On Thu, Jun 05, 2008 at 05:35:20PM +0200, Marc Schoechlin wrote:
> From my point of view storing of passwords per default is not a good idea because:
>
> * unix systems are often shared environments
> (subversion cleartext passwords can be abused on other services
> with the same passwords)
> * new subversion users do not expect that their password is stored
> in readable format in the filesystem
This is also true for experienced users such as me! I always used
svn+ssh connections (isn't this the best protocol?) but got recently
access to Subversions repository which uses http protocol. I committed
a minor change today and svn didn't ask me for my password. This really
confused me and I immediately deleted ~/.subversion/auth/svn.simple/*
where I found my password in cleartext!
> * system administrators cannot be sure that their users don't forget
> to disable password storing by executing:
> ---
> svn info && echo 'store-passwords = no' >> ~/.subversion/config
Thanks for this hint. Still wonder about the "svn info" ...
> ---
> => this is especially important if you use subversion on shared
> accounts like "root" (for system administration purposes)
> * it's a good idea to make "more secure" settings to be default
>
> Therefore I think it is a good idea to disable password storing as
> default or to prompt the user for storing passwords.
>
> What do you think about this ?
I agree!
Jens
Received on 2008-06-05 18:04:30 CEST
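
As an added example (not part of the original message or of Subversion's own code): a Python audit of the cache directory discussed above, `~/.subversion/auth/svn.simple/`, that reports entries holding a plaintext password without ever printing it. It assumes the cache files use Subversion's length-prefixed `K`/`V` hash layout terminated by `END`, and that `passtype` `simple` (or a missing `passtype`) marks a plaintext entry; `serialize` exists only to build constructed sample data.

```python
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n' records terminated by END."""
    entry, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)            # ValueError if the header is cut off
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError("unexpected record header")
        size, start = int(header[1]), eol + 1
        item = data[start:start + size]
        if len(item) != size:
            raise ValueError("truncated record")
        pos = start + size + 1                  # skip the newline after the item
        return item

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        entry[key.decode()] = read_item(b"V")
    return entry

def serialize(fields: dict) -> bytes:
    """Build a constructed sample entry in the same layout (test data only)."""
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in fields.items()) + b"END\n"

def audit_auth_cache(auth_dir) -> list:
    """Return one finding per cache file that holds a plaintext password."""
    findings = []
    for path in sorted(Path(auth_dir).expanduser().glob("*")):
        if not path.is_file():
            continue
        try:
            entry = parse_svn_hash(path.read_bytes())
        except ValueError:
            continue                            # not a parsable cache entry
        # Assumption: passtype "simple" (or no passtype key) means plaintext.
        if "password" in entry and entry.get("passtype", b"simple") == b"simple":
            findings.append({                   # the password itself is never reported
                "file": path.name,
                "realm": entry.get("svn:realmstring", b"").decode(errors="replace"),
                "username": entry.get("username", b"").decode(errors="replace"),
                "readable_by_others": bool(path.stat().st_mode & 0o077),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_auth_cache("~/.subversion/auth/svn.simple"):
        print(finding)
```

Each finding names the cache file, realm and username so the owner can delete the file and change the password wherever it was reused.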