
Re: [PATCH] don't store plain-text passwords by default

From: Branko Čibej <brane_at_xbc.nu>
Date: Fri, 18 Apr 2008 21:43:25 +0200

Justin Erenkrantz wrote:
> On Fri, Apr 18, 2008 at 9:29 AM, Mark Reibert <svn_at_reibert.com> wrote:
>
>> From an outsider's perspective, changing the default to not store the
>> passwords seems like a bit of a six in one, half dozen in the other
>> proposition. While I appreciate Karl's position that users may think
>> about what they are doing more, I think Greg's comment that it "won't
>> change any realities" is likely very true.
>>
>> As soon as this patch gets implemented I will tell svn to store my
>> passwords. I suspect I am not in the minority in this.
>>
>
> Yup - this is why, IMO, we should be advocating *truly* secure
> mechanisms and not faux security.

Doesn't that sort of imply not storing plaintext passwords at all?
Personally that wouldn't worry me one bit; most of our users probably
don't use one of the "afflicted" systems, after all.

> If we make too big a deal out of
> this - given that Mac OS X and Windows users aren't affected,

Ehm, AFAIK we're still royally borked on all systems when it comes to
storing certs and/or cert passwords?

> it'll
> just confuse folks even more. If, say, Ubuntu comes with
> gnome-keyring (dunno - prolly), then I'm willing to bet the clear
> majority of users are already using acceptable security mechanisms.
> -- justin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
> For additional commands, e-mail: dev-help_at_subversion.tigris.org
>
>

Received on 2008-04-18 21:44:00 CEST

This is an archived mail posted to the Subversion Dev mailing list.
