
Re: the report from PyCon

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2006-03-02 19:04:04 CET

On Mon, 2006-02-27 at 19:37 -0600, Ben Collins-Sussman wrote:
> * He heavily
> recommends we take a look at it, that it's much better than
> svnserve's CRAM-MD5.

The cram-md5 code is there because it's (1) implementable in a very
small amount of code, and (2) a defined SASL mechanism. I have no
illusions that it has good authentication properties, except that an
attacker listening to the network would have a very difficult time
recovering the password.

I don't want to see us adding more original authentication code to
svnserve, particularly if it's not a defined SASL mechanism. Instead, I
want someone to write code to link ra_svn and svnserve against a SASL
library which will do all this work for us. We know there are some
issues there, and it's not an easy bit of glue to write, but more
homegrown crypto does not seem like the answer.

Received on Thu Mar 2 19:05:42 2006

This is an archived mail posted to the Subversion Dev mailing list.
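
The CRAM-MD5 exchange discussed in the message above, as an added example that is not part of the original mail and is not svnserve's code. It follows the generic RFC 2195 challenge/response shape rather than the ra_svn wire framing; the hostname, user database and credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname="svn.example.invalid"):
    """Server: fresh, unpredictable challenge in RFC 2195's <random.timestamp@host> shape."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client: send username and HMAC-MD5(key=password, msg=challenge), never the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(user_db, challenge, response):
    """Server: recompute the digest from the stored secret; return the username or None."""
    try:
        # The digest is the last space-separated field; usernames may contain spaces.
        username, digest = response.decode().rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    password = user_db.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison on bytes (also tolerates non-ASCII junk in the digest field).
    return username if hmac.compare_digest(expected.encode(), digest.encode()) else None


def demo():
    user_db = {"alice": "correct horse"}  # constructed credentials (assumption)
    c1 = make_challenge()
    r1 = client_response("alice", "correct horse", c1)
    c2 = make_challenge()  # a later session gets a different challenge
    return {
        "accepted": server_verify(user_db, c1, r1),
        "password_on_wire": b"correct horse" in c1 + r1,
        "replay_accepted": server_verify(user_db, c2, r1),
        "wrong_password": server_verify(user_db, c1, client_response("alice", "guess", c1)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the challenge and the digest cross the wire, which is the eavesdropping property the message refers to. The server still has to hold the password in a form usable as the HMAC key, and a captured challenge/response pair can be used to test password guesses offline, so the mechanism's strength depends on password quality.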