
Re: merge tracking: rejecting commits from svn clients < 1.5

From: Alan Barrett <apb_at_cequrux.com>
Date: 2007-02-13 13:12:24 CET

On Mon, 12 Feb 2007, John Peacock wrote:
> Blair Zajac wrote:
> > With mod_dav_svn, I guess we can get the client version string and use
> > that? Would the easy way be to reject commits at the Apache level and
> > parse the client's name?
> >
> > But what about file:/// or svn:// access?
>
> file:/// access is, pretty much by default, not something that you
> would want to allow any sort of public access. svn:// is only
> slightly better, from a security standpoint. I don't think it is
> *too* much of a loss if we only provided a way to block back-rev'd
> client access under Apache.

Please don't conflate svn:// with svn+tunnel://. They have very
different security properties. As a user who strongly prefers
svn+ssh:// access (partly for ease of setup on the server side, and
partly because of the good security properties), I find this idea of
treating non-Apache access as a second-class citizen very disconcerting.

--apb (Alan Barrett)

Received on Tue Feb 13 13:17:13 2007

This is an archived mail posted to the Subversion Dev mailing list.