HIROSHIMA Naoki <nh-svn@iron-horse.org> writes:
> Since I have never been using Subversion with anything other than
> svn+ssh, it has never been any issue to me. But when I started using
> https recently, I realized that my password was stored in cleartext in
> ~/.subversion/auth/svn.simple/whatever. Not so great.
>
> Then, I have googled the archives but couldn't find any patch or plan to
> solve it. So, I wrote a silly patch as below that makes a password
> somewhat obscure using base64.
>
> Maybe Subversion guys are such perfectionists that this kind of hack is
> just not wanted at all. I agree that while this way actually doesn't
> improve current security, it might give people the wrong impression.
>
> But I believe this silly hack is still better than nothing until proper
> ways are implemented by someone in the future.

Thanks for the patch. This topic has come up before, as you might
imagine, and we've decided not to obscure the password, because it
might give a false sense of security (the directory's permissions
protect the password, of course).

There's nothing hacky about your solution, and "perfectionism" doesn't
really enter into it. It's just that we don't want to appear to be
giving more security than we actually do.

-Karl
--
www.collab.net <> CollabNet | Distributed Development On Demand
Received on Sun Mar 12 21:51:11 2006
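
The reply relies on directory permissions, not encoding, to protect the cleartext password. The check below is an added example, not part of the original thread or of Subversion's code: it reports cached files under an auth directory that group or other users can actually reach and read. The function name and the output format are assumptions made here.

```python
import os
import stat


def exposed_credentials(root):
    """List files under root that a group member or other user can reach and read.

    A file is only reachable if every directory between root and the file
    grants search (x) permission to that class, so a 0700 root shields
    world-readable files beneath it. Directories above root are not checked.
    Group ownership is treated as one class, which can over-report.
    """
    findings = []

    def visit(directory, group_ok, other_ok):
        mode = stat.S_IMODE(os.lstat(directory).st_mode)
        group_ok = group_ok and bool(mode & stat.S_IXGRP)
        other_ok = other_ok and bool(mode & stat.S_IXOTH)
        if not (group_ok or other_ok):
            return  # nobody but the owner can get past this directory
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            if entry.is_dir(follow_symlinks=False):
                visit(entry.path, group_ok, other_ok)
            elif entry.is_file(follow_symlinks=False):
                fmode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
                who = []
                if group_ok and fmode & stat.S_IRGRP:
                    who.append("group")
                if other_ok and fmode & stat.S_IROTH:
                    who.append("other")
                if who:
                    findings.append((entry.path, "%04o" % fmode, who))

    visit(root, True, True)
    return findings


if __name__ == "__main__":
    # Cache location as named in the thread above.
    cache = os.path.expanduser("~/.subversion/auth")
    if os.path.isdir(cache):
        for path, mode, who in exposed_credentials(cache):
            print("%s mode %s readable by %s" % (path, mode, ", ".join(who)))
```

An empty result means the permissions are doing the job the reply describes; any finding is a file whose contents another local account can read, whether or not they are base64-encoded.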