[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Passwords, Security, and Performance

From: Branko ─îibej <brane_at_xbc.nu>
Date: Sun, 02 Nov 2008 20:26:15 +0100

Mark Mielke wrote:
> The Windows security model for Subversion satisfies me from a security
> perspective. If a patch to support "in memory" key rings for GNOME
> keyring were to be proposed for Subversion 1.6 and it was small, would
> anybody here have objections to the patch on principle?

Not in principle, but I'm confused. Why would you like to use in-memory
password store on Linux, but are satisfied with the way we store
encrypted passwords to disk on Windows?

[...]
> This sort of problem is often solved from the webpage using "cookies".
> Instead of sending the user + password with each request, a cookie is
> sent back to the client, and the client will send the cookie with
> future requests. The cookie is a standard fixed life time data
> structure that allows server side state to be maintained providing the
> appearance of a "session" to the user. If they logged in 10 minutes
> ago from the same environment, why should they need to login again?

Your definition of "security" must be somewhat different from mine if
you propose to replace per-request authentication with cookies, which
are notoriously susceptible to replay attacks.

[...]
> what level of technology does the US government believe the user
> should be allowed to see?).

You'll have to explain a bit more why you think this community should
cater to corporate interests that find it beneficial to indulge in
big-brother policies according to whatever is the whim-of-the-day of
some government that has no jurisdiction in most places where Subversion
is used. If someone wants such a feature, they can damn well pay premium
consulting fees for a customized Subversion server and keep this
version-control project blissfully ignorant of local politics that do
not concern the rest of us.

-- Brane

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-11-02 20:26:31 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.