[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Changeset Signing

From: Branko ─îibej <brane_at_wandisco.com>
Date: Mon, 08 Jun 2015 10:11:20 +0200

On 08.06.2015 04:19, Ruchir Arya wrote:
> Hello everybody,
> I am new to SVN development. I have a question. Why is there no
> implementation of changeset signing in subversion? Suppose if the
> root/admin (who maintains repository) is not trustworthy,

If your server administrator is not trustworthy, then no amount of
signing is going to help. Anyone with direct access to the repository
storage (which a server admin will have) can modify revision contents
even if they're signed; no cryptographic signature is proof against attack.

> then there is a problem. Is there any future possibility to implement
> digital signing of changeset to achieve integrity and non repudiation?
> My focus is to implement some of the security related features in svn.

Subversion's repository backend already goes a good way towards ensuring
integrity: the client provides cryptographic hashes of all committed
data and the server checks them before committing, and the reverse
happens during checkout/update. The server also stores hashes for
certain metadata (although not all; there's room for improvement here).

Non-repudiation is a lot harder to achieve because it's not enough to
control the server, you also have to prove that every client making
commits is free from malicious software that could be inserting
backdoors at the source of the commit.

-- Brane
Received on 2015-06-08 10:11:28 CEST

This is an archived mail posted to the Subversion Dev mailing list.