
Re: [PATCH] default to --no-auth-cache

From: Justin Erenkrantz <jerenkrantz_at_apache.org>
Date: 2003-01-13 22:15:59 CET

--On Monday, January 13, 2003 14:06:48 -0600 "B. W. Fitzpatrick"
<fitz@red-bean.com> wrote:

> I'd like to +1 this patch. If we don't switch the password caching
> behavior to off by default, we're going to wind up getting a BUGTRAQ
> nastygram, a truckload of bad press, and then have to turn it off by
> default anyway.

Sorry, but I disagree. CVS stores its passwords in ~/.cvspass using simple
base-64 encoding. This is no less of a security hole than it was in CVS.
The only difference is that it is stored in the working copy, not in your
home directory. Perhaps we should move the passwords to being in your
~/.subversion directory. (Although I think there are reasons not to move
it there though.)

If you use ra_svn with SSH tunneling, you have the same effect as CVS with
SSH tunneling - no passwords are stored locally.

I believe that this change is only going to result in frustrated users and
make it harder to use SVN out of the box. Everyone *wants* password
caching - security risk or not. -- justin

Received on Mon Jan 13 22:16:50 2003

This is an archived mail posted to the Subversion Dev mailing list.