On Sun, Apr 6, 2008 at 10:24 PM, Hadmut Danisch <hadmut_at_danisch.de> wrote:
> Erik Huelsmann wrote:
> >
> > But if you do that anyway, why not use a Subversion client which uses
> > SSPI authentication and doesn't need to store the password anyway?
> >
> >
>
> As far as I know this is a Microsoft-specific protocol.
>
> I am talking about Linux clients.
>
>
>
> BTW: That sort of 'if there's a workaround it ain't broken' is not
> recommendable in the security area.

Well, there's a big chance of me being perceived as rude after my
next statement, but this has been discussed *many* times before.
The choice to store passwords in plain text has been a very conscious
decision; it has also been replaced by more appropriate storage
mechanisms on platforms which support that (Keychain on OSX,
Crypto-API on Windows). Unfortunately, Linux doesn't feature a
*standardized* crypto-agent. We don't need people lecturing us what's
secure and what's not: we need people implementing secure storage
mechanisms or patches to Subversion to support these mechanisms.
Erik.
Received on 2008-04-06 22:38:55 CEST