[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion security needs to improve.

From: <kfogel_at_collab.net>
Date: 2004-10-22 15:15:10 CEST

"Alex Holst" <a@mongers.org> writes:
> > Yes, that would be nice, yet no one has volunteered to do it, because
> > they find other things to be higher priority.
>
> This conflicts with the essence of a point Ben Reser made, doesn't it?
> He spends time looking for security problems and goes so far as to say
> the effort made toward avoiding corruption bugs also go towards avoiding
> security problems.

No, not at all.

I was talking about security audits. Ben Reser was talking about
reviewing code commits with (among other things), security in mind.
Many people review commits -- you can too, if you want. I review
every single C code commit, and security implications are one of the
things I'm looking at.

Commit-by-commit review is not the same thing as a security audit.

> I'll try to be more specific. As mentioned on IRC, in my experience
> people seem to be more willing to follow along with an idea if they can
> see the overall point, instead of suddenly implementing a security
> counter-measure for no real reason. svn seems to be the exception to
> this rule :)

Huh?

This doesn't really make sense. Anyone, on being given a specific
recommendation for how to avoid certain kinds of security bugs, would
be happy to follow the recommendation, assuming its not too onerous.
The "overall point" of doing so would be obvious. Who would look at a
"security counter-measure" and think it's done "for no real reason"?

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Oct 22 17:06:40 2004

This is an archived mail posted to the Subversion Dev mailing list.