
Re: Fwd: 1.2 features: svn ls

From: Molle Bestefich <molle.bestefich_at_gmail.com>
Date: 2005-03-09 16:04:06 CET

Marcus Rueckert wrote:
> Molle Bestefich wrote:
>> Marcus Rueckert wrote:
>>> or maybe some svn hosting service like wush.net?
>>> just because i have my repos there i don't need to know about their other
>>> customers.
>>
>> Again, hiding stuff from particular users or groups is a common part
>> of many (most?) filesystem security mechanisms. I believe that if
>> wush.net offers svn hosting, they should have an authentication system
>> in place, and not rely on the idea that people probably won't be able
>> to guess what the other repositories they host are named.
>
> again. if you use apache, as you said you use this, there is no
> filesystem security. as all repositories need to be accessible by the
> apache user.

Well, then, that pretty much kills the idea of anyone offering SVN
hosting at all, doesn't it.

It's hard to believe that this is impossible with SVN, but if you say so..

> but if you just want an index of available repositories...
> how about a static file?

That's not a solution. It would require me to update the text file by
hand and it would require the Subversion users to ask me wherever it
is that this text file is located that lists the available
repositories (or not, depending on whether I've kept it up to date or
if anyone's created a repo that I didn't notice).

It would in most cases make it even more complex than the process
involving someone asking for a particular URL for a repository they
need.

> i doubt you create and drop repositories
> so regularly that it would be a mess to keep that list up2date.

That's off the topic, since it implies that you pull out another
client (the web browser or a network filesystem) to accomplish the
task.

> this is not a feature which should go into the svn client.

It most definitely is!
I personally regard this as *the* big-black-missing-feature-hole in
Subversion 1.1.3! :-)

>> Besides, if you base your security on the notion that others can't
>> guess the name of your repository, you're also kind of lending
>> yourself to brute-force guessing, are you not?
>
> right. brute-force, guessing, social engineering is always possible.
> but you don't have to expose yourself that easy.

I don't think I understand your point..
"Hacking something can always be done, so let's not implement even the
simplest of security (based on the authentication system we already
have in place)", or?..

Received on Wed Mar 9 16:05:20 2005

This is an archived mail posted to the Subversion Dev mailing list.
