On Mon, Jan 3, 2011 at 11:09 AM, Nick <nos...@codesniffer.com> wrote:
> On Sun, 2011-01-02 at 22:43 -0500, Nico Kadel-Garcia wrote:
>
>> It's possible to do secure Subversion. Use svn+ssh access, disable or
>> block other services at the firewall, and keep it away from HTTP/HTTPS
>> in order to prevent UNIX or Linux client plaintext password storage.
>
> Apologies in advance if this is covered somewhere, but can someone
> explain (or point me to some references on) why using SVN w/ Apache
> (HTTPS) is insecure? I've seen some references to plain text password
> storage, but I don't see my password on my server. The passwords in my
> svnusers files look like hashes, which makes sense because I use the
> "-m" option to htpasswd2 when creating them. What am I missing?

Yes, it is secure. Nico's issue is that the SVN client will allow the user to cache their password in plaintext locally in their home folder. This is only true for *nix clients though. Windows and OSX clients store the password securely.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/
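
Added example, not part of the original thread: a Python audit of the client-side credential cache described in the reply above, reporting which cached entries hold a plaintext password without printing the password itself. It assumes the client's length-prefixed `K`/`V` ... `END` cache file format and the `passtype` key; the file names, realm and credentials in `demo()` are constructed.

```python
import os
import tempfile

def parse_svn_hash(data):
    """Parse a 'K len / key / V len / value ... END' hash dump into a dict."""
    items, pos = [], 0
    while not data.startswith(b"END", pos):
        eol = data.index(b"\n", pos)
        kind, length = data[pos:eol].split()
        if kind != (b"V" if len(items) % 2 else b"K") or not length.isdigit():
            raise ValueError("malformed record")
        pos = eol + 1 + int(length) + 1  # payload plus its trailing newline
        items.append(data[eol + 1:pos - 1].decode("utf-8", "replace"))
    return dict(zip(items[0::2], items[1::2]))

def find_plaintext_entries(auth_dir):
    """Return (file, realm, username) per plaintext entry; never the password."""
    hits = []
    for name in sorted(os.listdir(auth_dir)):
        try:
            with open(os.path.join(auth_dir, name), "rb") as fh:
                entry = parse_svn_hash(fh.read())
        except (OSError, ValueError):
            continue  # unreadable, or not a credential file
        # Assumption: an entry with no passtype key is treated as plaintext.
        if "password" in entry and entry.get("passtype", "simple") == "simple":
            hits.append((name, entry.get("svn:realmstring", "?"), entry.get("username", "?")))
    return hits

def make_entry(fields):
    """Serialize a constructed sample entry (no real credentials)."""
    parts = [b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
             for k, v in ((k.encode(), v.encode()) for k, v in fields.items())]
    return b"".join(parts) + b"END\n"

def demo():
    """Audit two constructed entries written to a temporary directory."""
    realm = "<https://svn.example.org:443> Example"  # constructed realm
    samples = {"aaa": {"passtype": "simple", "password": "not-a-real-secret",
                       "svn:realmstring": realm, "username": "alice"},
               "bbb": {"passtype": "gnome-keyring",
                       "svn:realmstring": realm, "username": "bob"}}
    with tempfile.TemporaryDirectory() as d:
        for name, fields in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(make_entry(fields))
        return find_plaintext_entries(d)

if __name__ == "__main__":
    print(demo())
```

To audit a real Unix client, pass `os.path.expanduser("~/.subversion/auth/svn.simple")` to `find_plaintext_entries`. Setting `store-plaintext-passwords = no` in `~/.subversion/servers` stops the client from writing new plaintext entries.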