On Mon, Jan 3, 2011 at 3:56 PM, Nick <nos...@codesniffer.com> wrote:
> On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote:
>> > Apologies in advance if this is covered somewhere, but can someone
>> > explain (or point me to some references on) why using SVN w/ Apache
>> > (HTTPS) is insecure? I've seen some references to plain text password
>> > storage, but I don't see my password on my server. The passwords in my
>> > svnusers files look like hashes, which makes sense because I use the
>> > "-m" option to htpasswd2 when creating them. What am I missing?
>>
>> Yes, it is secure. Nico's issue is that the SVN client will allow the
>> user to cache their password in plaintext locally in their home
>> folder. This is only true for *nix clients though. Windows and OSX
>> clients store the password securely.
>
> I see, thanks. So by "SVN client", are you referring to the command
> line client that's provided by SVN?
> May I ask why the *nix client stores the credentials in plain text?
> Again, I'm open to references which explain it if this has already been
> covered.
This is a very large and longstanding issue for me and others, and has led to clients of mine rejecting Subversion outright. And it looks like a legacy of Subversion's re-implementation of CVS, described as "CVS done right". CVS security was even worse.
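An added check for the behaviour Mark describes above (the *nix command-line client caching the password in the clear under the user's home directory). This is example code written for this page, not code from the thread or from the Subversion project. It assumes the on-disk layout of Subversion's auth cache: one file per realm under ~/.subversion/auth/svn.simple/, written as "K <len>" / key / "V <len>" / value records terminated by END, where a passtype of "simple" means the password itself is on disk while keyring-backed passtypes (gnome-keyring, kwallet, keychain, wincrypt) leave only the realm and username there. The sample cache it scans is constructed in a temp directory so the script runs offline; point it at a real ~/.subversion/auth to audit a home directory.

```shell
#!/bin/sh
# Audit a Subversion auth cache for passwords stored in the clear.
# Example code for this page; assumes the svn.simple file layout noted above.

# Parse one svn.simple cache file into "key=value" lines.
svn_simple_kv() {
    awk '
        /^K [0-9]+$/ { getline key; next }
        /^V [0-9]+$/ { getline val; print key "=" val; next }
    ' "$1"
}

# Print "<file> <username> <realm>" for every entry whose passtype is
# "simple", i.e. whose password is cached in plaintext. Always exits 0.
svn_plaintext_entries() {
    for f in "$1"/svn.simple/*; do
        [ -f "$f" ] || continue
        kvs=$(svn_simple_kv "$f")
        case "$kvs" in
            *"passtype=simple"*)
                user=$(printf '%s\n' "$kvs" | sed -n 's/^username=//p')
                realm=$(printf '%s\n' "$kvs" | sed -n 's/^svn:realmstring=//p')
                printf '%s %s %s\n' "$f" "$user" "$realm"
                ;;
        esac
    done
    return 0
}

# Number of plaintext entries under an auth directory.
svn_plaintext_count() {
    svn_plaintext_entries "$1" | wc -l | tr -d ' '
}

# Emit one record in the hash-file format (lengths computed, not hand-counted).
kv() { printf 'K %d\n%s\nV %d\n%s\n' "${#1}" "$1" "${#2}" "$2"; }

# Build a constructed two-entry sample cache in a fresh temp dir; prints its path.
make_sample_cache() {
    dir=$(mktemp -d)
    mkdir -p "$dir/svn.simple"
    # Entry 1: the case the thread warns about, password on disk in the clear.
    {
        kv passtype simple
        kv password secret
        kv svn:realmstring '<https://svn.example.test:443> Example realm'
        kv username alice
        echo END
    } > "$dir/svn.simple/0000a"
    # Entry 2: password held by a keyring; only realm and username on disk.
    {
        kv passtype gnome-keyring
        kv svn:realmstring '<https://svn.example.test:443> Example realm'
        kv username bob
        echo END
    } > "$dir/svn.simple/0000b"
    echo "$dir"
}

# Demo on the constructed sample; substitute "$HOME/.subversion/auth" to
# audit a real cache. Expected: one hit, for alice.
sample=$(make_sample_cache)
svn_plaintext_entries "$sample"
rm -rf "$sample"
```

On a client that has been caching in the clear, the fix that stops the behaviour going forward is in the user's own Subversion configuration: `store-plaintext-passwords = no` in the `[global]` section of ~/.subversion/servers refuses to write a password to disk when no keyring is available, and `store-passwords = no` in the `[auth]` section of ~/.subversion/config disables password caching entirely; entries the script reports can then be deleted from ~/.subversion/auth/svn.simple/ and the affected passwords rotated.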