Author: hartmannathan
Date: Thu Apr 27 13:27:41 2023
New Revision: 1909457
URL: http://svn.apache.org/viewvc?rev=1909457&view=rev
Log:
In site/staging: Document r1909351 (plaintext cache supported by default)
* site/staging/docs/release-notes/1.15.html:
(#plaintext-passwords-supported): New subsection.
Reviewed by: jcorvel (without HTML markup)
Modified:
subversion/site/staging/docs/release-notes/1.15.html
Modified: subversion/site/staging/docs/release-notes/1.15.html
URL:
http://svn.apache.org/viewvc/subversion/site/staging/docs/release-notes/1.15.html?rev=1909457&r1=1909456&r2=1909457&view=diff
==============================================================================
--- subversion/site/staging/docs/release-notes/1.15.html (original)
+++ subversion/site/staging/docs/release-notes/1.15.html Thu Apr 27 13:27:41
2023
@@ -429,6 +429,67 @@ performance and reduced storage-level I/
title="Link to this section">¶</a>
</h3>
+<div class="h4" id="plaintext-passwords-supported">
+<h4>Plaintext credential cache is supported by default on Unix-like systems
+ <a class="sectionlink" href="#plaintext-passwords-supported"
+ title="Link to this section">¶</a>
+</h4>
+
+<p>Subversion supports several credential caches to prevent re-typing
+usernames and passwords repeatedly. Which credential cache(s) are used depends
+on the operating system, compile-time options, and the user's runtime
+configuration. On Windows and macOS, Subversion uses OS facilities to save
+passwords in encrypted form. Unix-like operating systems do not have a single
+standard facility to do this; on these systems, Subversion supports up to
+four credential caches: GNOME Keyring, KWallet, GPG Agent, and (as a fallback)
+the Plaintext cache.</p>
+
+<p>The rest of this section discusses the Plaintext cache and is applicable
+only to Subversion clients running on Unix-like operating systems.</p>
+
+<p>In Subversion 1.12 through 1.14, write access to the Plaintext cache was
+disabled by default at <em>compile-time</em>. Binaries compiled in the default
+configuration could not store new plaintext credentials, but would continue to
+use any that were already stored. Users and binary packagers could explicitly
+enable write access to the Plaintext cache by compiling Subversion with the
+<tt>--enable-plaintext-password-storage</tt> option to <tt>configure</tt>.
+(See <a href="https://svn.apache.org/r1845377">r1845377</a>.)</p>
+
+<p>Unfortunately, this has caused a variety of problems for users, especially
+when using the svn client in unattended processes such as CI systems, or on
+remote machines through ssh (a GUI password prompt would display on the remote
+machine, inaccessible to the ssh user). Users reported that they had to employ
+workarounds that caused passwords to be stored in plaintext anyway, or refused
+to upgrade their Subversion installations to these releases. Some binary
+packagers built with <tt>--enable-plaintext-password-storage</tt> while others
+didn't, creating inconsistent experiences within the same release lines.</p>
+
+<p>Based on the feedback received, Subversion 1.15 inverts the default. (See
+<a href="https://svn.apache.org/r1909351">r1909351</a>.) Binaries compiled in
+the default configuration can once again store new plaintext credentials
+(after warning and asking the user). Sites that wish to eliminate this
+possibility can do one or both of the following:</p>
+
+<ul>
+<li>Compile Subversion with the <tt>--disable-plaintext-password-storage</tt>
+ option to <tt>configure</tt> or install a binary package that was compiled
+ this way. Be aware that users can circumvent this by compiling or
+ installing their own Subversion binaries and/or by creating a plaintext
+ cache manually.</li>
+<li>Allow encrypted stores like GNOME Keyring and KWallet, but not the
+ Plaintext cache, by setting <tt>store-plaintext-passwords = no</tt> in
+ Subversion's run-time config settings. See the per user files at
+ <tt>~/.subversion/config</tt> and <tt>~/.subversion/servers</tt>, and the
+ systemwide files at <tt>/etc/subversion/config</tt> and
+ <tt>/etc/subversion/servers</tt>.</li>
+</ul>
+
+<p>For more on plaintext credentials, see the <a
+href="https://subversion.apache.org/faq.html#plaintext-passwords"
+>FAQ entry.</a></p>
+
+</div> <!-- plaintext-passwords-supported -->
+
</div> <!-- client-server-improvements -->
</div> <!-- enhancements -->
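Review bot: The second list item (setting store-plaintext-passwords = no) names four files, the per-user and systemwide config and servers, but does not say which file or which section the option belongs in, so an administrator following it cannot tell where to put the line. Name the file and section explicitly, and state whether a per-user file can override the systemwide setting, in the same way the first item already spells out how the compile-time option can be circumvented. The paragraph before the list says new plaintext credentials are stored "(after warning and asking the user)", while the motivation paragraph is about unattended processes such as CI systems and ssh sessions; a sentence on what happens when nobody can answer that prompt would close the gap. Minor: the link text "FAQ entry." keeps the trailing period inside the anchor.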