[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve-only + ViewCVS HOWTO

From: Keith Smith <keith_at_pharos.co.nz>
Date: 2004-07-21 05:39:14 CEST

Eric Gillespie <epg@pretzelnet.org> writes:
> > * I don't access the repository via SSH, so the configuration
> > required for this access method is not described.
>
> You have no host verification at all, leaving you vulnerable to
> spoofing and man in the middle attacks.

Absolutely. With reference to this and the other security issues that
you raised, what I don't say is that my approach is not fit for serving
SVN over the public Internet. It's more of a quick n' dirty bootstrap
for serving over a nominally 'secure' network. It needs to be locked
down for production use.

> > * Permissions are less restrictive than they could be in some
> > places. In my experience, those that know the difference know
> > how to rectify matters.
>
> In my experience, people follow instructions as blindly as they
> can possibly get away with.

I concur, s/people/most people/. Case in point, yourself as
demonstrated by this email.

> Other than that :), it's a nice document. Document these issues
> and i think you'll have something valuable.

Maybe a little further down the line. As I said, with the current
massive flux of development, I expect that the documented approach will
quickly become out of date.

Thanks for the feedback.

Keith

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 21 05:39:34 2004

This is an archived mail posted to the Subversion Users mailing list.