Posted to dev@subversion.apache.org by Stefan Sperling <st...@elego.de> on 2008/08/15 00:25:11 UTC
[PATCH] Update AHHH! entry in FAQ
Hi,
here's an update to the entry about plaintext password
caching in the FAQ:
[[[
* www/faq.html
(plaintext-passwords): Explain features which will be added
in 1.6. Also, remove a remark about trusting the OS to protect
plaintext data. This won't convince people who are concerned about
not saving passwords in plaintext. In their minds, plaintext
password data in the filesystem usually *is* the weakest
link in a chain of security measures.
]]]
OK?
Stefan
Index: www/faq.html
===================================================================
--- www/faq.html (revision 32474)
+++ www/faq.html (working copy)
@@ -3075,14 +3021,19 @@
<p>On Mac OS X, svn 1.4 and later uses the system Keychain
facility to encrypt/store your svn password.</p>
-<p>On UNIX/Linux, there are no standard system encryption facilities,
-so the password is stored in ~/.subversion/auth/. Notice, however,
+<p>Subversion 1.6 will address this issue for UNIX/Linux.
+Support for Gnome-Keyring and KDEwallet has been implemented,
+both of which facilitate storing passwords on disk encrypted.
+The client will fall back to caching your password in plaintext
+if neither of these programs are available, but it has also been
+changed to never cache a password in plaintext without asking first.</p>
+
+<p>With Subversion 1.5 and earlier, on UNIX/Linux, the password can
+only be stored in plaintext in ~/.subversion/auth/. Notice, however,
that the directory which contains the cached passwords (usually
~/.subversion/auth/) has permissions of 700, meaning only you can read
them.</p>
-<p>Trust your OS to protect data on disk.</p>
-
<p>However, if you're really worried, you can permanently turn off
password caching. With an svn 1.0 client, just set 'store-auth-creds
= no' in your run-time config file. With an svn 1.1 client or later,
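Review bot: The new 1.6 paragraph says the client "will fall back to caching your password in plaintext if neither of these programs are available" and will not do so "without asking first", but it does not tell the reader what happens when they decline or how to make that answer permanent. The only opt-out the surrounding text documents is 'store-auth-creds = no', which turns off password caching altogether. Suggest adding one sentence on how to refuse the plaintext fallback for good, and changing "neither of these programs are" to "neither of these programs is".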
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Update AHHH! entry in FAQ
Posted by Arfrever Frehtes Taifersar Arahesis <ar...@gmail.com>.
2008-08-15 02:25:11 Stefan Sperling wrote:
> Hi,
>
> here's an update to the entry about plaintext password
> caching in the FAQ:
>
> [[[
>
> * www/faq.html
> (plaintext-passwords): Explain features which will be added
> in 1.6. Also, remove a remark about trusting the OS to protect
> plaintext data. This won't convince people who are concerned about
> not saving passwords in plaintext. In their minds, plaintext
> password data in the filesystem usually *is* the weakest
> link in a chain of security measures.
>
> ]]]
>
> OK?
>
> Stefan
>
> Index: www/faq.html
> ===================================================================
> --- www/faq.html (revision 32474)
> +++ www/faq.html (working copy)
> @@ -3075,14 +3021,19 @@
> <p>On Mac OS X, svn 1.4 and later uses the system Keychain
> facility to encrypt/store your svn password.</p>
>
> -<p>On UNIX/Linux, there are no standard system encryption facilities,
> -so the password is stored in ~/.subversion/auth/. Notice, however,
> +<p>Subversion 1.6 will address this issue for UNIX/Linux.
> +Support for Gnome-Keyring and KDEwallet has been implemented,
s/Gnome-Keyring and KDEwallet/GNOME Keyring and KWallet/
> +both of which facilitate storing passwords on disk encrypted.
> +The client will fall back to caching your password in plaintext
> +if neither of these programs are available, but it has also been
> +changed to never cache a password in plaintext without asking first.</p>
> +
> +<p>With Subversion 1.5 and earlier, on UNIX/Linux, the password can
> +only be stored in plaintext in ~/.subversion/auth/. Notice, however,
> that the directory which contains the cached passwords (usually
> ~/.subversion/auth/) has permissions of 700, meaning only you can read
> them.</p>
>
> -<p>Trust your OS to protect data on disk.</p>
> -
> <p>However, if you're really worried, you can permanently turn off
> password caching. With an svn 1.0 client, just set 'store-auth-creds
> = no' in your run-time config file. With an svn 1.1 client or later,
>
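Review bot: The log message drops "Trust your OS to protect data on disk" as unconvincing, yet the sentence kept in the 1.5 paragraph, "has permissions of 700, meaning only you can read them", makes the same argument: the plaintext password is protected only by OS file permissions. Mode 700 keeps out other unprivileged local users, not root, backups, or anyone who can read the disk directly. Suggest saying so, and dropping the second "(usually ~/.subversion/auth/)", since the path is already given in the previous sentence.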
+1.
--
Arfrever Frehtes Taifersar Arahesis
Re: [PATCH] Update AHHH! entry in FAQ
Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Stefan Sperling wrote on Fri, 15 Aug 2008 at 02:25 +0200:
> Index: www/faq.html
> ===================================================================
> --- www/faq.html (revision 32474)
> +++ www/faq.html (working copy)
> @@ -3075,14 +3021,19 @@
> <p>On Mac OS X, svn 1.4 and later uses the system Keychain
> facility to encrypt/store your svn password.</p>
>
> -<p>On UNIX/Linux, there are no standard system encryption facilities,
> -so the password is stored in ~/.subversion/auth/. Notice, however,
> +<p>Subversion 1.6 will address this issue for UNIX/Linux.
> +Support for Gnome-Keyring and KDEwallet has been implemented,
> +both of which facilitate storing passwords on disk encrypted.
> +The client will fall back to caching your password in plaintext
> +if neither of these programs are available, but it has also been
^
It needs to be available and enabled at compile time *and* at run time --
maybe say that explicitly?
> +changed to never cache a password in plaintext without asking first.</p>
^^^^^
<em> around this word?
> +
> +<p>With Subversion 1.5 and earlier, on UNIX/Linux, the password can
> +only be stored in plaintext in ~/.subversion/auth/. Notice, however,
> that the directory which contains the cached passwords (usually
> ~/.subversion/auth/) has permissions of 700, meaning only you can read
> them.</p>
>
> -<p>Trust your OS to protect data on disk.</p>
> -
> <p>However, if you're really worried, you can permanently turn off
> password caching. With an svn 1.0 client, just set 'store-auth-creds
> = no' in your run-time config file. With an svn 1.1 client or later,
>
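Review bot: The hunk header "@@ -3075,14 +3021,19 @@" has old and new start lines 54 apart, although this is the only hunk shown for www/faq.html. For the first hunk of a file the two normally match, so the working copy appears to carry other changes to the file that were left out of the posted diff. Please regenerate the patch against revision 32474, or post the missing hunks, so reviewers see the whole change.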