[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Writing svn-agent (Was Re: [PATCH] default to --no-auth-cache)

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2003-01-14 23:05:29 CET

<rbb@rkbloom.net> writes:
> Well, how are your friends who can't get ssh-agent working using ssh? Do
> they have passphrases in their keys? If so, then they are typing their
> passwords all the time.

No, they just type their regular passwords, which are much shorter.
But that's comparing apples and oranges, I don't think it's relevant
to this discussion. (Among other things, we shouldn't be paying the
same price to protect svn passwords as to protect login passwords,
because they're not as valuable as login passwords.)

> If not, then svn-agent will work the same way as ssh-agent.
>
> The only place that svn-agent doesn't replace auth caching, is if you
> aren't using client-side certs, and you don't have svn-agent running.
> If we can make svn-agent easy to use though, this case will go away.

Sure, I understand the advantages of an agent. But still, my question
is: "What's our win here?" I don't see much of a security gain, and I
do see a convenience loss (both for users and for code developers).

There is no way we can make it as easy to use as straight disk
caching. We can do our best, but it will *always* be more error
prone, because it's got more surfaces.

Obviously, you can work on what you want, and I don't think the agent
is a bad idea. It's just not a solution to our current auth problems,
IMHO.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jan 14 23:51:23 2003

This is an archived mail posted to the Subversion Dev mailing list.