
RE: plaintext passwords - my 0.02c

From: Paul J R <me_at_pjr.cc>
Date: 2006-07-19 04:36:19 CEST

>
>
> Andy Levy wrote:
>
> > IOW, because one feature of the system can't be trusted (protection
> > passwords when using svnserve w/o ssh), the entire system cannot be
> > trusted by Paul's management, even though one can use the system
> > without even touching said feature.
>
> It was one of my first reactions as well: When I've suggested here it's a
> bad policy and should be avoided, some folks have carped "well, if you
> can't trust the local machine, what are you doing running a server? noob."

Unfortunately, that's a bit of an oversimplification of the matter. You've
got to remember that these guys are all about "risk mitigation". Don't get
him wrong, they trust OS/Software/Hardware as much as they have to, but in
the real world exploits come out for software and OSes on a daily basis and
it's just not something you can push to the side and assume your OS or the
software running on it is 100% safe.

It's basically why they exist in the first place, to determine what risk a
particular product introduces to a platform and of course to answer the
question "is it worth it".

>
> > My snarky comeback to that is that I'll bet these same managers use IE
> > with the default ActiveX settings, which is far worse than anything
> > Subversion might expose them to.
>
> Heh. But no need for this snark. The developers seem to actually be fixing
> this, for which I'm very glad. Fortunately for us, the Subversion core
> developers don't just slap patches in willy-nilly: they think about what
> they're adding and what it solves, and whether it's worth it, so it takes
> them a bit longer. And since Subversion now runs on so very many platforms,
> I suspect this will take a bit more testing than a lot of patches.
>

Received on Wed Jul 19 04:37:35 2006

This is an archived mail posted to the Subversion Users mailing list.
