[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Is subversion SOX (sarbanes-oxley) compliant?

From: David Weintraub <qazwart_at_gmail.com>
Date: 2005-09-08 18:04:41 CEST

I went through almost all of those issues, and they seem to be either a
product that can integrate with Subversion (like Fedora) or a vurnerability
that has already been fixed in Subversion.

It also appears that Apache may be more secure than svnserve since the
exploits that were in Subverison itself were from svnserve and not Apache.

It appears, like in most OpenSource software, when a vunerability is found,
it is quickly patched. None of these vunerabilities affect Subversion
1.12or higher. Subversion should be fairly secure. Is it bullet proof?
not, but when a vunerability is found, if history is any guide, it will be
quickly patched.

You might want to run Apache instead of svnserve if you feel that will make
your archives more secure. Maybe using https instead of plain http. Even ssh
w/ svnserve should be pretty secure.

As others pointed oux, SOX compliance has to do with processes, but it looks
like those processes can be built around Subversion.

On 9/7/05, Joshua.White@hartfordlife.com <Joshua.White@hartfordlife.com>
> All,
> I am trying to put together a case to use subversion instead of PVCS at my
> company (If you could point me to any resources on this, I would appreciate
> it!) I have been receiving a lot of push back about subversion having
> security vulnerabilities. See the following:
> http://secunia.com/ (http://secunia.com/search/?search=SVN)
> or
> http://www.cve.mitre.org/ (
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SVN)
> As you can expect, managers want our SCM to be SOX compliant. PVCS claims
> to be SOX compliant. Is subversion SOX compliant?
> Regards,
> Joshua
> *************************************************************************
> PRIVILEGED AND CONFIDENTIAL: This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information. If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution is
> strictly prohibited. If you are not the intended recipient, please notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> *************************************************************************
> --------------------------------------------------------------------- To
> unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org For
> additional commands, e-mail: users-help@subversion.tigris.org

David Weintraub
Received on Thu Sep 8 18:07:36 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.