
Re: Feature Request: clients shouldn't store auth-creds

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2005-01-04 08:18:24 CET

On Mon, 2005-01-03 at 18:54, Tobias Ringström wrote:
> No, you run "cvs login" which has to store the password for obvious
> reasons. But it's an irrelevant comparison, because CVS passwords are
> not used over the Internet which is where security matters most. See below.

(1) The Subversion project used CVS passwords over the Internet, when we
used CVS. Lots of other projects do too.

(2) The safety of the password over the net is totally orthogonal to the
safety of the password as stored on the client (or server). We already
have a decent story there.

> No, the password is scrambled which is of course not secure, but it does
> provide glance-over-shoulder "security".

Essentially worthless, since there's no need to look at the client
password file.

> Nobody uses CVS passwords because it is so insecure. Instead, most
> people run CVS via ssh which does not store passwords. It's not a fair
> comparison.

But you can use svn over ssh too. It's almost exactly the same story,
and it's a perfectly fair comparison.

Received on Tue Jan 4 08:19:39 2005

This is an archived mail posted to the Subversion Dev mailing list.
