Re: [PATCH] don't store plain-text passwords by default

On Mon, Apr 21, 2008 at 01:46:52AM +0200, Martin Furter wrote:
> This "don't store plain-text" patch will just annoy the users and everyone
> will go back to the old behaviour. Additionally those loud security people
> will continue complaining because the problem isn't solved.

One point I forgot:

You are not defining "the problem" which should be solved.

I don't know what problem you are thinking of exactly, but
this is the problem I want to solve with the branch I'm
working on (quoting myself from another mail in this thread):

  The goal is to make sure that as many people as possible are
  instantly made aware of how bad the current situation regarding
  password caching on Linux/*BSD really is the minute they start
  using Subversion, so they can act accordingly.
  
  The patch aims to help to achieve that particular goal, nothing else.

This description about the problem is in isolation from all the
new crypto stuff we're adding or planning to add, which will
change the "current" situation quite a bit. But the plaintext
case will not go away, so we need sane behaviour for it.

Thanks,

-- 
Stefan Sperling <stsp_at_elego.de>                    Software Monkey
 
German law requires the following banner :(
elego Software Solutions GmbH                            HRB 77719
Gustav-Meyer-Allee 25, Gebaeude 12        Tel:  +49 30 23 45 86 96 
13355 Berlin                              Fax:  +49 30 23 45 86 95
http://www.elego.de                               CEO: Olaf Wagner
 
Store password unencrypted (yes/no)? No