
Re: Integrity checking for FSFS repositories.. tripwire, etc.?

From: Jonathan Abbey <jonabbey_at_arlut.utexas.edu>
Date: 2005-04-06 22:25:39 CEST

On Tue, Apr 05, 2005 at 01:11:10PM -0700, Tom Mornini wrote:
| On Apr 5, 2005, at 8:15 AM, Jonathan Abbey wrote:
| >I'm pretty confident that we're not going to lose anything, but my
| >boss is concerned that someone could penetrate the server and modify
| >our source code without our noticing, and I don't know how hard or
| >easy that would be to do.
| I'm pretty sure that Subversion would immediately notice a checksum
| mismatch in this situation.
| Which assumes, of course, that the modifier doesn't update the
| checksum...

Right. If an attacker were sufficiently l33t, he could do anything he
liked on the system. I imagine you could reasonably guarantee
integrity by having the SVN client digitally sign commits using a
PGP-like mechanism, with periodic verification of the repository that
checks those signatures.

Another possibility would be to allow a public-facing Subversion
server that can take check-ins, but force checkins to get from there
to the internal master repository by going through a post-commit hook
that sends the commit through e-mail, both to a script that processes
the commits from the external server and to a list of users who
oversee the checkins.

That way, it'd be impossible to get a checkin to the internal server
without either penetrating beyond the DMZ into the internal server or
having the rogue checkin at least potentially be seen by humans
watching the commit mail.

Of course, care would need to be taken in the implementation to make
sure that it wasn't possible to send mail to the internal server for
incorporation while bypassing the notification list.

I wonder how Collabnet handles these sorts of integrity validation


| - --
| - -- Tom Mornini

Jonathan Abbey 				              jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg

Received on Thu Apr 7 00:01:04 2005
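The signed-commit scheme sketched above, as an added, stand-alone example (not code from this mail, and not anything Subversion or CollabNet actually shipped). It models a repository as an in-memory list of revisions: the committing client hashes the change in a canonical order and signs the digest with an Ed25519 key, the server stores both the checksum and the signature, and a periodic verifier recomputes every digest, compares it with the stored checksum, and then checks the signature against a table of trusted committer keys. The two tamper functions reproduce the point Tom raised: editing a file alone trips the checksum, while editing the file and rewriting the checksum passes the server's own check and is caught only by the signature. The Revision layout, the digest format, the committer names and file contents are all made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Revision is a hypothetical in-memory model of one commit, not FSFS's
// on-disk layout: files as committed, the checksum the server stores, and
// the signature the committing client made over the canonical digest.
type Revision struct {
	Number    int
	Author    string
	Files     map[string][]byte // path -> full content after this commit
	Checksum  string            // hex SHA-256 stored by the server
	Signature []byte            // Ed25519 signature over the digest, made by the client
}

// Problem is one finding from a verification pass.
type Problem struct {
	Rev    int
	Reason string
}

// revDigest serialises a revision in a fixed order (number, author, the
// previous revision's stored checksum, then paths sorted) so the client and
// the verifier hash identical bytes. Chaining prev means a rewritten
// revision also invalidates the signature on the one after it.
func revDigest(r *Revision, prev string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "rev:%d\nauthor:%s\nprev:%s\n", r.Number, r.Author, prev)
	paths := make([]string, 0, len(r.Files))
	for p := range r.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Fprintf(h, "path:%s\nlen:%d\n", p, len(r.Files[p]))
		h.Write(r.Files[p])
	}
	return h.Sum(nil)
}

// Commit is the client side: compute the digest, sign it with the
// committer's private key, and give the server both checksum and signature.
func Commit(repo []*Revision, priv ed25519.PrivateKey, author string, files map[string][]byte) []*Revision {
	prev := ""
	if n := len(repo); n > 0 {
		prev = repo[n-1].Checksum
	}
	r := &Revision{Number: len(repo) + 1, Author: author, Files: files}
	d := revDigest(r, prev)
	r.Checksum = hex.EncodeToString(d)
	r.Signature = ed25519.Sign(priv, d)
	return append(repo, r)
}

// Verify is the periodic check. The checksum comparison is what a plain
// server-side checksum catches; the signature check is what catches an
// intruder who rewrote the checksum too, because he has no committer key.
func Verify(repo []*Revision, trusted map[string]ed25519.PublicKey) []Problem {
	var out []Problem
	prev := ""
	for _, r := range repo {
		d := revDigest(r, prev)
		if hex.EncodeToString(d) != r.Checksum {
			out = append(out, Problem{r.Number, "stored checksum does not match content"})
		}
		if pub, ok := trusted[r.Author]; !ok {
			out = append(out, Problem{r.Number, "no trusted key for author " + r.Author})
		} else if !ed25519.Verify(pub, d, r.Signature) {
			out = append(out, Problem{r.Number, "client signature does not verify"})
		}
		prev = r.Checksum
	}
	return out
}

// BuildRepo constructs sample data: two committers with fixed test seeds
// (never do this outside an example) and three signed revisions.
func BuildRepo() ([]*Revision, map[string]ed25519.PublicKey) {
	seedA, seedB := make([]byte, ed25519.SeedSize), make([]byte, ed25519.SeedSize)
	seedA[0], seedB[0] = 1, 2
	alice, bob := ed25519.NewKeyFromSeed(seedA), ed25519.NewKeyFromSeed(seedB)
	trusted := map[string]ed25519.PublicKey{
		"alice": alice.Public().(ed25519.PublicKey),
		"bob":   bob.Public().(ed25519.PublicKey),
	}
	var repo []*Revision
	repo = Commit(repo, alice, "alice", map[string][]byte{"src/auth.c": []byte("int check(){return 0;}\n")})
	repo = Commit(repo, bob, "bob", map[string][]byte{"src/auth.c": []byte("int check(){return 0;}\n"), "README": []byte("hi\n")})
	repo = Commit(repo, alice, "alice", map[string][]byte{"src/auth.c": []byte("int check(){return 1;}\n"), "README": []byte("hi\n")})
	return repo, trusted
}

// TamperContentOnly edits a file in r1 and leaves the stored checksum alone.
func TamperContentOnly(repo []*Revision) {
	repo[0].Files["src/auth.c"] = []byte("int check(){return 0;} /* backdoor */\n")
}

// TamperAndRecomputeChecksum is Tom's case: the intruder also rewrites the
// checksum so the server's own consistency check passes.
func TamperAndRecomputeChecksum(repo []*Revision) {
	TamperContentOnly(repo)
	repo[0].Checksum = hex.EncodeToString(revDigest(repo[0], ""))
}

func main() {
	repo, trusted := BuildRepo()
	fmt.Println("clean:", Verify(repo, trusted))
	TamperContentOnly(repo)
	fmt.Println("file edited:", Verify(repo, trusted))
	repo, trusted = BuildRepo()
	TamperAndRecomputeChecksum(repo)
	fmt.Println("file edited, checksum rewritten:", Verify(repo, trusted))
}
```

With the checksum rewritten, r1 passes the checksum comparison but fails the signature check, and because r2's digest includes r1's stored checksum, r2 fails both checks as well; the intruder would have to re-sign r1 and r2 with alice's and bob's keys to make the repository look clean again, which is exactly what keeping the signing keys on the clients rather than the server prevents. The verifier's key table is the trust root here, so it has to live somewhere the repository server cannot rewrite, otherwise the same intruder just adds his own key to it.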

This is an archived mail posted to the Subversion Users mailing list.
