On Wed, 2010-12-01 at 14:08 +0100, Stefan Sperling wrote:
> However, I still see a potential risk here because the name
> "gpg-agent"
> is very misleading. It violates the principle of least surprise.
> How can we prevent users misunderstanding what "Subversion's gpg-agent
> feature" does from entering their private pgp key passphrase (which
> will
> then be sent to the server)? Can we control the prompt printed by
> gpg-agent? ("Enter your Subversion password, NOT your secret PGP
> passphrase!")
Yes, the agent protocol provides for customized prompts, and the patch
itself refers to the Subversion repository server (or something like
that) in that prompt.
I have no emotional investment in the gpg-agent idea (aside from the
"don't re-invent the wheel argument"), but here's my $0.02:
I think most people who know enough to use gpg agent (it's a bit more
involved to set up, etc. than things like gnome-keyring) probably
understand what it does well enough to not make that mistake.
Also, in most corporate or enterprise environments (where the stakes are
really high) Subversion will be installed and set up by administrators
(who *better* know what they're doing) and used by users who may not
even know that gpg-agent is running in the background. All they get is a
prompt for their subversion password.
I know those lines get a little more blurred in Linux-land than in
Windows-land, but I think the point is still a valid one.
From a purely personal point of view, I'd be happy with ANY disk or
memory password cache for Subversion on Linux that is safe
(security-wise) and doesn't rely on the presence of any GUI libraries or
capabilities. The gpg-agent path was just the easiest one for me to
implement directly.
Thanks,
-Dan
Received on 2010-12-02 00:29:51 CET