
working copy is web-accessible, .svn/auth/* retrievable

From: Alexis Huxley <ahuxley_at_gmx.net>
Date: 2003-01-07 17:16:15 CET

Hi

A Subversion and/or Apache problem:

I've got my homepage stored in Subversion; that is, I run:

        svn co http://blah.blah/svn/homepage ~/public_html

For various reasons I don't want to 'make install' my homepage to
~/public_html from somewhere else, and of course I don't want to
remove the .svn's either.

The problem is that I can retrieve .svn/auth/{username,password}
through a web browser so anybody could get my password. (Don't bother
trying now ;-) they're not there.)

I can see that this isn't strictly a purely Subversion question,
but I trawled the apache docs looking for how to use .htaccess to
control access to subdirectories of a directory rather than the
directory itself, but no luck.

I'm wondering what my options are.

I could do a 'make install' but this is going to be a real pain for
developing new pages.

I could run a 'find . -name .svn | xargs chmod', but this is too much
like an install-time step that I might forget.

I could put a <Document> entry in httpd.conf to limit access to this,
but I'd much prefer to do it not site-wide, but specifically encode
the solution close to the problem.

I could do 'store-password = no', but then I'll be asked for a password
when I commit.

Feel free to tell me that I *have* to use one of the above solutions,
but, ...

... the perfect solution for me would be to say in the top-level .htaccess
file "Deny access to all .svn directories anywhere under here"; the
file would then be part of the archived hierarchy, and not something
possible to forget, and has no associated install-time steps,
but I don't think that is possible. (I tried <Directory> in .htaccess
and it complained.)

Can anybody suggest any other options? Thanks!

Alexis

Received on Tue Jan 7 17:17:07 2003
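
Added example, not part of the original post: a shell audit for the "find . -name .svn | xargs chmod" option the message mentions, written so it can be rerun as a check instead of remembered as an install step. It assumes the web server runs as a user that is neither the owner of the working copy nor in its group; the function names and the go-rwx mode are choices made for this example.

```shell
#!/bin/sh
# Added example: audit a web document root for .svn directories that
# a different user (such as the httpd user) could read or traverse.
# Assumption: httpd is not the owner of the working copy and is not
# in its group, so "other" permission bits decide what it can serve.

# list_exposed_svn DOCROOT
# Print every .svn directory under DOCROOT that grants read or search
# permission to "other". -prune keeps find out of the metadata itself.
list_exposed_svn() {
    find "$1" -type d -name .svn -prune \
        \( -perm -004 -o -perm -001 \) -print
}

# lock_down_svn DOCROOT
# Remove group and other access from every .svn tree under DOCROOT.
# The owner keeps full access, so svn commands still work.
lock_down_svn() {
    find "$1" -type d -name .svn -prune -exec chmod -R go-rwx {} +
}

# audit_docroot DOCROOT
# Return 0 when no .svn directory is reachable by "other", otherwise
# list the offenders on stderr and return 1 (usable from cron or a
# post-checkout wrapper).
audit_docroot() {
    exposed=$(list_exposed_svn "$1")
    [ -z "$exposed" ] && return 0
    printf 'other-accessible .svn directories:\n%s\n' "$exposed" >&2
    return 1
}

# Typical use (path is a placeholder):
#   audit_docroot "$HOME/public_html" || lock_down_svn "$HOME/public_html"
```

Directories created by a later 'svn update' get the default mode again, so the audit has to be rerun after updates.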

This is an archived mail posted to the Subversion Dev mailing list.