
Re: svnserve passwd plaintext

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-07-15 15:54:48 CEST

----- Original Message -----
From: <jason@subversus.org>
To: <users@subversion.tigris.org>
Sent: Saturday, July 15, 2006 8:15 AM
Subject: RE: svnserve passwd plaintext

> This question has come up countless times (even very recently) on the
> list, and if you had searched, you probably would have found it. The
> counter-question in response is "why does it matter if the passwords are
> stored in plain text?". If you have your OS properly configured with
> respect to permissions on the svnserve passwords file, then there should
> be no concern. If you can't trust your OS to enforce security on a file,
> you probably shouldn't be using it.

Oh, please. It's a serious problem to have user passwords in a plain-text
format under any circumstances. People are putting Subversion on Windows
boxes, public servers. The servers and their configurations need to be
backed up: should the backups contain the user's plain-text passwords? And
how will you guarantee that users do not pick the same passwords for however
you set up svnserve.conf as they use for other logins, that you should not
as an admin know?

Even if you trust the OS, why should you have to trust the administrator with
your plain-text passwords?

Received on Sat Jul 15 15:55:25 2006

This is an archived mail posted to the Subversion Users mailing list.