[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] obscure password

From: HIROSHIMA Naoki <nh-svn_at_iron-horse.org>
Date: 2006-03-12 23:32:20 CET

Marcus Rueckert wrote:
> and base64 encode the password doesnt give you anything. most admins
> know how to decode base64. so in the end i agree with karl. there is no
> extra security gained.

Well, I never claim the patch improve security by any means. As I have
written in the first post, "I agree that while this way actually doesn't
improve current security, it might give people wrong impression".

My point is, obscure password is still better than plaintext one not
because it's more secure but because it's just nicer.

As a root of some servers, I am scared to be able to open user's file by
mistake or something. What if your grep command happens to match
someone's password in svn.simple/whatever? Of course, you as a reliable
root don't mean to do it but you don't want to happen to see someone's
password by even mistake, do you.

If it's encoded by even base64, you don't need to accidentally browse
someone's password.

Anyway, I am not saying this patch will make Subversion more secure. It
just makes svn command behave somewhat nicer IMHO. And I agree that the
"nicer" behavior might give a false sense of security to some people.

Thanks,
-- Hiroshima

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Mar 12 23:32:43 2006

This is an archived mail posted to the Subversion Dev mailing list.