Stefan Sperling wrote on Tue, Jul 26, 2011 at 22:26:14 +0200:
> On Tue, Jul 26, 2011 at 08:28:40PM +0300, Daniel Shahaf wrote:
> > Stefan Sperling wrote on Tue, Jul 26, 2011 at 15:33:34 +0200:
> > > The key difference between the plaintext password store and the
> > > gpg-agent store is that the user must already have a running gpg-agent.
> > > The plaintext password store is always used and is not guarded by
> > > any such precondition.
> > >
> >
> > The prompt function can check that the environment variable is defined.
> > (not connect; just getenv() != NULL)
> >
> > > I think that if someone is already running gpg-agent, they are probably
> > > storing their PGP passphrase in it, which IMO is a secret of much higher
> > > value than a Subversion password.
> > >
> >
> > _If_ the PGP passphrase is stored there too, then of course it's more
> > valuable. I'm not sure how likely that is, though --- ie, people who
> > use svn but not gpg, and people who use svn and instruct gpg not to use
> > the agent (does gpg use the agent by default?), wouldn't have any 'more
> > sensitive' secrets in the agent.
>
> Users can always hit "Cancel" in the gpg agent prompt to get out of it.
> They don't have to enter a password at all if they aren't comfortable
> doing so.

Fair enough.