At 10:59 AM 5/24/2005 -0700, Heikki Toivonen wrote:
> Ramaswamy S wrote:
>> On 5/24/05, Mike Taylor <[EMAIL PROTECTED]> wrote:
>>> No - it's cached by the client in a per-project file that is read-only
>>> by the user - very similar to what .cvspass is/does
>>>
>> That's what I also said :-) . svn cmds that require auth have a
>> --no-auth-cache option - but that would mean typing credentials every
>> time.
>
> So it seems like the svn server stores passwords in a clear text file
> unless you are using svn+ssh or https with client certs. NOT nice.

That's not what Mike or Ramaswamy said; they said that svn *clients* store
passwords in a clear text file. Nobody said anything about how the server
stores them.

> Finally, information about clients that cache client passwords but don't
> store the passwords in the clear would be nice to have.

Unless you share a machine with somebody else and the machine has no
effective security, plain-text password caching is not a real issue unless
you expect the machine to be physically stolen and broken into. However,
if you were using a certificate, the exact same failure point exists, so
there's no real security improvement to be had here. Plain SVN over SSL
should more than suffice, as long as you exercise reasonable precautions
with respect to your password. However, because your client can cache the
password, you can use a longer and harder-to-remember password than you
otherwise might.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Open Source Applications Foundation "Dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/dev
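
A check for the client-side caching discussed in this thread, as an added example that is not part of the original messages: it parses Subversion client credential cache entries and reports those that hold a plain-text password or are readable beyond the owner, without ever printing the password. Assumptions: the cache lives under `~/.subversion/auth/svn.simple` in the client's `K`/`V` serialized-hash format; the function names and the sample entry are constructed for illustration.

```python
import stat
from pathlib import Path

# Assumption: a missing "passtype" (older clients) or "simple" means the
# "password" value is stored unencrypted; other types use an OS keystore.
PLAINTEXT_TYPES = {None, "simple"}

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' into a dict."""
    entry, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)            # ValueError if truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        start, size = eol + 1, int(header[1])
        if data[start + size:start + size + 1] != b"\n":
            raise ValueError(f"bad length at byte {pos}")
        pos = start + size + 1
        return data[start:start + size]

    while not data.startswith(b"END", pos):
        key = read_item(b"K").decode()
        entry[key] = read_item(b"V").decode(errors="replace")
    return entry

def audit_entry(data: bytes, mode: int) -> list:
    """Return findings for one cache file; the password is never returned."""
    entry, findings = parse_svn_hash(data), []
    if "password" in entry and entry.get("passtype") in PLAINTEXT_TYPES:
        findings.append("plaintext password cached for %s at %s"
                        % (entry.get("username"), entry.get("svn:realmstring")))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("readable beyond owner (mode %o)" % stat.S_IMODE(mode))
    return findings

def make_entry(fields: dict) -> bytes:  # serializer for constructed sample data
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in fields.items()) + b"END\n"

SAMPLE = make_entry({b"passtype": b"simple", b"password": b"not-a-real-pw",
                     b"svn:realmstring": b"<https://svn.example.org:443> Demo",
                     b"username": b"alice"})  # constructed, not a real credential

if __name__ == "__main__":
    cache = Path.home() / ".subversion/auth/svn.simple"   # assumed location
    for f in sorted(p for p in cache.glob("*") if p.is_file()):
        for finding in audit_entry(f.read_bytes(), f.stat().st_mode):
            print(f"{f}: {finding}")
```

Entries flagged as plain text can be deleted from the cache and the affected commands run with the `--no-auth-cache` option mentioned above, at the cost of typing credentials each time.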