
Re: plaintext passwords - my 0.02c

From: Andy Levy <andy.levy_at_gmail.com>
Date: 2006-07-18 16:01:00 CEST

On 7/18/06, Samay <getafix123@hotmail.com> wrote:
> Paul,
> Most are aware that Subversion (mod_dav_svn) allows for single sign-on, which
> is very well suited for a security-minded corporate environment, and no
> passwords are ever transmitted (when used with GSSAPI/Kerberos,
> KrbMethodK5Passwd off) and no passwords are stored either. This should also
> be possible to set up with svn+ssh with ssh (+ GSSAPI), although I have not
> yet had need to test it.
> You will agree the above is better than having to store passwords clear text or
> encrypted or encoded, irrespective.
> So IMO, your conclusions are invalid and your 0.02c worth not correct. If one
> wants a secure setup, they need to set it up secure, from the ground up. Subversion
> doesn't restrict you; in fact it allows you to use the security model best suited to
> your requirements.

I think you've misread Paul's post. What I gathered from it was that
while he's in support of Subversion, his management is not. Paul's
management is of the (incorrect, IMHO) belief that because Subversion
*allows* one to set the system up with plain-text passwords stored
(using "naked" svnserve), there must be other security problems
elsewhere in the code.

IOW, because one feature of the system can't be trusted (protection of
passwords when using svnserve w/o ssh), the entire system cannot be
trusted by Paul's management, even though one can use the system
without even touching said feature.

My snarky comeback to that is that I'll bet these same managers use IE
with the default ActiveX settings, which is far worse than anything
Subversion might expose them to.

Received on Tue Jul 18 16:03:05 2006

This is an archived mail posted to the Subversion Users mailing list.
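The Kerberos single sign-on setup the quoted message refers to, as an added example that is not part of the original thread or of the Subversion project's own documentation: an httpd configuration fragment putting mod_dav_svn behind mod_auth_kerb with the password fallback disabled. The repository parent path, the realm name and the keytab location are assumptions; the directive names are mod_auth_kerb's.

```apache
# Added example, not from the original post. Assumed values: /var/svn as the
# repository parent directory, EXAMPLE.COM as the realm, and a keytab at
# /etc/httpd/svn.keytab holding the HTTP/<hostname>@EXAMPLE.COM key.
# Apache does not allow trailing comments after a directive, so every
# comment here sits on its own line.

LoadModule dav_module        modules/mod_dav.so
LoadModule dav_svn_module    modules/mod_dav_svn.so
LoadModule auth_kerb_module  modules/mod_auth_kerb.so

<Location /svn>
    DAV svn
    # Assumed: every directory under /var/svn is a repository.
    SVNParentPath /var/svn

    AuthType Kerberos
    AuthName "Subversion (Kerberos)"
    # Assumed realm and keytab.
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/svn.keytab

    # SPNEGO/Negotiate only: the client presents a service ticket obtained
    # from the KDC, so the server never sees or stores a password.
    KrbMethodNegotiate On

    # The setting named in the quoted message. With it On, mod_auth_kerb
    # also accepts HTTP Basic credentials and verifies them against the
    # KDC, which puts the user's Kerberos password on the wire. Off
    # removes that fallback entirely.
    KrbMethodK5Passwd Off

    # mod_auth_kerb authenticates; it does not encrypt the HTTP session.
    # Keep this Location inside an https virtual host so repository
    # contents are not readable in transit.
    SSLRequireSSL

    Require valid-user
</Location>
```

The contrast with the configuration Paul's management objected to is that a "naked" svnserve reads its credentials from the repository's conf/passwd file, where each user's password is written in clear text, and authenticates with CRAM-MD5 over an unencrypted socket. With the fragment above, there is no such file at all: authorization can still be layered on with mod_authz_svn, but authentication is delegated to the KDC, and a client without a ticket simply gets a 401.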
