Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to firstname.lastname@example.org.
Arthur Barrett wrote: > Even if there is a global option (--use-cvspass ?) to allow it? We have a global option.. it's called the login command! If you don't issue it it doesn't store passwords (there is also the corner case of passwords in scripts, which some do rely on) The problem is you break every single UI out there if you change something so fundamental. > The two most 'controversial' ideas I've had of late are disabling > :local: and disabling .cvspass, and they both fall into the same > category - they are fine for people who know what they are doing - but > people who do not come to poor conclusions - eg: that acls don't work > (since :local: is always admin) or that passwords are insecure. How far > do we go to protect people from themselves? :local: is not always admin, but they are always the same as the logged in user (ie. you can't change username). What it does do is bypass repository registration by using absolute paths instead of aliases - fixed in evs (so local behaves exactly like all other protocols now). Passwords are more insecure than no stored passwords, but not totally so. :pserver: sends them in plaintext so that increases the insecurity. I've personally never had issues with people storing ssh passwords locally for example. On Unix we could check/set the permissions of the cvspass file better (should be rw to owner only and enforced as such) but it's no less secure than ssh+certificates given that caveat. The threat model is based on the idea that the client is secure but bad guys can sniff the link. If you define a threat model where the client is compromised we have to design a whole new system of login. cvsagent goes some way to handle it but doesn't really address that scenario directly (but even that needs timeouts to be truly useful - it should ditch the stored password after 5 minutes or so to avoid the 'hacked during lunch break' scenario). > The question is - how much do we inconvenience the experienced people > for the sake of the new users/people who jump to (incorrect) > conclusions? > We need to push people more towards sspi and ssh, and make pserver a last resort option somehow - but I haven't thought of a way that'll do that without creating huge amounts of support requests. It's also possible there's a case to disable support for non-system users. This would eliminate the CVSROOT/passwd file which is a source of some confusion. And make ACLMODE=Normal the default sometime (which IMO is why people get the idea that ACLs don't work, because by default they work in an opposite fashion to system ACLs). Whether this belongs in a stable tree though is debatable. Tony