
Re: [PATCH]: Add --password-file and --password-envvar

From: Martin Furter <mfurter_at_bluewin.ch>
Date: Tue, 08 Jul 2014 08:08:41 +0530

Again reply to the list too :)

GUIs which change buttons etc. depending on whatever they like are bad...

On 07/08/14 08:02, Martin Furter wrote:
> On 07/08/14 03:33, Ben Reser wrote:
>> On 7/6/14 5:16 AM, Martin Furter wrote:
>>> Attached is a log message and a patch which adds the new options
>>> '--password-file' and '--password-envvar'. It also adds Julian's warning to
>>> the '--password' help text.
>>
>> I veto (-1) --password-envvar (and Peter's follow-up suggestion of a hard-coded
>> environment variable). As several other people have shown, the environment of a
>> running program is often just as available as the command line arguments. The
>> whole point of this exercise is to improve the security of the manner in which
>> we allow passwords to be provided in order to guide users to make good choices.
>> We're not achieving anything if we only provide them with new insecure choices.
>
> On Linux I see only the environment of my own processes. On OpenBSD I
> see only HOME and PATH for other users. So envvar seems to not be less
> secure than a password file.
>
> If you really want to improve security the only option is using stdin.
>
> I had a patch for that ready. But then people started wishing other
> things so I just implemented without thinking too much :)
>
> - Martin

Received on 2014-07-08 04:39:22 CEST

This is an archived mail posted to the Subversion Dev mailing list.
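
The three channels compared in this thread (command-line argument, environment variable, stdin), as an added example that is not part of the original mail or of the Subversion patch: a parent hands a constructed secret to a child process over one channel, and the child reports where it arrived. `DEMO_PASSWORD`, `SECRET` and `run_child` are hypothetical names chosen for the illustration.

```python
import json
import os
import subprocess
import sys

# Child program: dump everything it was handed on each channel as JSON.
CHILD = (
    "import json, os, sys\n"
    "print(json.dumps({'argv': sys.argv[1:], 'environ': dict(os.environ),"
    " 'stdin': sys.stdin.readline().rstrip('\\n')}))\n"
)

ENV_NAME = "DEMO_PASSWORD"   # hypothetical variable name, not a Subversion setting
SECRET = "constructed-s3cret-for-demo"   # constructed sample value


def run_child(secret, channel):
    """Pass `secret` to a child over one channel; return where the child saw it."""
    args = [sys.executable, "-c", CHILD]
    env = {k: v for k, v in os.environ.items() if k != ENV_NAME}
    stdin_data = "\n"            # empty line unless stdin is the chosen channel
    if channel == "argv":
        args.append(secret)      # becomes part of the process command line
    elif channel == "envvar":
        env[ENV_NAME] = secret   # becomes part of the process environment block
    elif channel == "stdin":
        stdin_data = secret + "\n"   # travels through a pipe only
    else:
        raise ValueError("unknown channel: %r" % channel)
    out = subprocess.run(args, env=env, input=stdin_data, text=True,
                         capture_output=True, check=True).stdout
    seen = json.loads(out)
    return {
        "argv": secret in seen["argv"],
        "environ": secret in seen["environ"].values(),
        "stdin": seen["stdin"] == secret,
    }


if __name__ == "__main__":
    for channel in ("argv", "envvar", "stdin"):
        print(channel, run_child(SECRET, channel))
```

The `argv` and `environ` entries are the per-process metadata whose visibility to other users the thread argues about; with the `stdin` channel the secret appears in neither.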
