On Wed, 2005-12-07 at 19:14 +0100, Hadmut Danisch wrote:
> I think so. But as a person who mainly works in the field of security
> for about 15 years, I do not yet see why such transformations should
> directly imply security problems. Of course, poorly implemented
> scripts could, but that's not an argument. If an attacker has access
> to the repository, he could also modify source code and wait until
> someone checks out, compiles, and runs it.

Are you arguing on this basis that the server should be able to tell the
client to run arbitrary code? That's not acceptable. People use
Subversion to version things other than source code, and by running "svn
co" they aren't consenting to give the server full access to their
client machines.
Received on Wed Dec 7 19:24:03 2005