On Thu, Aug 06, 2020 at 06:56:55PM -0700, Robby Zinchak wrote:
> 2) Compiling my own subversion with the enable-plaintext-password-storage
> flag -- obviously insecure since there's no way I'll be able to keep up
> with software updates. And I've heard it's quite difficult to compile
> subversion, so that'll waste precious time I could be spending on something
> else that's actually productive for my business.
>
> 3) Finding an ubuntu package overlay by a third party, questionably
> insecure since now I have to trust an unofficial/unvetted third party with
> providing svn builds.
>
> 4) Bite the bullet and just switch to another VCS

5) Convince Ubuntu packagers to enable this feature.

Package maintainers can very easily re-enable this at compile-time.
It's a single extra flag to pass during the 'configure' step.
I did exactly this on OpenBSD last year (commit shown below).

The real problem is that whatever Subversion's upstream default is,
one group of people is going to be unhappy. Everybody seems to expect
their own use case to work out of the box, failing to recognize that
contradictory requirements exist.

There really isn't a one-size-fits-all solution to this. We provide all
the options, but packagers need to choose and take the necessary steps
to get the behaviour they want to provide to their users.

A recent example in a related project (TortoiseSVN) where people want
the exact opposite of what you want:
https://groups.google.com/forum/#!topic/tortoisesvn/V3rLLYZgeRA
In this case, the problem is that allowing people to easily sniff passwords
is considered a big no-no in a particular deployment, and means SVN might
get banned there. The behaviour was not changed; it is TortoiseSVN's choice
as the packager of these particular SVN binaries, and this needs to be
respected.

Do you know if Ubuntu made a decision to disallow plaintext passwords?
Perhaps they just missed the news that it has become a compile-time option?

Regards,
Stefan

https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/devel/subversion/Makefile

CVSROOT: /cvs
Module name: ports
Changes by: s...@cvs.openbsd.org 2019/12/19 12:43:14

Modified files:
        devel/subversion: Makefile

Log message:
Re-enable support for storing plaintext passwords in Subversion.

Subversion has disabled saving of plaintext passwords by default and a
compile-time option is now required to enable this feature.

OpenBSD has always disabled this feature at run-time in /etc/subversion
and left users the choice to enable it in their configuration files.

Unfortunately, the alternative password stores, gnome-keyring and KDE wallet,
do not work in non-X11 environments. And the gpg-agent password store is
not persistent. So there is no better solution for unattended SVN password
authentication in non-X11 environments on OpenBSD, or pretty much any
UNIX-like system for that matter.

ok sthen@
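
A defender-side check related to the message above, added here as an example and not part of the original e-mail or of Subversion's own code: it parses the files of a Subversion credential cache and lists the realms whose password is stored with passtype `simple` (plaintext), noting whether each file is private to its owner. The realm, user name and password in `demo()` are constructed sample values, and the function names are hypothetical.

```python
import os
import stat
import tempfile

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's length-prefixed 'K n / V n / END' hash dump."""
    out, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)              # ValueError if truncated
        if not data.startswith(tag + b" ", pos):
            raise ValueError(f"expected {tag!r} header at offset {pos}")
        start, length = eol + 1, int(data[pos + 2:eol])
        if data[start + length:start + length + 1] != b"\n":
            raise ValueError("length prefix does not match payload")
        pos = start + length + 1
        return data[start:start + length]
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key.decode()] = read_item(b"V")
    return out

def audit_auth_cache(auth_dir: str) -> list:
    """List (file, realm, private) for entries whose password is plaintext."""
    findings = []
    for name in sorted(os.listdir(auth_dir)):
        path = os.path.join(auth_dir, name)
        with open(path, "rb") as fh:
            entry = parse_svn_hash(fh.read())
        if entry.get("passtype") == b"simple" and "password" in entry:
            realm = entry.get("svn:realmstring", b"?").decode(errors="replace")
            private = stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
            findings.append((name, realm, private))  # password is never echoed
    return findings

def demo() -> list:
    """Audit a constructed cache; realm, user and password are made up."""
    common = {b"svn:realmstring": b"<https://svn.example.org:443> Repo",
              b"username": b"build"}
    samples = {"aaaa": (0o644, {b"passtype": b"simple", b"password": b"hunter2", **common}),
               "bbbb": (0o600, {b"passtype": b"gpg-agent", **common})}
    with tempfile.TemporaryDirectory() as d:
        for name, (mode, fields) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                for k, v in fields.items():
                    fh.write(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v))
                fh.write(b"END\n")
            os.chmod(path, mode)
        return audit_auth_cache(d)
```

On a real account the cache normally lives in `~/.subversion/auth/svn.simple`; pass that directory to `audit_auth_cache()`.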