RE: proposal: config option to prevent password storage

From: Barry Scott <barry.alan.scott_at_ntlworld.com>
Date: 2002-09-21 12:46:37 CEST

I would put this more strongly. You must default to a policy
of being secure.

I do not trust myself or my users to remember to block this
security hole reliably.

I propose you change to --auth-cache to permit caching
and that the config defaults to store_password = no.

Having a daemon like SSH uses to keep the ssh-keys would be a
nice middle way to keep the svn auth info only for the life of
a session.

Barry

> -----Original Message-----
> From: Kirby C. Bohling [mailto:kbohling@birddog.com]
> Sent: 20 September 2002 23:23
> To: Ben Collins-Sussman
> Cc: Robert Schiele; dev@subversion.tigris.org
> Subject: Re: proposal: config option to prevent password storage
>
>
> On Fri, 2002-09-20 at 17:25, Ben Collins-Sussman wrote:
> > Robert Schiele <rschiele@uni-mannheim.de> writes:
> >
> > > Hello,
> > >
> > > I would propose to add a config option that prevents storage of the
> > > password on the client side.
> > >
> > > Sometimes I want to checkout a copy of the repository on an unsecure
> > > site. This wouldn't be acceptable if the client stored my password on
> > > the disk.
> >
> > Already done. Try passing --no-auth-cache to any svn command.
>
> Any way to stick that into "Always on"? It'd be one of those things I'd
> forget to add at an insecure site. I'd be much happier if I had to
> remember to run it on, especially, because I'd only have to do it once
> to get it cached, and it'd beat me over the head until I remember to get
> it cached....
>
> Thanks,
> Kirby
>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: dev-help@subversion.tigris.org
> >
> --
> Real Programmers view electronic multimedia files with a hex editor.
>

Received on Sat Sep 21 12:47:20 2002

This is an archived mail posted to the Subversion Dev mailing list.