[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Passwords, Security, and Performance

From: Mark Mielke <mark_at_mark.mielke.cc>
Date: Sun, 02 Nov 2008 15:26:20 -0500

Mark Eichin wrote:
> Not to minimize your analysis, but wouldn't any place that takes
> passwords seriously use svn+ssh instead, such that the server never
> sees them (ie. *real* single signon, with Kerberos for example...) and
> to properly delegate security concerns to the people who truly obsess
> over them?

It's a valid point.

svn+ssh requires server-side accounts to be set up (the last time I
checked?) and is not expected to perform as well. It does not seem as
flexible in terms of controlling read and write accesses to resources as

Kerberos is an option I am looking into it - but we do not use Kerberos
today so it might be a much larger change. Even with Kerberos, I expect
the same sort of problems to occur related to performance of repeated
authorization/authentication on every webdav query.

There seems to be a lot of very different options with lots of pros +
cons for each and no clear winner. I can appreciate that one size might
not fit all, but it does seem that there is room for improvement in the
default model that would allow it to be used by more teams without


Mark Mielke <mark_at_mielke.cc>
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-11-02 21:26:34 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.