[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Fwd: 1.2 features: svn ls

From: Marcus Rueckert <darix_at_web.de>
Date: 2005-03-09 15:37:28 CET

On 2005-03-09 11:32:41 +0100, Molle Bestefich wrote:
> Marcus Rueckert wrote:
> > or maybe some svn hosting service like wush.net?
> > just because i have my repos there i dont need to know about their other
> > customers.
>
> Again, hiding stuff from particular users or groups is a common part
> of many (most?) filesystem security mechanisms. I believe that if
> wush.net offers svn hosting, they should have a authentication system
> in place, and not rely on the idea that people probably won't be able
> to guess what the other repositories they host are named.

again. if you use apache, as you said you use this, there is no
filesystem security. as all repositories needs to be accessible by the
apache user.

so

if you use SVNParentPath. 1.2 will allow you to index the location. that
is fine for me as it is configurable. but if you just want an index of
available repositories... how about a static file?

see e.g. http://svn.irssi.org/ i doubt you create and drop repositories
so regularly that it would be a mess to keep that list up2date.
another idea would be an php/cgi script which does a readdir() on a
predefined list of all repository directories.

this is not a feature which should go into the svn client.
 
> Besides, if you base your security on the notion that others can't
> guess the name of your repository, you're also kind of lending
> yourself to brute-force guessing, are you not?

right. brute-force, guessnig, social engineering is always possible. but
you dont have to expose yourself that easy.

darix

-- 
irssi - the client of the smart and beautiful people
              http://www.irssi.de/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Mar 9 15:38:39 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.