
Re: Security flaw: subversion stores passwords by default / Proposal

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Fri, 21 Mar 2008 14:05:50 -0400

Hadmut Danisch <hadmut_at_danisch.de> writes:
> My proposal, all I ask for is this:
>
> - Never ever store a password in clear on disk without explicit user
> consent.
> - Forget about the store* config values.
> - Provide a special command line flag --store-password
> - If that's not given, don't store the password. No default behaviour to
> store passwords, no accidental storage of passwords.
>
> - Print a warning message *before* transmission if a password is to be
> used without wire encryption (i.e. a HTTP connection).
>
> If the user wants a password to be stored:
>
> - Store the server name, the protocol (HTTPS/HTTP) and the
> certificate as well (the certificate is already stored, but link it to the
> password).
>
> - When a password was sent over a HTTPS connection, avoid sending it
> over HTTP. Distinguish protocols.
>
> - A given password must (should) not be used automatically for any
> different SVN repository (could be a booby trap).

Some of these seem like good ideas (although we should still offer a
config option for those who *want* to store passwords always). I don't
have time to evaluate them carefully, unfortunately, even though there
are many questions I would ask.

Can you propose them on the dev@ list, in a compact mail that avoids
using phrases like "bad design" to describe conscious decisions that
were publicly discussed at the time they were made, and that are not
(properly speaking) "design" questions at all?

Remember that the current defaults are the product of a *lot* of
discussion and experimentation, back when Subversion was young. The
decisions were not made lightly. Every idea that decreases convenience
to increase security will be scrutinized carefully; suggestions that
increase security without significantly decreasing convenience have a
much better chance of succeeding.

> I believe that's much more simple and comprehensible than it is now.

Hm? :-) Nothing could be more simple and comprehensible than it is now:
it is already as simple and comprehensible as it can possibly be,
namely, that Subversion remembers your password and you don't have to do
anything special.

The weakness of the current way is not lack of simplicity or
comprehensibility. It's that it stores plaintext on disk (albeit
permission-protected). We've never claimed this is ideal; it was a
conscious trade-off. I think any part of your suggestions that can
purely improve the situation will be welcome. To the extent that you
propose different trade-offs, that may or may not fly, I can't say how
it will turn out.

-Karl
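The exchange above turns on what the credential cache on disk actually holds: Karl describes it as plaintext but permission-protected, and the proposal wants the stored secret tied to a protocol and server. As an added example, written for this archive page and not part of the email or of Subversion's own code, here is a small auditor for the `~/.subversion/auth/svn.simple/` cache. It parses Subversion's `K <len>` / `V <len>` / `END` hash-file format, reports which realms have a plaintext password on disk (`passtype` of `simple`), whether the realm URL is `http` or `https`, and whether the file mode lets group or world read it. The sample realms, usernames and passwords are constructed; the cache-file naming (MD5 of the realm string) and the `passtype` values follow Subversion's conventions as I know them, and the whole thing runs against a temporary directory rather than a real home directory.

```python
import hashlib
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subversion's credential cache files use its hash-file dump format:
# repeated "K <len>\n<key>\nV <len>\n<value>\n" records closed by "END".
def parse_svn_hash(data: bytes) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    pos = 0
    while True:
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if header == b"END":
            return entries
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>', got {header!r}")
        klen = int(header[2:])
        key = data[pos:pos + klen].decode("utf-8")
        pos += klen + 1                      # key bytes plus trailing newline
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if not header.startswith(b"V "):
            raise ValueError(f"expected 'V <len>', got {header!r}")
        vlen = int(header[2:])
        entries[key] = data[pos:pos + vlen].decode("utf-8")
        pos += vlen + 1                      # value bytes plus trailing newline

def build_svn_hash(entries: Dict[str, str]) -> bytes:
    """Inverse of parse_svn_hash; used here only to construct sample files."""
    out = bytearray()
    for key, value in entries.items():
        k, v = key.encode("utf-8"), value.encode("utf-8")
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    out += b"END\n"
    return bytes(out)

@dataclass
class Finding:
    realm: str
    username: Optional[str]
    passtype: Optional[str]
    plaintext_password: bool      # the secret itself is on disk in the clear
    over_tls: bool                # realm URL is https://
    loose_permissions: bool = False  # file readable by group or others

def audit_cache_entry(entries: Dict[str, str]) -> Finding:
    realm = entries.get("svn:realmstring", "")
    m = re.match(r"<([a-z+]+)://", realm)   # e.g. "<https://host:443> Realm"
    scheme = m.group(1) if m else ""
    passtype = entries.get("passtype")
    return Finding(
        realm=realm,
        username=entries.get("username"),
        passtype=passtype,
        # Only passtype "simple" keeps the password in the file; keyring-backed
        # entries (gnome-keyring, kwallet, keychain, wincrypt) store a reference.
        plaintext_password=(passtype == "simple" and "password" in entries),
        over_tls=(scheme == "https"),
    )

def group_or_world_readable(path: str) -> bool:
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_cache_dir(cache_dir: str) -> List[Finding]:
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        with open(path, "rb") as fh:
            finding = audit_cache_entry(parse_svn_hash(fh.read()))
        finding.loose_permissions = group_or_world_readable(path)
        findings.append(finding)
    return findings

# Constructed sample entries; hosts, users and passwords are not real.
SAMPLE_ENTRIES = [
    {"passtype": "simple", "password": "hunter2", "username": "alice",
     "svn:realmstring": "<https://svn.example.com:443> Example Repo"},
    {"passtype": "simple", "password": "hunter2", "username": "bob",
     "svn:realmstring": "<http://svn.example.com:80> Example Repo"},
    {"passtype": "gnome-keyring", "username": "carol",
     "svn:realmstring": "<https://svn.example.org:443> Other Repo"},
]

def demo() -> List[Finding]:
    """Write the samples into a temporary svn.simple-style directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for entries in SAMPLE_ENTRIES:
            # Subversion names each cache file after the MD5 of its realm string.
            name = hashlib.md5(entries["svn:realmstring"].encode()).hexdigest()
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(build_svn_hash(entries))
            os.chmod(path, 0o600)
        return audit_cache_dir(tmp)

if __name__ == "__main__":
    for f in demo():
        flags = []
        if f.plaintext_password:
            flags.append("PLAINTEXT on disk")
        if not f.over_tls:
            flags.append("non-TLS realm")
        if f.loose_permissions:
            flags.append("readable by others")
        print(f"{f.realm} ({f.username}): {', '.join(flags) or 'ok'}")
```

Run as a script, it reports two realms holding a plaintext password, one of them for a plain `http://` realm, and the keyring-backed entry as clean. Pointing `audit_cache_dir` at a real `~/.subversion/auth/svn.simple/` gives the same report for an actual client. The existing opt-out the proposal calls the store* values is `store-passwords = no` in the `[auth]` section of `~/.subversion/config`; the auditor shows what that default leaves behind when it is left at `yes`.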

Received on 2008-03-21 19:06:16 CET

This is an archived mail posted to the Subversion Users mailing list.
