bzr-svn not caching credentials

Jelmer Vernooij jelmer at samba.org
Tue Jan 25 20:14:26 UTC 2011


On Tue, 2011-01-25 at 14:57 -0500, Gordon Tyler wrote:
> On Tue, January 25, 2011 2:19 pm, Jelmer Vernooij wrote:
> > On Tue, 2011-01-25 at 14:03 -0500, Gordon Tyler wrote:
> >> If bzr-can read the saved auth info, why can't it update it as well?
> > It seems wrong for Bazaar to be writing to ~/.subversion. Also,
> > passwords are stored plain-text in ~/.subversion, which is a security
> > concern. As a Bazaar user I wouldn't want Bazaar to write my passwords
> > in plain text *anywhere* on disk automatically.
> 
> Passwords are not stored in plain-text on Windows. The only file in my
> Subversion auth cache dir contains an encrypted form of my password.
> According to
> http://help.collab.net/index.jsp?topic=/faq/cachepassword.html, it uses
> Windows encryption facilities. It can also use the Mac OS X Keychain
> facility. On Linux/Unix, you can configure in your subversion config which
> password store to use, e.g. gnome-keyring or kwallet. This seems to be a
> svn 1.6 feature.
bzr-svn deliberately doesn't talk to gnome-keyring or kwallet through
libsvn. Bazaar already has integration with gnome-keyring and kwallet
and the concern is that we try the same credentials more than once.

> See
> http://blogs.open.collab.net/svn/2009/07/subversion-16-security-improvements.html
> for more info.
> 
> Basically, as far as I'm concerned, bzr-svn should be behaving like a
> normal svn client in this regard.
I think bzr-svn should be acting as a normal /bzr/ client. It would be
very confusing if accessing two repositories over http using bzr had
different behaviour in terms of password caching. 

> > Personally, I would prefer for Bazaar to support e.g. gnome-keyring to
> > handle caching of credentials.
> I don't think Windows has anything like that, does it?
Then we should look at alternatives. I think Bazaar should behave
consistently when caching credentials - independent of what the format
is of the repository at the other end. Accessing two different
repositories over http:// should not result in the password being cached
in ~/.subversion in one case and not being cached in the other.

Cheers,

Jelmer
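
The plain-text storage concern raised in this thread can be checked on a given machine. The following is an added example, not part of the original message and not bzr-svn or Subversion code: a small auditor that reports how each cached Subversion credential is stored without ever returning the password. The on-disk layout it assumes (entries under `auth/svn.simple`, in Subversion's `K <len>` / `V <len>` hash-dump format, with a `passtype` field) is not described in the thread, and the sample entries are constructed.

```python
import io
from pathlib import Path

PLAINTEXT_PASSTYPES = {"simple"}  # password bytes stored in the file itself

def parse_svn_hash(data):
    """Parse Subversion's hash dump: 'K <len>', key, 'V <len>', value, ..., 'END'."""
    stream, entries = io.BytesIO(data), {}
    while True:
        header = stream.readline().strip()
        if header in (b"END", b""):          # terminator or end of file
            return entries
        fields = []
        for tag in (b"K", b"V"):
            got, _, length = header.partition(b" ")
            if got != tag or not length.isdigit():
                raise ValueError("malformed record header: %r" % header)
            fields.append(stream.read(int(length)).decode("utf-8", "replace"))
            stream.readline()                # newline that follows the payload
            if tag == b"K":
                header = stream.readline().strip()
        entries[fields[0]] = fields[1]

def audit_entry(data):
    """Summarise one cache entry; the password value is never returned."""
    entry = parse_svn_hash(data)
    passtype = entry.get("passtype", "")
    return {"realm": entry.get("svn:realmstring", ""),
            "username": entry.get("username", ""),
            "passtype": passtype,
            "plaintext": "password" in entry and passtype in PLAINTEXT_PASSTYPES}

def audit_cache(config_dir):
    """Audit every entry under <config_dir>/auth/svn.simple (assumed layout)."""
    simple = Path(config_dir) / "auth" / "svn.simple"
    if not simple.is_dir():
        return []
    return [audit_entry(p.read_bytes()) for p in sorted(simple.iterdir()) if p.is_file()]

def _record(key, value):  # builds the constructed sample data below
    return b"K %d\n%s\nV %d\n%s\n" % (len(key), key, len(value), value)

# Constructed sample entries (no real credentials).
SAMPLE_PLAIN = (_record(b"passtype", b"simple") + _record(b"password", b"not-a-real-secret")
                + _record(b"svn:realmstring", b"<https://svn.example.org:443> Example")
                + _record(b"username", b"alice") + b"END\n")
SAMPLE_KEYRING = _record(b"passtype", b"gnome-keyring") + _record(b"username", b"alice") + b"END\n"

if __name__ == "__main__":
    for row in audit_cache(Path.home() / ".subversion"):
        print("PLAINTEXT" if row["plaintext"] else "ok", row["passtype"], row["realm"])
```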