[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Password stored in clear text!

From: Garrett Rooney <rooneg_at_electricjellyfish.net>
Date: 2006-08-22 03:31:01 CEST

On 8/21/06, Nico Kadel-Garcia <nkadel@comcast.net> wrote:

> Well, yes. But you have to say that.

Umm, no, I don't /have/ to say anything.

> Your statement that "It's stored with
> permissions such that you're the only user who can read it" is blatantly
> incorrect.

No, it's not. It may be incorrect for /your/ situation, but it is not
incorrect for the vast majority of users.

> Moreover, since more users are using LDAP or even NIS based
> single-sign-on systems to manage their user accounts for Subversion, it's
> leaving a gaping security hole that is a serious risk to using Subversion by
> any means other than local file access, or ssh+svnserve. Plain-text
> passwords are an old and serious security problem: they shouldn't be
> ignored..

You're welcome to come up with another solution that more adequately
addresses your own needs. At this point, we have several options that
don't require local caching of passwords, the ones you mentioned are
some, others are using a win32 client (which will encrypt the data
using your windows credentials) or in 1.4.x a Mac OS X client (the
passwords will be stored in Keychain, similar to the state of things
on windows). When options other than the unencrypted file present
themselves we've taken advantage of them, if those options are not
available to you then you can use svn+ssh:// or you can type in the
damn password when it's needed, but don't act as if we're putting our
heads in the sand and ignoring the problem, because there are numerous
solutions to it around if you care enough to look for them.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Aug 22 03:32:16 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.