On Mon, 12 Feb 2007, John Peacock wrote:
> Blair Zajac wrote:
> > With mod_dav_svn, I guess we can get the client version string and use
> > that? Would the easy way be to reject commits at the Apache level and
> > parse the client's name?
> >
> > But what about file:/// or svn:// access?
>
> file:/// access is, pretty much by default, not something that you
> would want to allow any sort of public access. svn:// is only
> slightly better, from a security standpoint. I don't think it is
> *too* much of a loss if we only provided a way to block back-rev'd
> client access under Apache.

Please don't conflate svn:// with svn+tunnel://. They have very
different security properties. As a user who strongly prefers
svn+ssh:// access (partly for ease of setup on the server side, and
partly because of the good security properties), I find this idea of
treating non-Apache access as a second-class citizen very disconcerting.

--apb (Alan Barrett)
Received on Tue Feb 13 13:17:13 2007