€
I agree that this would be better!
Received on 2010-10-19 12:30:32 CEST
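
The server-side check discussed in this thread, sketched as a start-commit hook; this is an added example, not part of the original messages and not Subversion's own code. It relies on the colon-separated CAPABILITIES argument that Subversion passes to start-commit, and the capability token `encrypted-auth-store` is hypothetical, standing in for the feature the thread proposes.

```shell
#!/bin/sh
# start-commit hook sketch. Subversion invokes the hook as:
#   start-commit REPOS-PATH USER CAPABILITIES
# CAPABILITIES is a colon-separated list reported by the client.

# HYPOTHETICAL token: no Subversion client announces this capability.
# It stands in for the password-storage feature proposed in the thread.
REQUIRED_CAP="encrypted-auth-store"

# Return 0 if the colon-separated list $1 contains exactly the token $2.
# Wrapping both sides in ':' prevents substring matches such as
# "not-encrypted-auth-store".
has_capability() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide whether a commit may start. Fails closed: a client that sends
# no capability list, or one without the token, is refused.
allow_commit() {
    user=$1
    caps=$2
    if has_capability "$caps" "$REQUIRED_CAP"; then
        return 0
    fi
    # stderr from a failing hook is relayed to the committing client.
    echo "Commit refused for '$user': client did not announce '$REQUIRED_CAP'." >&2
    echo "Enable encrypted password storage and retry." >&2
    return 1
}

# Act as a hook only when Subversion supplies its three arguments.
if [ "$#" -ge 3 ]; then
    allow_commit "$2" "$3" || exit 1
fi
```

The capability is self-reported by the client, so the hook enforces policy on cooperative clients rather than proving how a password is stored. As noted in the thread, it is only reached by users who commit.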