
Re: subversion reveals passwords

From: Erik Huelsmann <ehuels_at_gmail.com>
Date: Sun, 6 Apr 2008 21:39:04 +0200

> The security model chosen for subversion is based on the (wrong)
> assumptions that the passwords are used for the subversion repository
> only and that the attacker is only a wiretapping attacker, without
> access to the machine. Although I agree that this threat model applies
> to common open source applications with a central server and many
> independent developers around the world with lower security
> requirements, it does not hold for company networks where the
> subversion repository is covered by an HTTPS webserver authenticating
> against a company LDAP server.

But if you do that anyway, why not use a Subversion client which uses
SSPI authentication and doesn't need to store the password anyway?



Received on 2008-04-06 21:39:17 CEST

This is an archived mail posted to the Subversion Dev mailing list.
