On Sat, Oct 16, 2010 at 10:00 AM, Stefan Sperling <s...@elego.de> wrote:
> It should be noted that, in our community, contributing towards such
> goals will also require compromise. Which people concerned about security
> are rarely willing to make ("good enough" isn't good enough, it needs to
> be as good and secure as it can possibly be).

Certainly compromises are necessary in life. I've *been* compromising, I'm helping people get svn+ssh working and publishing notes on getting it working.

> I share Nico's concerns, and when I did (successfully) try to get the
> behaviour changed, the community was OK with adding a prompt, but not
> with dropping the feature entirely. Which I would have happily done if
> people had let me do it. But fair enough, the community's decision is
> binding, and overrules my own, personal, opinion.

How did "the community" vote? I'm glad to see the query, I really am. It's a step forward. But the person who owns the central repository is the only one whose "vote" really counts, unless others want to write a fork. Who stopped you?

> So I don't think Nico will ever get what he wants, no matter how much
> he'll be ranting about it or be trying to actually contribute towards
> getting this feature removed.

Would patch files for the config files help to get it enabled by default? I can send them.

> And I suppose he won't be happy with GPG support either.

I'd be happy if you'd call it by its correct name. It's not GPG support. It's gpg-agent support, which is a local daemon for providing access to unlocked GPG keys. It's a great widget, I've used it, and I'd love to see it in the Subversion code base. It would allow admins to prevent the use of the existing older releases and enforce an upgrade to a more secure technology. Go, Dan Engel, for submitting it!

> What he really wants is an alternate-universe Subversion which never
> had the plaintext password storage feature in the first place.

I'd settle for being able to block that local use on the server side: that means a structural change.

Hopefully, this gpg-agent shift will provide that. Unfortunately, the 1.7 code base has already blown by its release date, and RHEL 6 is already in feature freeze. We've missed the window of opportunity: expect it to be another 4 years before the next major release and Subversion update for their core distribution. I'd still be happy to see it and be delighted to double check and submit it to RPMforge for updates.

> Precisely. There's no one-size-fits-all solution.
> Well, there is one on Windows and Mac because they have standard password
> stores. But in the Linux/UNIX world there isn't.
>
> Stefan
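The plaintext credential cache the thread argues about can at least be audited on a workstation. The following is an added example, not code from the thread or from the Subversion project; it assumes Subversion's svn.simple cache layout under ~/.subversion/auth/ (one K/V hash file per realm, with passtype=simple and a literal password key when the password was stored unencrypted) and uses constructed sample entries.

```python
"""Added example: find Subversion credentials cached in plaintext.

Assumption: cache files live in ~/.subversion/auth/svn.simple/ and use
Subversion's hash-file format ('K <len>', key, 'V <len>', value, ..., 'END').
"""
from pathlib import Path


def parse_hashfile(text: str) -> dict:
    """Parse one K/V hash file into a dict; values are single lines here."""
    lines = text.splitlines()
    result, i = {}, 0
    while i < len(lines) and lines[i] != "END":
        if not lines[i].startswith("K ") or not lines[i + 2].startswith("V "):
            raise ValueError(f"malformed record near line {i}: {lines[i]!r}")
        result[lines[i + 1]] = lines[i + 3]
        i += 4
    return result


def encode_hashfile(fields: dict) -> str:
    """Inverse of parse_hashfile; used only to build the constructed samples."""
    out = []
    for k, v in fields.items():
        out += [f"K {len(k.encode())}", k, f"V {len(v.encode())}", v]
    return "\n".join(out + ["END"]) + "\n"


def plaintext_entries(files):
    """Return (realm, username) for every entry holding an unencrypted password.
    `files` is an iterable of (name, contents) pairs."""
    found = []
    for name, contents in files:
        entry = parse_hashfile(contents)
        if entry.get("passtype") == "simple" and "password" in entry:
            found.append((entry.get("svn:realmstring", name), entry.get("username", "?")))
    return found


def scan_auth_dir(auth_dir=Path.home() / ".subversion" / "auth" / "svn.simple"):
    """Audit the real cache directory; returns [] if it does not exist."""
    if not auth_dir.is_dir():
        return []
    return plaintext_entries((p.name, p.read_text()) for p in auth_dir.iterdir() if p.is_file())


# Constructed sample cache: one plaintext entry, one keyring-backed entry.
SAMPLE_FILES = [
    ("a1b2", encode_hashfile({"passtype": "simple", "password": "hunter2",
                              "svn:realmstring": "<https://svn.example.test:443> Repo",
                              "username": "alice"})),
    ("c3d4", encode_hashfile({"passtype": "gnome-keyring",
                              "svn:realmstring": "<https://svn.example.test:443> Other",
                              "username": "bob"})),
]

if __name__ == "__main__":
    for realm, user in plaintext_entries(SAMPLE_FILES) + scan_auth_dir():
        print(f"plaintext password cached for {user} at {realm}")
```

Entries whose passtype names a keyring or gpg-agent backend carry no password key and are not reported.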