On Wed, 2005-09-14 at 18:34 +0200, Alexander Kitaev wrote:
> Same goes for JavaSVN - I'm not against encrypting passwords, and as you see
> I already suggested a more or less suitable approach for Subclipse and will
> add it soon (using standard Eclipse keyring), but you have to realize, that
> with other, more global things set up insecurely, this encryption will do
> nothing. And setting up some system-wide security policy will make all that
> local encryption unnecessary (for instance, you may hold your personal data
> with you on a usb memory stick with biometric identification [without any
> sarcasm]). I think Subversion team was led by the same attitude when they
> decided not to encrypt passwords for "http" and "svn" protocols. Same for
> passphrase, in case you're not using ssh-agent it should be defined in
> Subversion configuration file as plain text.
I agree that having a balanced response and approach to security is the
right thing to do. Certainly many people have some surprising holes in
their systems that make Subversion's approach the least of their
worries. However, I still think it would be better for Subversion (and
JavaSVN) not to add to the problem in a way that users cannot change.
> And regarding JavaSVN, as I wrote it is a configurable library - one could
> customize it with any kind of credentials storage policy. There is nothing
> wrong with JavaSVN and no security holes left there intentionally.
>
> The default credentials caching uses the same approach as Subversion command
> line client. What I'm going to do is add one more option to use Eclipse
> keyring. Next step will be to add something that will be completely
> unbreakable, will use ssh-agent and private keys, etc. But that will
> probably take the same time it took to write the whole library. In case
> there are developers who would like to add these options - I only would
> appreciate that.
I like this road-map. I would offer to help on this but I am a bit
overloaded for the next three to six months so it would be silly of me
to do so just now. Sorry.
--
Russel.
====================================================
Dr Russel Winder +44 20 7585 2200
41 Buckmaster Road +44 7770 465 077
London SW11 1EN, UK russel@russel.org.uk
Received on Thu Sep 15 18:09:33 2005