Re: svnserve-only + ViewCVS HOWTO

From: Keith Smith <keith_at_pharos.co.nz>
Date: 2004-07-21 05:39:14 CEST

Eric Gillespie <epg@pretzelnet.org> writes:
> > * I don't access the repository via SSH, so the configuration
> > required for this access method is not described.
>
> You have no host verification at all, leaving you vulnerable to
> spoofing and man in the middle attacks.

Absolutely. With reference to this and the other security issues that
you raised, what I don't say is that my approach is not fit for serving
SVN over the public Internet. It's more of a quick n' dirty bootstrap
for serving over a nominally 'secure' network. It needs to be locked
down for production use.

> > * Permissions are less restrictive than they could be in some
> > places. In my experience, those that know the difference know
> > how to rectify matters.
>
> In my experience, people follow instructions as blindly as they
> can possibly get away with.

I concur, s/people/most people/. Case in point, yourself as
demonstrated by this email.

> Other than that :), it's a nice document. Document these issues
> and i think you'll have something valuable.

Maybe a little further down the line. As I said, with the current
massive flux of development, I expect that the documented approach will
quickly become out of date.

Thanks for the feedback.

Keith

Received on Wed Jul 21 05:39:34 2004

This is an archived mail posted to the Subversion Users mailing list.