On Wed, 2010-12-01 at 14:08 +0100, Stefan Sperling wrote:
> However, I still see a potential risk here because the name "gpg-agent"
> is very misleading. It violates the principle of least surprise.
> How can we prevent users misunderstanding what "Subversion's gpg-agent
> feature" does from entering their private pgp key passphrase (which will
> then be sent to the server)? Can we control the prompt printed by
> gpg-agent? ("Enter your Subversion password, NOT your secret PGP
> passphrase!")
Yes, the agent protocol provides for customized prompts, and the patch itself refers to the Subversion repository server (or something like that) in that prompt.

I have no emotional investment in the gpg-agent idea (aside from the "don't re-invent the wheel" argument), but here's my $0.02: I think most people who know enough to use gpg agent (it's a bit more involved to set up, etc. than things like gnome-keyring) probably understand what it does well enough to not make that mistake.

Also, in most corporate or enterprise environments (where the stakes are really high) Subversion will be installed and set up by administrators (who *better* know what they're doing) and used by users who may not even know that gpg-agent is running in the background. All they get is a prompt for their subversion password. I know those lines get a little more blurred in Linux-land than in Windows-land, but I think the point is still a valid one.

From a purely personal point of view, I'd be happy with ANY disk or memory password cache for Subversion on Linux that is safe (security-wise) and doesn't rely on the presence of any GUI libraries or capabilities. The gpg-agent path was just the easiest one for me to implement directly.

Thanks,
-Dan
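The customizable prompt the reply relies on, shown as an added example that is not part of this thread and not Subversion's own gpg-agent code: a minimal client for gpg-agent's Assuan `GET_PASSPHRASE` command whose prompt and description state plainly that the Subversion password, not the PGP passphrase, is being asked for. The argument order (`<cache_id> <error_message> <prompt> <description>`, with `X` for "use the default" and `+`/`%XX` escaping) follows gpg-agent's documented syntax; the function names, the realm-hash cache-id convention, and the socket lookup via `GPG_AGENT_INFO` or `gpgconf --list-dirs agent-socket` are this example's own assumptions.

```python
"""Minimal gpg-agent (Assuan) client that asks for a Subversion password
with an unambiguous prompt.  Added example; not Subversion's own code."""
import hashlib
import os
import socket
import subprocess


def assuan_escape(text):
    """Percent-escape a GET_PASSPHRASE argument.

    gpg-agent reads the prompt/description arguments with '+' standing for
    a space and %XX for '%', '+' and any non-printable or non-ASCII byte.
    """
    out = []
    for b in text.encode("utf-8"):
        if b == 0x20:
            out.append("+")
        elif b < 0x21 or b > 0x7E or chr(b) in "%+":
            out.append("%%%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def assuan_unescape(text):
    """Undo %XX escaping on a data ('D ') line returned by the agent."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", "replace")


def cache_id_for_realm(realm):
    # Constructed convention for this example: cache entries are keyed on a
    # hash of the Subversion realm string, so two servers never share one.
    # Kept short because gpg-agent caps the length of a cache id.
    return hashlib.sha256(realm.encode("utf-8")).hexdigest()[:32]


def build_get_passphrase(realm, username):
    """Build the GET_PASSPHRASE line: --data returns the secret on a D line.

    The prompt text is the whole point: it must leave no doubt which secret
    is being requested, because whatever is typed goes to the SVN server.
    """
    prompt = "Subversion password:"
    description = ("Enter your Subversion password for user '%s' at %s. "
                   "This is NOT your secret PGP passphrase." % (username, realm))
    return "GET_PASSPHRASE --data %s X %s %s" % (
        cache_id_for_realm(realm), assuan_escape(prompt), assuan_escape(description))


def parse_reply(lines):
    """Classify one reply block.  Returns (ok, payload): the passphrase on
    success, the ERR text on failure.  'S' status and '#' comment lines are
    informational and skipped."""
    data = []
    for line in lines:
        if line.startswith("D "):
            data.append(assuan_unescape(line[2:]))
        elif line == "OK" or line.startswith("OK "):
            return True, "".join(data)
        elif line.startswith("ERR "):
            return False, line[4:]
    return False, "no OK/ERR terminator in reply"


def locate_agent_socket():
    """Find the agent socket: GPG_AGENT_INFO ('path:pid:version', older
    agents) or 'gpgconf --list-dirs agent-socket' (GnuPG 2.1 and later)."""
    info = os.environ.get("GPG_AGENT_INFO")
    if info:
        return info.split(":", 1)[0]
    return subprocess.check_output(
        ["gpgconf", "--list-dirs", "agent-socket"]).decode().strip()


def _read_reply(reader):
    """Collect reply lines up to and including the terminating OK/ERR."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("agent closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if line == "OK" or line.startswith("OK ") or line.startswith("ERR "):
            return lines


def get_svn_password(realm, username, sock_path=None):
    """Live exchange with a running gpg-agent (needs a real agent socket)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or locate_agent_socket())
        reader = s.makefile("rb")
        _read_reply(reader)  # greeting line, e.g. "OK Pleased to meet you"
        s.sendall((build_get_passphrase(realm, username) + "\n").encode())
        ok, payload = parse_reply(_read_reply(reader))
        s.sendall(b"BYE\n")
    if not ok:
        raise RuntimeError("gpg-agent refused: " + payload)
    return payload


if __name__ == "__main__":
    # Print the command line only; no agent is contacted here.
    print(build_get_passphrase("<https://svn.example.org:443> Example Repo", "alice"))
```

The check worth keeping from this thread is in `build_get_passphrase`: whatever pinentry shows comes from the `prompt` and `description` arguments, so the client, not gpg-agent, decides whether the dialog reads "PGP passphrase" or "Subversion password". Because the agent caches by `cache_id`, a per-realm id also keeps a cached Subversion password from being handed back for an unrelated server.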