On Thu, Feb 3, 2022 at 1:31 PM Jeffrey Walton <noloa...@gmail.com> wrote:
> I checked the man pages and could not find an answer... What
> environmental variables does a subversion client use?
>
> The problem I am trying to solve is, I am being prompted for a
> password in a script about 15 times. I want to know which variable to
> use for a password to avoid the prompts.

Hi Jeffrey,

Come to think of it, I don't think we have an exhaustive list of
environment variables that a Subversion client (or server, for that
matter) can use. That might be a useful thing to document. As far as I
know, there isn't an environment variable for providing credentials.

Regarding the password prompts for a scripted use case, there is an
ongoing and long discussion on our development list about this issue.
I assume you're on a Unix system (since you mentioned reading the man
pages). Whereas on Windows and macOS, Subversion always uses encrypted
credential caches (standard Windows API on Windows; Keychain on
macOS), the situation is more complicated on Linux/Un*x systems, which
do not have a single standardized solution for credential caching. So
on these systems, Subversion can be built with support for several
possible credential caches, including GNOME Keyring, KDE KWallet,
GPG-Agent, or a plaintext cache. Due to security concerns, the
plaintext credential cache is disabled in the default build starting
with Subversion 1.12, unless enabled at compile-time. However, that
decision has made things more complicated for scripted/remote/headless
use cases, which we have been hearing about. We're trying to find a
solution that balances everyone's needs as well as possible.

Meanwhile, back to the immediate issue:

You can check which credential caches your SVN client was built with by running:

$ svn --version

and looking for "The following authentication credential caches are
available:" in the output.

KWallet and GNOME Keyring will probably prompt for a password once and
then cache it in memory, probably until some timeout elapses.

I looked into GPG Agent in the past and I think it is possible to make
it never prompt for a password interactively, but when I tried to set
this up to test it, I could not get it to work. Maybe others have more
input on this.

If you are in a trusted environment, you can pass --username and
--password arguments to svn on the command line; I say "trusted
environment" because this is not secure: the password becomes
viewable, e.g., in ps.

A slightly better solution could be to cache a plaintext password;
earlier I mentioned that the plaintext cache is disabled by default
since 1.12, but note that SVN clients will still use a cached
plaintext password if it is already saved. (They just won't cache new
passwords by that method.) There exists somewhere in our mail archives
a script for zsh (which I can try to find if you want it) to manually
cache a plaintext password, if you feel this is an acceptable
solution. (There might also be a python script; I don't remember.)

This FAQ entry (which is yet a work-in-progress) may offer something helpful:

https://subversion.apache.org/faq.html#plaintext-passwords

If the repository access is through svn+ssh, this FAQ might be helpful:

https://subversion.apache.org/faq.html#plaintext-passwords

Perhaps other users will chime in with ideas. It might be helpful if
you can tell us the SVN client version, OS on which you're using it,
and the method by which the repository is accessed (http, https, svn,
svn+ssh, file, etc).

Hope this helps...

Nathan
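
The point above that clients keep using an already-saved plaintext password makes it worth checking what is actually on disk. The script below is an added example, not part of the original message and not Subversion's own tooling; it lists cached entries stored as plaintext without printing the password. It assumes the standard per-user auth area ~/.subversion/auth/svn.simple and its key/value file layout, which the message does not describe; the sample realms and credentials are constructed.

```shell
#!/bin/sh
# Added example: audit Subversion's on-disk credential cache for plaintext
# passwords. Assumes the standard per-user auth area
# (~/.subversion/auth/svn.simple) and its
# "K <len> / key / V <len> / value / END" file layout.

# Print "passtype<TAB>username<TAB>realm" for one cache file; never the password.
svn_auth_entry() {
    awk '
        state == "k" { key = $0; state = ""; next }
        state == "v" { val[key] = $0; state = ""; next }
        /^K [0-9]+$/ { state = "k"; next }
        /^V [0-9]+$/ { state = "v"; next }
        END { printf "%s\t%s\t%s\n", val["passtype"], val["username"], val["svn:realmstring"] }
    ' "$1"
}

# List "file<TAB>username<TAB>realm" for every entry stored as plaintext
# (passtype "simple"); keyring- or agent-backed entries are skipped.
svn_plaintext_entries() {
    dir=${1:-"$HOME/.subversion/auth/svn.simple"}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svn_auth_entry "$f" |
            awk -F '\t' -v f="$f" '$1 == "simple" { print f "\t" $2 "\t" $3 }'
    done
}

# Build a constructed sample auth directory (fake realms and credentials)
# so the audit can be tried without touching a real cache. Prints its path.
svn_sample_auth_dir() {
    d=$(mktemp -d) || return 1
    printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 9\nnot-real1\nK 15\nsvn:realmstring\nV 40\n<https://svn.example.com:443> Sample One\nK 8\nusername\nV 5\nbuild\nEND\n' > "$d/aaaa"
    printf 'K 8\npasstype\nV 13\ngnome-keyring\nK 15\nsvn:realmstring\nV 40\n<https://svn.example.org:443> Sample Two\nK 8\nusername\nV 5\nalice\nEND\n' > "$d/bbbb"
    printf '%s\n' "$d"
}
```

Run svn_plaintext_entries with no argument to audit the current user's cache; any line it prints is a file worth removing or protecting with tighter permissions.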
