Author: stsp
Date: Sat Apr 13 12:31:17 2013
New Revision: 1467608
URL: http://svn.apache.org/r1467608
Log:
* site/publish/docs/release-notes/1.8.html: Expand gpg-agent password store
documentation, including a description of security implications.
Modified:
subversion/site/publish/docs/release-notes/1.8.html
Modified: subversion/site/publish/docs/release-notes/1.8.html
URL:
http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/1.8.html?rev=1467608&r1=1467607&r2=1467608&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/1.8.html (original)
+++ subversion/site/publish/docs/release-notes/1.8.html Sat Apr 13 12:31:17 2013
@@ -955,25 +955,52 @@ administrator who wants to use the featu
</h3>
<p>Subversion 1.8 allows the use of the GnuPG Agent (gpg-agent) daemon
-to temporarily store passwords/passphrases used in Subversion server
-credentials.</p>
+to temporarily store Subversion passwords in memory.</p>
-<p>To take advantage of this, you'll need Subversion binaries built
-with gpg-agent support (which is the default on UNIX-like systems),
-the agent itself, and a suitable pinentry program.
-The agent must be running, and the Subversion client will
+<div class="notice">
+<p>This feature does <em>not</em> use PGP to encrypt passwords on disk!
+Rather, it caches passwords in memory (in plaintext) instead of saving
+them to disk.</p>
+</div>
+
+<p>To take advantage of this password cache, you'll need Subversion binaries
+built with gpg-agent support (which is the default on UNIX-like systems),
+the gpg-agent itself, and a suitable pinentry program which the gpg-agent
+will use to ask the user for the password.
+The gpg-agent must be running, and the Subversion client will
need the <tt>GPG_AGENT_INFO</tt> and <tt>GPG_TTY</tt> environment
-variables set correctly in order to make use of this storage
-mechanism. See <a
href="http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html">this
page</a> for more information about
+variables set up correctly.
+See <a
href="http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html">this
page</a> for more information about
running the gpg-agent.</p>
-<p>Note that GnuPG Agent does not persist information on disk —
-your cached passwords will persist in memory until the agent process
-is terminated or its configured time-to-live threshold is reached.
-Note also the (in)security details of this password cache, currently
-recorded as a code comment <a
-href="http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?r1=1151053&r2=1151069"
->here</a>.</p>
+<p>Cached passwords will persist in memory until the agent process
+is terminated, its configured time-to-live threshold is reached, or a
+HUP signal is sent to the daemon using the UNIX <tt>kill(1)</tt> utility.</p>
+
+<div class="h4" id="gpg-agent-security">
+<h3>SECURITY CONSIDERATIONS
+ <a class="sectionlink" href="#gpg-agent-security"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>Communication to the gpg-agent happens over a UNIX socket, which is
+located in a directory which only the user running Subversion can access.
+However, any program the user runs could access this socket and get
+the Subversion password if the program knows the "cache ID" Subversion
+uses for the password.</p>
+
+<p>The cache ID is very easy to obtain for programs running as the same user.
+Subversion uses the MD5 of the realmstring as cache ID, and these checksums
+are also used as filenames within <tt>~/.subversion/auth/svn.simple</tt>.
+Unlike with GNOME Keyring or KDE Wallet, the user is not prompted for
+permission if another program attempts to access the password.</p>
+
+<p>Therefore, while the gpg-agent is running and has the password cached,
+the password cache is no more secure than a file storing the password in
+plaintext.</p>
+
+</div> <!-- gpg-agent-security -->
+
</div> <!-- gpg-agent -->
<div class="h3" id="fsfs-enhancements">
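Review bot: the new wrapper `<div class="h4" id="gpg-agent-security">` contains an `<h3>` heading, which mismatches its own class and puts the security subsection at the same heading level as the enclosing gpg-agent section (the trailing context shows sibling sections pairing `<div class="h3">` with `<h3>`); use `<h4>SECURITY CONSIDERATIONS` there so the nesting matches the class. Two smaller documentation points in the same hunk: "realmstring" in the cache-ID paragraph is used without being introduced, so consider wording it as "the MD5 checksum of the authentication realm string", and since the paragraph already states the checksum doubles as the filename under `~/.subversion/auth/svn.simple`, it would help the reader to spell out the consequence directly, that any process running as the user can derive the cache ID from that directory listing and query the agent without a prompt.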