On Sat, 20 Jul 2019, 11:51 Stefan Sperling, <s...@elego.de> wrote:

>
> But as a user I find it infuriating when software I use contains
> artificial restrictions like this.



We recently disabled plaintext password storage (by default) in the build
configuration, making it effectively unavailable to users who don't build
from source. The rationale for that decision was the same as for not
permanently trusting certs with unknown failures.


> We should assume our users know
> what they are doing. Subversion
> is not a web browser.


I will refrain from spelling out the snide remark that immediately comes to
mind. :)

What we *should* do is use any platform APIs available for cert validation,
as I already mentioned on the other thread in my response to Evgeny's
commit. One might wish that OpenSSL through Serf took care of that, but
unfortunately it does not, so it's up to us. Given the growing popularity
of Let's Encrypt's server certs with 3 months validity, the potential for
user infuriation may be growing quite quickly.

-- Brane
