[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] don't store plain-text passwords by default

From: Stefan Sperling <stsp_at_elego.de>
Date: Thu, 17 Apr 2008 17:03:12 +0200

On Thu, Apr 17, 2008 at 02:22:28PM +0200, Stefan Sperling wrote:
> On Wed, Apr 16, 2008 at 04:28:52PM -0400, Karl Fogel wrote:
> > If there is a config option for remembering passwords by default, then
> > there needs to be a command-line option to not remember (use case: user
> > feels that most repository passwords are not sensitive, but this one
> > repository she's checking out today *is* sensitive, or the password
> > she's using for it is shared with something else, or whatever).
>
> Isn't that what --no-auth-cache is for?

Answering to myself:

Well, sort of. --no-auth-cache would also supress storing of
server certificates, though. So a new option would be nice, BUT:

Karl,

while I agree that your use case is likely to occur, I think adding
another command-line option is not the way to solve this. Because this
would mean that something like --dont-remember-plaintext-passwords
would have to be passed to *every* invocation of svn, to make sure
"store-plaintext-passwords = yes" in the config file is overridden
at all times. I don't think people will want to do that.

What might be a better idea (courtesy of Mark Phippard) is allowing
users to also specify "store-plaintext-passwords = yes" on a per-server
basis in ~/.subversion/servers. The same setting in
~/.subversion/config would apply to all servers automatically though.

Do you agree?

And by the way, I've put this patch + a few fixes on a branch now,
so we can add further improvements there without disturbing trunk:
https://svn.collab.net/repos/svn/branches/dont-save-plaintext-passwords-by-default/

-- 
Stefan Sperling <stsp_at_elego.de>                 Software Developer
elego Software Solutions GmbH                            HRB 77719
Gustav-Meyer-Allee 25, Gebaeude 12        Tel:  +49 30 23 45 86 96 
13355 Berlin                              Fax:  +49 30 23 45 86 95
http://www.elego.de                 Geschaeftsfuehrer: Olaf Wagner

  • application/pgp-signature attachment: stored
Received on 2008-04-17 17:03:36 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.