[MERGE][1.2][#185394] Disconnect and reconnect the smart medium after getting "unknown method" error from server if a request body was sent.

Robert Collins robertc at robertcollins.net
Mon Feb 11 05:06:27 GMT 2008


On Thu, 2008-02-07 at 17:45 +0100, Vincent Ladeuil wrote:
> 
> What the connection sharing mechanism does is save the necessary
> credentials once the first connection to a server succeeds, so
> any subsequent connection may reuse the same credentials
> without asking the user anything.

This is generally a bad idea; passwords are not things to hold in memory
that is not locked, as they can get paged out to the swap file and
exposed.

The auth-ring file, assuming permissions are set correctly on it, is
tolerable (but we should really read it and clear the memory afterwards
for security).

For HTTP basic auth we don't really have a choice, but for digest
you can establish the session and then forget the plain text password.
For ssh we should use an ssh agent *ourselves* in the event that we're
not using openssh.

-Rob




-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.