Re: bad access methods (was: 100% repeatable repo wedging)

From: <terry_at_eatoni.com>
Date: 2004-03-04 22:09:26 CET

>>>>> "Brian" == Brian Mathis <bmathis@directedge.com> writes:

Brian> This brings me to the question of why are you using svn+ssh?
Brian> Out of the 4 access methods you have to choose from, you've
Brian> chosen (IMO), the 3rd most desirable one. They are, in order
Brian> of desirability:

Brian> 1. http
Brian> 2. svnserve daemon
Brian> 3. svn+ssh
Brian> 4. file

Brian> I can understand people who don't want to go through
Brian> installing/reinstalling apache. Instead of that, you should
Brian> use svnserve as a daemon. It ensures that every access is done
Brian> on the repo using the same user and group. The only time
Brian> svn+ssh and file should be used is if the repo is for a single
Brian> user project.

One reason (this is the reason I am using svn+ssh) is to minimize the
number of processes I have listening to ports on the internet at
large. This reduces risk and also means there's one less thing to
monitor bugtraq for for the latest buffer overflow.

For that reason (and because I get to a repository from outside a
company intranet) I'd rather use ssh and port forwarding to get to the
machine with the repository than just have it sitting naked on the
net. Yes, I could add more firewall rules to ensure that only known
IP ranges can connect to the svn port. I may do that in the future but
right now it's a hassle. Using svn+ssh there's literally nothing to
do and my network's security is no less than it was before.

In the case of source code control, I think people will (or at least
should) tend to be _very_ careful about what they expose to the net.
If I couldn't ssh tunnel one way or another to svnserve, I wouldn't
even consider using it at this point. The major advantage of using
httpd (from my POV) is finer control over read/write access. It
happens that I don't need that, so
building/installing/maintaining/monitoring another httpd plus SSL is
much more of a pain than simply typing svn+ssh at the start of a URL.

Anyway, that's my reason. I am very interested to hear other opinions
one way or another. That section was the very first thing I went to
in the book.

Terry

Received on Thu Mar 4 22:08:20 2004
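
An added example, not part of the archived message: a small check for the concern raised above, namely which processes listen on addresses reachable beyond loopback. It assumes Linux `ss -tlnH` output and svnserve's default port 3690; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are bound to non-loopback addresses.
# Input format: lines as printed by `ss -tlnH` (Linux iproute2), an assumption.

# Constructed sample: sshd on all interfaces, an svnserve bound to loopback
# (reachable only through an SSH tunnel), a loopback-only IPv6 service, and
# a second svnserve listening on every interface.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3690 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:3690 [::]:*'

# Print "address port" for every listener not bound to a loopback address.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        local_addr = $4
        port = local_addr
        sub(/.*:/, "", port)   # keep only the text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr, port
    }'
}

# Exit status 0 if the given port is listening beyond loopback, 1 otherwise.
port_is_exposed() {
    exposed_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Run over the constructed sample; on a live Linux host use:
#   ss -tlnH | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

With svn+ssh as described in the message, only the SSH listener should appear in this output; a line for port 3690 means an svnserve daemon is reachable directly.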

This is an archived mail posted to the Subversion Users mailing list.