
Re: [PATCH] Obfuscate auth info

From: Alex Holst <a_at_mongers.org>
Date: 2006-10-18 23:57:40 CEST

Quoting Max Bowsher (maxb1@ukf.net):
> Alex Holst wrote:
> > I beg of you: Please don't introduce this obfuscation to auth data in
> > Subversion.
>
> Question: If you feel so strongly about it, are you also campaigning for
> the trivial obfuscation to be removed from CVS?

No. First, my customers don't use CVS, so I don't really care. Secondly,
I suspect it would be much harder to remove features introduced many
years ago in a dated scm tool than it would be to prevent the
introduction of questionable obfuscation features in a newer, modern scm
tool.

I also think a mistake made years ago shouldn't be made again.

I claim that, regardless of what warning might appear in the password
file, obfuscated auth data will result in many users/admins/managers
thinking it takes a lot of effort to recover their password. Anyone who
has ever dealt with users or managers knows I'm not kidding.

Which is greater? The cost of educating users who post to the mailing
list about clear text passwords or the very likely possibility that
a user will shoot themselves in the foot because they didn't feel a need
to investigate ssh keys, certs or kerberos auth?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                http://a.mongers.org 
Received on Wed Oct 18 23:58:00 2006

This is an archived mail posted to the Subversion Dev mailing list.