On Mon, Feb 22, 2021 at 1:17 PM CoolCold <coolthec...@gmail.com> wrote:
>
> Good day!
> (please CC me, I'm not subscribed to the list)
>
> A bit of context:
> I was using subversion to store my servers' configs versioned for
> almost a decade, with bash wrapping around it. Simplified, it had a repo
> per server name, a wrapper called by cron to check out, rsync over,
> commit changes back, sending email on diffs (
> https://github.com/coolcold/svnbackup ). Had no issue with it, when
> password store was enabled. It's run under the root user and saved
> credentials are not exposed to non-admin users on the system.
>
> Issue: with recent changes hitting packages in distributions (
> https://marc.info/?l=subversion-commits&m=154101482302608&w=2 ), that
> seems to be not possible anymore.
> I did adjust my script to use command line switch --password, but this
> makes it visible for anyone who does simple commands like ps aux.
> I've tried to look around for possible support of environment
> variables / password file support, but couldn't find any except some
> old proposals like
> http://subversion.1072662.n5.nabble.com/Feature-proposal-SVN-USERNAME-and-SVN-PASSWORD-environment-variables-td180031.html
>
> Rebuilding subversion from source is not an option for many reasons.
>
> Seeking your help on this, what is the proper way of doing this
> with recent versions?
> Thanks in advance.

Hello,

Recent versions (1.12.x and newer [1]) by default don't _save_
passwords to disk in plaintext (unless configured to do so at
build-time).

However, Subversion will _use_ the password, if it is already stored
on disk.

So, as a workaround, you could use some out-of-band method to save the
password to disk either by using an older SVN client or by generating
a file with the right bits in it:

In a recent discussion on our dev mailing list, there is an example
shell script (for zsh) that saves a password file. See [2] and note
that there were a few corrections to the script so be sure to use the
latest version in that mail list thread.

[1] https://subversion.apache.org/docs/release-notes/1.12.html#client-server-improvements

[2] https://lists.apache.org/thread.html/r0eef40236aeddd1db18bc7882454dd3b18bcd721d8fd8c9e21aca52a%40%3Cdev.subversion.apache.org%3E

I hope the above is helpful; feel free to ask as many questions as you
need to, or propose improvements to the above-mentioned script or
Subversion itself. We have gotten quite a few questions about this and
it has been frustrating for anyone who uses svn as part of cron jobs
in non-X environments, where the available encrypted password stores,
Kwallet and Gnome-keyring, aren't much help, and GPG-Agent doesn't
persist the passwords indefinitely. We would be really grateful if
someone could propose a solution that works well in these scenarios
while alleviating people's concerns about storing passwords on disk in
plaintext.

Cheers,
Nathan
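
The "file with the right bits in it" mentioned above is a small key/value file in the client's auth/svn.simple directory, named after the MD5 of the realm string. The sketch below is an added example, not the script from [2] and not code from the Subversion project; the function names, the use of md5sum and the realm and user values a caller passes are assumptions. The password is read from stdin so it never appears in ps output the way --password does.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from [2]). Assumed: function names,
# md5sum being installed, and whatever realm/user values the caller passes.

# svn_cache_entry REALM USERNAME PASSWORD
# Emits the serialized hash svn reads: "K <len>", key, "V <len>", value, ... "END".
svn_cache_entry() {
    local LC_ALL=C    # make ${#var} count bytes, which is what the format needs
    printf 'K 8\npasstype\nV 6\nsimple\n'
    printf 'K 8\npassword\nV %d\n%s\n' "${#3}" "$3"
    printf 'K 15\nsvn:realmstring\nV %d\n%s\n' "${#1}" "$1"
    printf 'K 8\nusername\nV %d\n%s\n' "${#2}" "$2"
    printf 'END\n'
}

# svn_cache_install CONFIG_DIR REALM USERNAME
# Reads the password from the first line of stdin, writes the cache entry with
# owner-only permissions, and prints the path of the file it created.
svn_cache_install() {
    local dir="$1/auth/svn.simple" realm="$2" user="$3" pass file
    IFS= read -r pass || [ -n "$pass" ] || return 1
    # The file name is the hex MD5 of the realm string (no trailing newline).
    file="$dir/$(printf '%s' "$realm" | md5sum | cut -d' ' -f1)"
    (
        umask 077    # new directories become 0700, the file 0600
        mkdir -p "$dir" &&
        svn_cache_entry "$realm" "$user" "$pass" > "$file"
    ) || return 1
    printf '%s\n' "$file"
}
```

The realm string has to match byte for byte what the server presents, because the file name is derived from it. The password still sits on disk in plaintext, protected only by the file mode and the ownership of the config directory.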
