
RE: Encrypted Repositories. . .?

From: Johnathan Gifford <jgifford_at_wernervas.com>
Date: 2007-06-21 00:02:18 CEST

>
> I won't bother you with the social-engineering attacks, you probably have
> them all figured out anyway. I'm just wondering if there's a simpler,
> stronger solution than trying to roll a "secured SVN".
>

Along these same lines, I have to ask why are you putting your
Subversion repository on a server that is not physically located at the
location where you do development and/or the company you work for can
physically and personally control the security of it?

It would be wiser to have that remote/hosting server use a working copy
of the repository rather than THE repository. Then the remote/hosting
server could connect over the network via https or ssh+svn to your local
network to get updates. You've said yourself, you're trying to keep
someone from stealing the entire repository or destroying it. If they
only get a snapshot of what your repository looked like at a point in
time, did the thieves gain anything and did you lose anything? After
all, in another thread you said that you just don't want to create
everything from scratch again. Which begs the question, what is your
backup methodology for your Subversion repository?

And since you only have a working copy on the remote/hosting server, do
as the others have suggested, encrypt the drive using the OS (Windows
NTFS, Apple's HPFS, etc). If the thieves only steal the drive... they
have to be really good at cracking encryption, otherwise it is
worthless. And more importantly, you can be back up and in business in
a short time because all you have to do is checkout a new working copy.

Remember, make the working copy's account have only read permissions.
And if the server or drive gets stolen, delete the account.

By moving your repository to your physical location in which you or
your company can control the security of it and using the Subversion
client for accessing the latest revisions, you've solved most of your
issues. Personally, I think you're being too paranoid about this. So
unless you're working for a Fortune 500, financial institution or a
government agency, ask yourself, is your code really worth that much to
'Jimmy the script kiddie'? Is your code worth anything to your
competitors if there are any?

Final rhetorical question, who is more worthy of protecting your
assets? The hosting firm or the company you're working for (if not you)?

Johnathan

Received on Thu Jun 21 00:02:49 2007

This is an archived mail posted to the Subversion Users mailing list.
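
The read-only account advice in the message above, as an added example that is not part of the original post: a check over a Subversion path-based authz file that lists every rule giving the working copy's account write access, whether directly, through a group, or through a catch-all. The account name `mirror`, the group names and the sample authz text are constructed for illustration.

```python
import configparser

# Constructed sample authz file; "mirror" is the hypothetical read-only
# account used by the working copy on the hosting server.
SAMPLE_AUTHZ = """
[groups]
devs = alice, bob
deploy = mirror, @devs

[/]
* = r
@devs = rw

[/trunk/site]
@deploy = rw

[/branches]
mirror = r
"""

def groups_of(user, groups):
    """Return every group that contains user, following nested @group members."""
    found, changed = set(), True
    while changed:
        changed = False
        for name, members in groups.items():
            nested = any("@" + g in members for g in found)
            if name not in found and (user in members or nested):
                found.add(name)
                changed = True
    return found

def write_grants(authz_text, user):
    """List (section, principal) rules that give user write access.
    Aliases (&name) and inverted rules (~name) are not evaluated here."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of user and group names
    cp.read_string(authz_text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",")}
                  for g, v in cp["groups"].items()}
    principals = {user, "*", "$authenticated"}
    principals |= {"@" + g for g in groups_of(user, groups)}
    return [(section, who)
            for section in cp.sections() if section not in ("groups", "aliases")
            for who, access in cp[section].items()
            if who in principals and "w" in access]
```

On the sample file the check reports the `@deploy` rule on `/trunk/site`: the `mirror` account was never granted `rw` by name, but its group membership gives it write access anyway.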