s...@apache.org wrote on Tue, Jul 26, 2011 at 12:11:06 -0000: > Author: stsp > Date: Tue Jul 26 12:11:05 2011 > New Revision: 1151069 > > URL: http://svn.apache.org/viewvc?rev=1151069&view=rev > Log: > * subversion/libsvn_subr/gpg_agent.c: Add a comment that explains how this > auth cache provider operates, including security considerations. > > Modified: > subversion/trunk/subversion/libsvn_subr/gpg_agent.c > > Modified: subversion/trunk/subversion/libsvn_subr/gpg_agent.c > URL: > http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?rev=1151069&r1=1151068&r2=1151069&view=diff > ============================================================================== > --- subversion/trunk/subversion/libsvn_subr/gpg_agent.c (original) > +++ subversion/trunk/subversion/libsvn_subr/gpg_agent.c Tue Jul 26 12:11:05 > 2011 > @@ -23,6 +23,36 @@ > > /* ==================================================================== */ > > +[four paragraphs of documentation comment]
Looks good :) > + * Therefore, while the gpg-agent is running and has the password cached, > + * this provider is no more secure than a file storing the password in > + * plaintext. Should the gpg-agent provider implement a "plaintext prompt" password that explains this and asks the user's permission to do so?
