On Sat, Oct 16, 2010 at 4:43 AM, Erik Huelsmann <ehuels_at_gmail.com> wrote:
> Hi Nico,
>
>> I'd love to see this deployed, and love to see the protocol updated
>> enough to block the use of the older, less secure clients. But 1.7 has
>> already blown well past its release date of "this summer." If it's not
>> in feature freeze, I'll be pleasantly surprised to see such a feature.
>>
>> And let's be clear: I started ranting about this back in..... 2006?
>> 2005? The changes have been positive, but hardly complete.
>
> I'm afraid "ranting about it" does not really help: it puts
> Subversion in a bad light, but doesn't really solve anything. So,
> instead of just stating what's wrong all the time, it would be nice if
> you started actually contributing toward the goals you think need to
> be achieved.
I do. Both by explaining the real risks, and pointing out the tools
that do work. (svn+ssh, and keeping your passwords for Subversion
separate from your system passwords.)
> By the way: there are users (lots) who are actually not at all that
> uncomfortable with the current situation: I'm my own sysadmin with no
> network disks around. There's nothing to be hidden on this system.
> There are many others with situations alike, so plainly removing the
> current support is *no* option for me, unless you offer me a
> password-less alternative which also doesn't introduce additional
> setup requirements.
And I'd like a pony. More seriously, "doesn't introduce additional
setup requirements" is an amazingly high bar for real world security.
The small vulnerabilities stack up to a far too common, vulnerable
setup that exists world wide.
More seriously,
Received on 2010-10-16 15:54:01 CEST