Philip Martin wrote on Fri, Feb 03, 2012 at 17:43:53 +0000: > Philip Martin <philip.mar...@wandisco.com> writes: > > > The KDE behaviour is a potential information leak. A random app can use > > the Subversion libraries to query a repo, if it can monitor whether > > such a query causes the KDE prompt to appear then it can determine > > whether or not the password for the repo is in the wallet. Since GNOME > > always prompts no such leak is possible. > > Thinking about this a bit further, it's not really a leak at all.
Agreed. We're left still with the original problem --- that kwallet prompts for unlock even if it doesn't contain the password, but gkeyring prompts for unlock regardless of whether it contains the password? > The information that is leaking is whether or not 'kwallet' is stored > in the .subversion/auth directory for a given repository. But any > application that is capable of triggering the leak would also be > capable of simply reading the .subversion/auth files. > > -- > uberSVN: Apache Subversion Made Easy > http://www.uberSVN.com
