Jens Vagelpohl wrote:

On 17 Jul 2005, at 13:24, Jim Fulton wrote:

- no need for clunky SSH key management

The key management doesn't have to be so clunky.  It's a shame
the current app is so bad, but not *quite* bad enough to make us
write a better one.

You have to admit that machine accounts for everyone and a munged key that only allows executing the cvs binary is more of a hack than anything else...

It is a hack, in some ways.  It is also extremely elegant in some ways.
We use a proven mechanism, SSH, that gives us good control over what people
can do, using a single mechanism to provide both svn and cvs access.

I suggest trying https and seeing how you like it.  In reading
about it, it seems awful.  It's been a while since I read about it,
but it either involved entering passwords on every action or
storing passwords in clear text.  I find SSH, once set up, to be much
cleaner, easier, and more secure.

I've been using HTTP and HTTPS (not on my own repos yet) on several occasions and never had to e.g. re-enter passwords after the first time.

BTW, because I use SSH agent, I only need to enter my passphrase
once when I start a computer session.  That allows me to access
multiple SSH and CVS repositories and to log into various machines
as necessary.  Pretty slick if you ask me.

> Here's a (possibly relevant) mailing list post I just dug up:

Here's what the SVN Red Book has to say about credentials caching:

So credentials do seem to get stored as cleartext, in the filesystem underneath $HOME/.subversion. Not sure how much of a problem that is, given the fact that normally home directories are well-protected. Unless you're using Windoze I suppose.

Compared to SSH key management, this seems like a huge hack to me.


Jim Fulton           mailto:[EMAIL PROTECTED]       Python Powered!
CTO                  (540) 361-1714  
Zope Corporation
Zope-Coders mailing list
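
An added example, not part of the original thread or of the Zope infrastructure: one way to audit an `authorized_keys` file for the kind of restricted key discussed above, where every key should be pinned to a forced command. The command paths, the allow-list and the sample lines are assumptions constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")  # a line starting like this has no options field
LOCKDOWN = {"no-port-forwarding", "no-pty", "no-agent-forwarding", "no-x11-forwarding"}

def parse_options(line):
    """Return the options of one authorized_keys line as a dict, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE.match(line):
        return {}
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a quoted value
            cur.append('"')
            i += 1
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:            # option separator
            opts.append("".join(cur))
            cur = []
        elif c.isspace() and not quoted:         # end of the options field
            break
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    return {n.lower(): v for n, _, v in (o.partition("=") for o in opts)}

def audit(text, allowed):
    """Return (line number, problem) for keys not pinned to an allowed forced command."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        options = parse_options(line)
        if options is None:
            continue
        cmd = options.get("command")
        if cmd is None:
            findings.append((n, "no forced command, key allows a full login"))
        elif cmd not in allowed:
            findings.append((n, "unexpected forced command: " + cmd))
        missing = set() if "restrict" in options else LOCKDOWN - set(options)
        if cmd is not None and missing:
            findings.append((n, "missing " + ", ".join(sorted(missing))))
    return findings

# Constructed sample; key material is placeholder text and the command paths are assumptions.
ALLOWED = {"/usr/bin/cvs server", "/usr/bin/svnserve -t"}
SAMPLE = r'''command="/usr/bin/cvs server",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa PLACEHOLDERKEY1 alice
ssh-rsa PLACEHOLDERKEY2 bob
command="/usr/bin/svnserve -t",no-pty ssh-rsa PLACEHOLDERKEY3 carol
restrict,command="/bin/sh -c \"cvs server\"" ssh-ed25519 PLACEHOLDERKEY4 dave'''
```

Calling `audit(SAMPLE, ALLOWED)` flags lines 2, 3 and 4 of the sample and leaves the fully restricted key on line 1 alone.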
