Mark Phippard wrote:
>>> We need to be very clear that we're _not doing access control_ here,
>>> so those looking for guaranteed protection from malicious users
>>> shouldn't rely on this facility for it. What we're doing is providing
>>> a nicety that'll keep 99% of the user base from shooting themselves in
>>> the foot, regardless of the fact that we're providing no real
>>> security.
>> Good point. But I wasn't even really thinking about this in a security context,
>> just a capability context. Do we want to conflate the two?
>>
>> Also, should we open a ticket with a 1.5 milestone for this?
>
> If we advertise a way to block clients based on version, and people
> can get around it, some people will accept this and others will see it
> as a problem. I think Dan is just saying if we add something like
> this we probably need to be careful in how we describe it to make it
> clear.
OK. But one way to get people to see it as a problem is to put the word
security in there. It's not really a security issue any way, as least in my
mind, it's more of a data completeness issue, after all, we're not stopping
people from using 1.4 clients against a 1.5 server.
Blair
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Oct 23 23:20:01 2007