
RE: svnserve passwd plaintext

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: 2006-07-15 17:19:13 CEST

On Sat, 2006-07-15 at 09:39, jason@subversus.org wrote:
> Well, being that an administrator can generally reset a password (at which
> time they then know exactly what the password is), I really don't see the
> difference. Sorry, your logic is lacking.

There are two real issues with plaintext passwords even if you
trust the administrator. One is that vulnerabilities happen and
files end up in the wrong hands in spite of the best intentions.
The other is that it is human nature to reuse passwords. Even
if you trust the admin with access to the subversion files you
may not trust him to have access to other unrelated accounts
where you might have used that same password.

But, doesn't apache run everywhere that svnserver would? What
situation would prevent you from using https and mod_dav_svn?
You should be able to run another instance on a different port
if you are already using 443 for a different service or someone
else manages the running apache instance.

  Les Mikesell
Received on Sat Jul 15 17:16:48 2006
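
Added example, not part of the original message: the svnserve plaintext password file next to a second Apache instance serving the same repository over https with mod_dav_svn on a non-443 port, as the reply suggests. The host name, port 8443, user name and all file paths are assumptions chosen for illustration.

```apache
# --- What the thread is about: svnserve's built-in password store ---
# <repo>/conf/svnserve.conf
#   [general]
#   password-db = passwd
# <repo>/conf/passwd      (constructed sample; the password is stored as typed)
#   [users]
#   alice = correct-horse
# Anyone who can read conf/passwd, or any leaked backup of it, has the
# password itself, including for other accounts where it was reused.

# --- Alternative from the reply: Apache + mod_dav_svn over https ---
# Assumes mod_ssl, mod_dav and mod_dav_svn are already loaded; the LoadModule
# lines differ between distributions and are left out here.

# Separate port, for when 443 is already used by another service or instance.
Listen 8443

<VirtualHost *:8443>
    ServerName svn.example.org

    # The password crosses the network only inside the TLS session.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.org.key

    <Location /repos/project>
        DAV svn
        SVNPath /srv/svn/project

        AuthType Basic
        AuthName "Subversion repository"
        # Created with:  htpasswd -c /etc/apache2/svn.htpasswd alice
        # The file holds a hash per user, not the password.
        AuthUserFile /etc/apache2/svn.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Keep svn.htpasswd outside the document root and readable only by the Apache user; a hash file that leaks can still be attacked offline.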

This is an archived mail posted to the Subversion Users mailing list.
