stsp_at_apache.org wrote on Tue, Jul 26, 2011 at 12:11:06 -0000:
> Author: stsp
> Date: Tue Jul 26 12:11:05 2011
> New Revision: 1151069
>
> URL: http://svn.apache.org/viewvc?rev=1151069&view=rev
> Log:
> * subversion/libsvn_subr/gpg_agent.c: Add a comment that explains how this
> auth cache provider operates, including security considerations.
>
> Modified:
> subversion/trunk/subversion/libsvn_subr/gpg_agent.c
>
> Modified: subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?rev=1151069&r1=1151068&r2=1151069&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_subr/gpg_agent.c (original)
> +++ subversion/trunk/subversion/libsvn_subr/gpg_agent.c Tue Jul 26 12:11:05 2011
> @@ -23,6 +23,36 @@
>
> /* ==================================================================== */
>
> +[four paragraphs of documentation comment]
Looks good :)
> + * Therefore, while the gpg-agent is running and has the password cached,
> + * this provider is no more secure than a file storing the password in
> + * plaintext.
Should the gpg-agent provider implement a "plaintext prompt" password
that explains this and asks the user's permission to do so?
Received on 2011-07-26 14:57:06 CEST