[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: subversion reveals passwords

From: Erik Huelsmann <ehuels_at_gmail.com>
Date: Sun, 6 Apr 2008 22:38:39 +0200

On Sun, Apr 6, 2008 at 10:24 PM, Hadmut Danisch <hadmut_at_danisch.de> wrote:
> Erik Huelsmann wrote:
> >
> > But if you do that anyway, why not use a Subversion client which uses
> > SSPI authentication and doesn't need to store the password anyway?
> >
> >
> As far as I know this is a Microsoft-specific protocol.
> I am talking about Linux clients.
> BTW: That sort of 'if there's a workaround it ain't broken' is not
> recommendable in the security area.

Well, there's a big chance of me being perceivede as rude after my
next statement, but this has been discussed *many* times before.

The choice to store passwords in plain text has been a very conscious
decision; it has also been replaced by more appropriate storage
mechanisms on platforms which support that (Keychain on OSX,
Crypto-API on Windows). Unfortunately, Linux doesn't feature a
*standardized* crypto-agent. We don't need people lecturing us what's
secure and what's not: we need people implementing secure storage
mechanisms or patches to Subversion to support these mechanisms.


To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-04-06 22:38:55 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.