
Re: using svn:// protocol for sensitive data

From: Jason Winnebeck <jpwasp_at_rit.edu>
Date: 2007-07-09 22:39:28 CEST

Jon Rue wrote:
> I am in the process of setting up a subversion repository for
> managing sensitive data (budgets, salaries, etc.) for my department's
> administrative staff. They are dispersed all over the university and our
> department doesn't have any central resources to host the data so I am
> using the university's main web server farm to host the repository. I
> was planning on using the svn:// protocol to access the repository since
> it might be next to impossible to get the university admins to alter the
> apache configuration and none of the users have local accounts on the
> servers so svn+ssh:// wouldn't work.
>
> Does anyone think it is a bad idea to use just the svn:// protocol for
> managing access to sensitive data? Anon access will be disabled and I am
> setting up password files and access rules using the authz mechanism.
> Our servers are running version 1.3.2 of subversion. Getting that
> updated to a more recent version might be a tall order as well.

I would presume that any data sent over "svn://" can be sniffed, but sending
only deltas could make it somewhat non-trivial. I would take your security
assessment from that standpoint. The data could be eavesdropped over http and
svn protocols but not https and svn+ssh. Of course, I think when using
standard Windows file shares (SMB), that is not encrypted either, so if your
alternative to SVN is to e-mail or have a shared folder of Excel files, then
svn would probably not be less secure.

Jason Winnebeck

Received on Mon Jul 9 22:39:31 2007
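
The setup discussed in this thread (anonymous access disabled, a password file, authz rules, plain svn:// transport) can be checked mechanically. The following is an added example, not part of the original mail or of Subversion itself: the function name `audit_svnserve_conf` and the sample configuration are constructed for illustration, and the `[sasl]` check assumes Subversion 1.5 or later, which the 1.3.2 server in the question predates.

```python
import configparser

# Constructed sample: the setup described in the question (anonymous access
# off, password file, authz rules) as it would look in conf/svnserve.conf.
SAMPLE_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = Department Admin Data
"""

def audit_svnserve_conf(text):
    """Return a list of findings for an svnserve.conf given as a string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    general = cp["general"] if cp.has_section("general") else {}
    findings = []

    # svnserve defaults to anon-access = read when the key is absent.
    if general.get("anon-access", "read").strip().lower() != "none":
        findings.append("anon-access is not 'none': unauthenticated users can read")
    if not general.get("password-db", "").strip():
        findings.append("no password-db: no built-in user accounts defined")
    if not general.get("authz-db", "").strip():
        findings.append("no authz-db: no per-path access rules")

    # Transport: plain svn:// carries file contents and deltas unencrypted.
    # The [sasl] section exists only in Subversion 1.5 and later; there,
    # min-encryption 0 = none, 1 = integrity only, >1 = encryption key bits.
    sasl = cp["sasl"] if cp.has_section("sasl") else {}
    use_sasl = sasl.get("use-sasl", "false").strip().lower() == "true"
    try:
        min_bits = int(sasl.get("min-encryption", "0"))
    except ValueError:
        min_bits = 0
    if not (use_sasl and min_bits > 1):
        findings.append("svn:// traffic is not encrypted: use svn+ssh:// or https://")
    return findings

if __name__ == "__main__":
    for finding in audit_svnserve_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

On the sample, the access-control checks pass and the only finding is the unencrypted transport, which is the point raised in the reply above.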

This is an archived mail posted to the Subversion Users mailing list.
