[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Re: [PATCH] Obfuscate auth info

From: Scott Miller <Scott.Miller_at_prioritytech.com>
Date: 2006-10-19 16:51:18 CEST

I've been reading this thread with mostly disengaged interest. I really
don't care one way or the other whether the patch gets applied. Why am I
reading it? I was involved with a similar "discussion" involving another
product about a year and a half ago.

It seems to me that this type of issue gets polarized to the point where
good, productive discussions become difficult. You've got one side
saying that "yes, we admit this isn't secure, but it really doesn't hurt
anything, and it makes some people happy." And the other side saying
"People are stupid, obnoxious and daft <apologies to MP>, and once you
give them this non-secure option, they won't pursue real security."

To me, the answer is "Yes, both points are exactly correct." But, the
fact is, it is up to the individuals to make those types of choices. If
an individual or corporation decides that it is willing to take the risk
of using non-secure, but obfuscated password storage, who are we to tell
them that is an unacceptable decision? Engineering is all about
compromises between getting something done and safety/security. Version
Control Systems are simply a tool. Each user/corporation that uses this
tool should be given the choice of what risks they are willing to
accept. Those that choose better (it will never be perfect) security,
will be willing to go through a lot of pain to ensure the security is
very good. Those that make the decision that this particular risk is
low enough that they don't want to go through that pain, should not be
forced to do so.

Give people options, do your best to educate them; then allow them to
make the choices they want to make. If they make stupid decisions, it is
their fault, not yours.

-Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Oct 19 16:51:44 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.