[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: request : disable storeing of passwords as default

From: Jens Seidel <jensseidel_at_users.sourceforge.net>
Date: Thu, 5 Jun 2008 18:01:11 +0200

On Thu, Jun 05, 2008 at 05:35:20PM +0200, Marc Schoechlin wrote:
> >From my point of view storing of passwords per default is not a good idea because:
> * unix systems are often shared environments
> (subversion cleartext passwords can be abused on other services
> with the same passwords)
> * new subversion users do not expect that their password is stored
> in readable format in the filesystem

This is also true for experienced users such as me! I always used
svn+ssh connections (isn't this the best protocol?) but got recently
access to Subversions repository which uses http protocol. I committed
a minor change today and svn didn't asked me for my password. This really
confused me and I immediately deleted ~/.subversion/auth/svn.simple/*
where I found my password in cleartext!

> * system administrators cannot be sure that their users donīt forget
> * to disable password storing by executing:
> ---
> svn info && echo 'store-passwords = no' >> ~/.subversion/config

Thanks for this hint. Still wonder about the "svn info" ...

> ---
> => this is especially important if you use subversion on shared
> accounts like "root" (for system administration purposes)
> * itīs a good idea to make "more secure" settings to be default
> Therefore i think it is a good idea to disable password storing as
> default or to prompt the user for storing passwords.
> What do you think about this ?

I agree!


To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-06-05 18:04:30 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.