
Re: Medium-term roadmap: 1.3, 1.4, 1.5.

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2005-04-25 17:56:34 CEST

On Apr 25, 2005, at 10:27 AM, Joseph Galbraith wrote:

> I don't think it is hard to argue that svnserve has a _lot_
> smaller attack surface than apache.

On the other hand, you can also argue that it's extremely time-tested
and well-known, and thus had years to "harden" its security. It's easy
to find experts in apache security. Something like svnserve, while
having a smaller attack surface, is also relatively new, and thus
represents some sort of "unknown level of security" risk.

> Apache definitely increases
> the initial install investment (more IT time to get it up
> and running) and the maintenance investment (more complex
> configuration to keep up to date; more components that
> need updating.)

Definitely true, but it's not without reward. It gives you access to
bunches of authentication and authorization systems, goes through
firewalls, can benefit from network caches, can interoperate with DAV
clients, and opens a world of CGI repository-browsing software.

Still, it might be too much for some, which is why svnserve is great:
small and simple. We still plan to add more authentication mechanisms
to svnserve, as well as improve its authorization abilities... but
we've been slow to do that, since it essentially means reinventing all
these features that apache has had for years.

We're off-topic now, we now return you to your regularly scheduled
thread. :-)

Received on Mon Apr 25 17:59:38 2005

This is an archived mail posted to the Subversion Dev mailing list.