[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Checkout hooks? (summary and script implementation)

From: Ryan Schmidt <subversion-2006Q1_at_ryandesign.com>
Date: 2006-03-28 10:42:09 CEST

On Mar 28, 2006, at 09:35, Adrian Hoe 贺文耀 wrote:

>> So friends, until such new hooks are implemented, I think the only
>> way to get what you want is to serve your repository using Apache
>> and monitor the Subversion access log. Fortunately, since I'm
>> trying to avoid real work at the moment, I wrote you a nifty
>> script which can be used in conjunction with the new Apache access
>> log features in Subversion 1.3.0 to basically create the post-
>> checkout-or-export and post-update hooks out of thin air. The
>> script is written in PHP, because I like it. The server must
>> therefore be running Apache 2.0.x or greater, Subversion 1.3.x or
>> greater, and PHP. (I'm running 5.1.2 but 4.3.x or greater should
>> probably be fine; if not, let me know.) I would like for the
>> script to work on Windows too, but I can't test that; it's tested
>> to work on Mac OS X. Instructions and hook templates are included
>> in the archive.
>> http://www.ryandesign.com/svnhookdispatcher/
> The reason I wish to have a pre/post checkout/update hooks is that,
> people such as project managers and svn administrator can be
> alerted with emails while they are away from their office desks.
> We don't have an Apache setup simply because our security policies
> and we don't want to provide conveniences of source browsing using
> browsers. We sees no reasons to install Apache too because svn+ssh
> is enough to do the job.
> We are able to use the hooks provided to monitor all commits
> (post). The problem is that we are unable to know who checkout
> what. That's a security concern. We would also like to know the ip
> address of the person who checkout the items. We don't know who
> until he/she commits changes.
> I am using 1.2.x and have no plan to migrate to 1.3 at this moment.
> I will certainly migrate immediately if future version has checkout/
> export/update hooks implemented.

So, now you have a reason to install Apache and upgrade to Subversion
1.3: svn+ssh does not provide you with post-checkout-or-export or
post-update hooks; Apache + Subversion 1.3 + my script above does.

I can't speak to your security policies, but if they get in the way
of you doing what you need to do for your business, then you'd best
reexamine those security policies. But I really don't know what kind
of security-related issues you see in an Apache + Subversion server
that are not present in an SSH + Subversion server.

If you don't want people to be able to browse the repository via the
web browser, I'm sure you can do that with a simple Apache directive
like prohibiting all GET requests (since AFAIK real Subversion
clients get all information via PROPFIND and REPORT requests) or by
user agent (allowing only user agents like "SVN/1.3.0 (r17949) neon/
0.25.4" for example). In any case, you're merely taking away a
convenience, not a feature, since a user can still browse the
repository via the command-line client, if perhaps less conveniently.

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Mar 28 10:44:11 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.