Posted to dev@subversion.apache.org by Ben Collins-Sussman <su...@red-bean.com> on 2006/02/28 01:37:33 UTC

the report from PyCon

So I went to PyCon in Dallas last Thursday-Sunday, along with Fitz and
a bunch of other Googlers.  Fitz gave a great 30-minute talk on the
history of cvs2svn.py, and I gave a goofy 5-minute lightning talk
about some IRC bots I've been writing.  All in all, very much a fun
conference.

Re: the report from PyCon

Posted by kf...@collab.net.
Greg Hudson <gh...@MIT.EDU> writes:
> On Mon, 2006-02-27 at 19:37 -0600, Ben Collins-Sussman wrote:
> >       * He heavily
> >         recommends we take a look at it, that it's much better than
> >         svnserve's CRAM-MD5.
> 
> The cram-md5 code is there because it's (1) implementable in a very
> small amount of code, and (2) a defined SASL mechanism.  I have no
> illusions that it has good authentication properties, except that an
> attacker listening to the network would have a very difficult time
> recovering the password.
> 
> I don't want to see us adding more original authentication code to
> svnserve, particularly if it's not a defined SASL mechanism.  Instead, I
> want someone to write code to link ra_svn and svnserve against a SASL
> library which will do all this work for us.  We know there are some
> issues there, and it's not an easy bit of glue to write, but more
> homegrown crypto does not seem like the answer.

Agreed.

(Also think CRAM-MD5 is not so bad, because it's simple to understand
and its end-point weaknesses are easy to explain.)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: the report from PyCon

Posted by Greg Hudson <gh...@MIT.EDU>.
On Mon, 2006-02-27 at 19:37 -0600, Ben Collins-Sussman wrote:
>       * He heavily
>         recommends we take a look at it, that it's much better than
>         svnserve's CRAM-MD5.

The cram-md5 code is there because it's (1) implementable in a very
small amount of code, and (2) a defined SASL mechanism.  I have no
illusions that it has good authentication properties, except that an
attacker listening to the network would have a very difficult time
recovering the password.

I don't want to see us adding more original authentication code to
svnserve, particularly if it's not a defined SASL mechanism.  Instead, I
want someone to write code to link ra_svn and svnserve against a SASL
library which will do all this work for us.  We know there are some
issues there, and it's not an easy bit of glue to write, but more
homegrown crypto does not seem like the answer.


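To make concrete what the two messages above are weighing (Greg's point that a passive listener cannot recover the password from a CRAM-MD5 exchange, and the reply's point that its weaknesses sit at the end-points), here is an added Python sketch of the RFC 2195 challenge/response, written for this thread and not taken from svnserve or ra_svn. The hostname, user and password values are constructed; the only real data is the RFC 2195 worked example (user "tim", password "tanstaaftanstaaf"), which the functions reproduce.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, the mechanism svnserve uses.
Constructed sketch; not the svnserve implementation."""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable challenge in the RFC 2195
    '<random.timestamp@host>' form. Freshness is what defeats replay."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: prove knowledge of the password without sending it.
    Only the username and HMAC-MD5(password, challenge) cross the wire,
    so a listener sees a keyed digest, never the password itself."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: str, stored_passwords: dict) -> bool:
    """Server side: recompute the digest from the password it holds.
    This is the end-point weakness: the server must keep the plaintext
    password (or an MD5 state equivalent to it), so a stolen password
    store is directly usable.  svnserve's passwd file is cleartext for
    exactly this reason."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = stored_passwords.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(expected, digest)


def wire_encode(text: str) -> str:
    """Both challenge and response travel base64-encoded on the wire."""
    return base64.b64encode(text.encode()).decode()
```

Verifying a captured response against a different challenge fails, which is what makes a recorded exchange useless for replay but does nothing to protect the server's stored secrets.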