Hadmut Danisch <hadmut_at_danisch.de> writes:
> Just read that:
>
> "Trust your OS to protect data on disk."
>
> That's nonsense. What do they believe why passwords stored by the
> operating system are usually hashed and salted?
>
> What makes them believe that exactly that OS will be in place all the time?
>
> That sort of approach is really silly. If you can't do it in a secure
> way, then don't do it at all (at least not without explicit user
> consent).
>
> The really bad thing about this is that it not just compromises
> subversion, but can compromise the security of the whole LAN.
>
> Absolutely bad design.

There are three choices:

1) plaintext passwords stored on server and client, so that crypttext
   travels over the wire.

2) plaintext travels over the wire (crypttext stored on server,
   client always has to prompt -- if client doesn't prompt, then
   "crypttext" just becomes a virtual plaintext)

3) some form of public key encryption

If you are using (3), then this discussion doesn't concern you; you can
set "store-passwords" to "no" in your config file and sleep easy. Try
the 'svn+ssh://' access method, for example.

If you're not using (3), then there are obvious tradeoffs between (1)
and (2); use whichever way is best for you.

And finally: "Don't complain; patches welcome" :-).

You are complaining about bad design, but not offering any solution. If
we *don't* store the passwords, then people will get prompted all the
time -- we already know people don't like that; in fact, it's a
showstopper for many users. You can see what the tradeoffs are here
(the same as they have been forever). If you have a constructive
suggestion to make, make it.

-Karl
Received on 2008-03-20 06:45:25 CET
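
The tradeoff between choices (1) and (2) in the message above, as an added sketch that is not part of the original thread and is not Subversion's code. It assumes HMAC-SHA256 for the challenge-response and PBKDF2 for the server-side hash; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed parameter for this sketch


# Choice (1): challenge-response. Client and server both keep the plaintext;
# only a keyed digest of a fresh challenge crosses the wire.
def cr_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def cr_verify(server_plaintext: str, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(cr_response(server_plaintext, challenge), response)


# Choice (2): server keeps only salt + slow hash; the client has to send the
# plaintext (inside whatever transport protection exists) on every login.
def enroll(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_plaintext(record: tuple, wire_password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", wire_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Choice (2) without prompting: the client caches the digest and the server
# accepts it as-is. The cached value now logs in by itself, so it is a
# "virtual plaintext" and hashing it bought nothing.
def verify_cached_digest(record: tuple, wire_digest: bytes) -> bool:
    return hmac.compare_digest(record[1], wire_digest)


def secrets_at_rest(password: str) -> dict:
    """What a reader of each side's disk obtains under each choice."""
    record = enroll(password)
    return {
        "1_challenge_response": {"server": password, "client": password},
        "2_prompt_every_time": {"server": record, "client": None},
        "2_cached_digest": {"server": record, "client": record[1]},
    }


if __name__ == "__main__":
    for choice, held in secrets_at_rest("s3cret-constructed").items():
        print(choice, {side: type(v).__name__ for side, v in held.items()})
```
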