On Sat, Oct 16, 2010 at 4:43 AM, Erik Huelsmann <ehu...@gmail.com> wrote:
> Hi Nico,
>
>> I'd love to see this deployed, and love to see the protocol updated
>> enough to block the use of the older, less secure clients. But 1.7 has
>> already blown well past its release date of "this summer". If it's not
>> in feature freeze, I'll be pleasantly surprised to see such a feature.
>>
>> And let's be clear: I started ranting about this back in..... 2006?
>> 2005? The changes have been positive, but hardly complete.
>
> I'm afraid "ranting about it" does not really help: it puts
> Subversion in a bad light, but doesn't really solve anything. So,
> instead of just stating what's wrong all the time, it would be nice if
> you started actually contributing toward the goals you think need to
> be achieved.

I do. Both by explaining the real risks, and pointing out the tools
that do work. (svn+ssh, and keeping your passwords for Subversion
separate from your system passwords.)

> By the way: there are users (lots) who are actually not at all that
> uncomfortable with the current situation: I'm my own sysadmin with no
> network disks around. There's nothing to be hidden on this system.
> There are many others with situations alike, so plainly removing the
> current support is *no* option for me, unless you offer me a
> password-less alternative which also doesn't introduce additional
> setup requirements.

And I'd like a pony. More seriously, "doesn't introduce additional
setup requirements" is an amazingly high bar for real world security.
The small vulnerabilities stack up to a far too common, vulnerable set
up that exists world wide. More seriously,