On 16/12/2009 22:37, naox wrote:
>> Actually, if plink (or TortoisePlink) is requesting the password, it STR
>> that plink should be responsible for saving it. Otherwise, plink would need
>> some method of passing it back to TortoiseSVN.
>>
> Of course plink is requesting password since TortoiseSVN failed to provide it :)
>
> This whole conversation is text book example how opensource is being developed. I covered all those reply topics in my first post, but nobody cared to read it carefully. Funny thing is I actualy don't use TortoiseSVN. A colegue asked me to make this request :)
>
In your original email you said that TortoiseSVN stores the passwords
for http and
https. And not for SSH.
I believe that passwords in TortoiseSVN are stored in plain text in the
Windows
Registry. If true TortoiseSVN doesn't take password security that
seriously. And
that means I don't want TortoiseSVN to store important passwords.
When you use HTTP/HTTPS you are granting access to the Subversion server but
not to the machine it is installed on. When you use SSH you may also
have a user
account on that machine. Stealing a SVN over SSH password is likely to
be more
profitable than stealing a SVN over HTTP password.
SSH stands for Secure Shell. Plain text storage of the password in the
Windows
Registry cannot be considered secure. If you want to store SSH passwords
on your
machine you want them to be stored in a single, simple, secure, very
well written,
basket. You don't spread the responsibility, and risk, of storing
passwords around
dozens of applications of high complexity.
If storing the SSH password in TortoiseSVN is really that important I'm
sure someone
will compile the password into TortoiseSVN for you.
Jonathan Paton
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2430994
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2009-12-17 01:09:17 CET