Re: subversion reveals passwords

From: Erik Huelsmann <ehuels_at_gmail.com>
Date: Sun, 6 Apr 2008 21:39:04 +0200

> The security model chosen for subversion is based on the (wrong)
> assumptions that the passwords
> are used for the subversion repository only and that the attacker is
> only a wiretapping attacker, without
> access to the machine. Although I agree that this threat model applies
> to common open source applications
> with a central server and many independant developers on the world with
> lower security requirements,
> it does not hold for company networks where the subversion repository is
> covered by a HTTPS webserver
> authenticating against a company LDAP server.

But if you do that anyway, why not use a Subversion client which uses
SSPI authentication and doesn't need to store the password anyway?

Bye,

Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-04-06 21:39:17 CEST

This message: [ Message body ]
Next message: Hadmut Danisch: "Re: subversion reveals passwords"
Previous message: Hadmut Danisch: "Re: subversion reveals passwords"
In reply to: Hadmut Danisch: "Re: subversion reveals passwords"
Next in thread: Hadmut Danisch: "Re: subversion reveals passwords"
Reply: Hadmut Danisch: "Re: subversion reveals passwords"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]