RE: svnserve passwd plaintext

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: 2006-07-15 17:19:13 CEST

On Sat, 2006-07-15 at 09:39, jason@subversus.org wrote:
> Well, being that an administrator can generally reset a password (at which
> time they then know exactly what the password is), I really don't see the
> difference. Sorry, your logic is lacking.

There are two real issues with plaintext passwords even if you
trust the adminstrator. One is that vulnerabilities happen and
files end up in the wrong hands in spite of the best intentions.
The other is that it is human nature to reuse passwords. Even
if you trust the admin with access to the subversion files you
may not trust him to have access to other unrelated accounts
where you might have used that same password.

But, doesn't apache run everywhere that svnserver would? What
situation would prevent you from using https and mod_dav_svn?
You should be able to run another instance on a different port
if you are already using 443 for a different service or someone
else manages the running apache instance.

-- 
  Les Mikesell
    lesmikesell@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Sat Jul 15 17:16:48 2006

This message: [ Message body ]
Next message: Ryan Schmidt: "Re: tracking of a third party svn repository"
Previous message: jason_at_subversus.org: "RE: svnserve passwd plaintext"
In reply to: jason_at_subversus.org: "RE: svnserve passwd plaintext"
Next in thread: Duncan Murdoch: "Re: svnserve passwd plaintext"
Reply: Duncan Murdoch: "Re: svnserve passwd plaintext"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]