[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn commit: r40009 - branches/1.6.x

From: Mark Phippard <markphip_at_gmail.com>
Date: Wed, 14 Oct 2009 12:56:53 -0400

On Wed, Oct 14, 2009 at 12:48 PM, Greg Stein <gstein_at_gmail.com> wrote:
> On Wed, Oct 14, 2009 at 09:32, Mark Phippard <markphip_at_gmail.com> wrote:
>> Some would also call it a security fix.
>
> Anybody that calls this a "security fix" needs to permanently removed
> from handling the security of their server.

There are plenty of users that have to pass security audits that
considers any server application that advertises its version as at
least violating a best practice. In this case, the US Government is
asking for this as part of deploying Subversion on government servers.

I have no interest in debating the merits of this. Apache httpd
obviously considered it valid when they added a directive to turn this
off. If a server admin is using this directive, it seems reasonable
for Subversion to not overtly advertise its version number.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407644
Received on 2009-10-14 18:57:07 CEST

This is an archived mail posted to the Subversion Dev mailing list.