[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Running svnsync from post-commit hook

From: Joshua Oreman <oremanj_at_gmail.com>
Date: 2007-08-27 19:01:51 CEST

On 27 Aug 2007 17:52:28 +0100, Marc Girod <mgirod@iona.com> wrote:
> Hello Joshua,
>
> Thanks for your suggestion...
> [ . . . ]
> There's the trust level issue--no, indeed, I cannot give such an
> access to everybody, and it doesn't only depend on me-- but I thought
> even more of the manageability issue: there are many committers, over
> different continents, with whom synchronization is not easy.

Sorry if I wasn't clear on that - I meant you need to give them access
from their account on the svn server to the replication machine.

> Now, your setup suggestion may alleviate that...
>
> > If you do trust them with that, the easiest way is probably to make
> > a wholly new keypair, and store it in the repository somewhere:
>
> > $ ssh-keygen -t rsa -f /your/repository/conf/id_rsa.mirror
> > Add /your/repository/conf/id_rsa.mirror.pub to
> > stengers:/home/vobadm/.ssh/authorized_keys, and add the following to
> > each committer's ~/.subversion/config:
> >
> > [tunnels]
> > sync = ssh -i /your/repository/conf/id_rsa.mirror
> >
> > Then use 'svn+sync://vobadm@stengers' instead of 'svn+ssh://vobadm@stengers'.
>
> Very interesting.

Just thought of something you could use to make this more secure, too:
add a command= field to the line in authorized_keys, so the user can
only run svnserve -t. There's documentation about how to do that in
the svn book.

> > But a better solution might be to switch to using svnserve or Apache.
>
> Sorry?
> We are supporting http as well as ssh, with an apache server.
>
> How can this help us?
> Idem, I didn't consider svnserve... Not mentioned in the page about
> replication either.

There are four access methods to a Subversion repository. file://
won't work for your case, because the developers aren't all on the
same machine. svn+ssh:// (tunneled svnserve) is what you're using
now. It's also possible to set up subversion to go through http:// or
https:// (which involves configuring Apache appropriately) or to use
the custom svn:// protocol, which involves running an svnserve process
as daemon on your repository server. Documentation about the
specifics of all of these is in the svn book.

Since you already have significant infrastructure set up, an access
method switch might not be the best idea - each user would have to run
svn switch --relocate whatever://repo.server/new/path in all their
working copies.

-- Josh

>
> Still puzzled...
> Marc
>
> ----------------------------
> IONA Technologies PLC (registered in Ireland)
> Registered Number: 171387
> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Aug 27 18:59:21 2007

This is an archived mail posted to the Subversion Users mailing list.