[svnbook commit] r1476 - in trunk/src/en: . book

sussman svnbook-dev at red-bean.com
Wed Jun 22 10:41:14 CDT 2005


Author: sussman
Date: Wed Jun 22 10:41:12 2005
New Revision: 1476

Modified:
   trunk/src/en/TODO
   trunk/src/en/book/ch06.xml
Log:

* src/en/book/ch06.xml 
  (Client Credentials Caching):  mention that cached passwords are
                                 stored encrypted on Windows.
  (Per-Directory Access Control):  mod_authz_svn groups can contain groups.

* src/en/TODO:  remove line items.





Modified: trunk/src/en/TODO
==============================================================================
--- trunk/src/en/TODO	(original)
+++ trunk/src/en/TODO	Wed Jun 22 10:41:12 2005
@@ -7,9 +7,6 @@
   * ch05: comparison of bdb and fsfs:  make it clear that fsfs is now
     the default, need --fs-type bdb to get bdb.  [MIKE]
 
-  * ch06: client-cred-caching: mention win32 encryption in
-    mod_authz_svn: groups can contain other groups [BEN]
-
   * ch07:  Fixed length keywords  [MIKE]
     The format of fixed length keyword and its data is
       - Unexpanded keyword:         "$keyword::       $"

Modified: trunk/src/en/book/ch06.xml
==============================================================================
--- trunk/src/en/book/ch06.xml	(original)
+++ trunk/src/en/book/ch06.xml	Wed Jun 22 10:41:12 2005
@@ -229,14 +229,43 @@
         authenticate, then the client simply prompts the user for the
         information.</para>
 
-      <para>The security-paranoid people may be thinking to
-        themselves, <quote>Caching passwords on disk?  That's
-        terrible!  You should never do that!</quote>  But please remain
-        calm.  First, the <filename>auth/</filename> caching area is
-        permission-protected so that only the user (owner) can read
-        data from it, not the world at large.  If that's still not
-        safe enough for you, you can disable credential caching.  To
-        disable caching for a single command, pass the
+      <para>Security-conscious people may be thinking to themselves,
+        <quote>Caching passwords on disk?  That's terrible!  You
+        should never do that!</quote> Please remain calm, it's not as
+        dangerous as it sounds.</para>
+
+      <itemizedlist>
+
+        <listitem>
+          <para>The <filename>auth/</filename> caching area is
+            permission-protected so that only the user (owner) can
+            read data from it, not the world at large.  The operating
+            system's own file permissions are protecting the
+            password.</para>
+        </listitem>
+
+        <listitem>
+          <para>On Windows 2000 and later, the Subversion client uses
+            standard Windows cryptography services to encrypt the
+            password on disk.  Because the encryption key is managed
+            by Windows and is tied to the user's own login
+            credentials, only the user can decrypt the cached
+            password.  (Note: if the the user's Windows account
+            password is changed, all of the cached passwords become
+            undecipherable.  The Subversion client will behave as if
+            they don't exist, prompting for passwords when
+            required.)</para>
+        </listitem>
+
+        <listitem>
+          <para>For the truly paranoid willing to sacrifice all
+            convenience, it's possible to disable credential caching
+            altogether.</para>
+        </listitem>
+
+      </itemizedlist>
+
+      <para>To disable caching for a single command, pass the
         <option>--no-auth-cache</option> option:</para>
 
 <screen>
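Review bot: the Windows list item has a doubled word in the added line "password.  (Note: if the the user's Windows account"; it should read "if the user's". In the rewritten opening paragraph, "Please remain calm, it's not as dangerous as it sounds." is a comma splice, which a semicolon or a full stop would fix. The list states encryption only for Windows 2000 and later, so the first item should say explicitly whether file permissions are the only protection for the cached password on other platforms; as written, a reader on another system has to infer it.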
@@ -1903,6 +1932,16 @@
 jane = r 
 </screen>
 
+        <para>Groups can also be defined to contain other
+          groups:</para>
+
+        <screen>
+[groups]
+calc-developers = harry, sally, joe
+paint-developers = frank, sally, jane
+everyone = @calc-developers, @paint-developers
+</screen>
+
         <para>...and that's pretty much all there is to it.</para>
 
       </sect3>
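Review bot: the added example uses "@calc-developers" and "@paint-developers" in the "everyone" line, but the new paragraph does not say that the "@" prefix is what marks a name as a group reference rather than a user. Unless the preceding text already covers that, one sentence after "Groups can also be defined to contain other groups:" would help. The opening screen tag is indented with the paragraph while its closing tag sits at column 0, unlike the neighbouring screen tags in the context lines; aligning the pair would keep the markup consistent. Since sally appears in both member groups, it is also worth stating whether duplicate membership in a nested group has any effect.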


