Re: Feature Request: clients shouldn't store auth-creds

Ben Collins-Sussman wrote:

> On Jan 3, 2005, at 5:03 PM, Tobias Ringström wrote:
>
>> Subversion is pretty unique in that it stores passwords by default.
>
> Doesn't CVS do this?

No, you run "cvs login" which has to store the password for obvious
reasons. But it's an irrelevant comparison, because CVS passwords are
not used over the Internet which is where security matters most. See below.

>> On top of that, it also stores them in plain text,
>
> Doesn't CVS do this?

No, the password is scrambled which is of course not secure, but it does
provide glance-over-shoulder "security".

> I'm not saying that CVS doing something means it's a Good Thing. :-)

Certainly not. :-)

> I'm guessing, though, that not many people are surprised by this
> particular behavior, because CVS does it. Notice that this is the
> first time we've heard complaints about "caching by default".

Nobody uses CVS passwords because it is so insecure. Instead, most
people run CVS via ssh which does not store passwords. It's not a fair
comparison.

/Tobias

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jan 4 00:55:19 2005