[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion security design

From: Ben Collins-Sussman <sussman_at_newton.collab.net>
Date: 2000-06-23 19:46:02 CEST

"Brent J. Nordquist" <bjn@visi.com> writes:

> - Authentication (PAM hopefully?)
> - Security of the client-server protocol (encryption?)
> - Security of the server ("best practices", e.g., not requiring root)

One of Subversion's goals is to write an extremely modular system;
we're trying to create well-defined interfaces so people can extend
the system at any number of levels.

This is the reason the design document's mention of security may seem
vague to you: we're deliberately *not* discussing any particular
authentication or authorization mechanism. Authentication and
encryption? Those issues are the network layer's business; after
authenticating (possibly over a secure channel), it simply needs to
pass the server library a filled-in `svn_user_t' structure.
Authorization? That's a server-side plugin. Folks can implement any
ACL system they wish, provided they conform to our interface.

For the initial release of Subversion, you won't find anything
super-fancy; it will be something that works well for most people.
The `network layer' will be Apache, which is a good choice simply
because it *already* has numerous means of using secure protocols,
authenticating users, and has already been subjected to "best security
practices" exams. (And it's quite extensible, too.)

The point is: release something that works, but is designed to be
easily hackable. Outside folks can then come along and implement
{ssh, ssl, kerberos, pam, SQL, <insert security buzzword here>, ...}
as new features at different levels. :)
Received on Sat Oct 21 14:36:05 2006

This is an archived mail posted to the Subversion Dev mailing list.