Andre-John Mas wrote:
> In many ways my question is more academic at the moment. Having
> just read about how a compromise of a committer's account allowed
> malicious code to be introduced into a project, I feel it could be
> useful to know where the issue came from. I suppose I could
> extend the question to find out whether there is a way to add any
> meta-information with a commit, taking data from an environment
> variable if available.
You're probably talking about SquirrelMail, right? If you read the
details, the *code* repository itself was not poisoned, but rather the
binaries that were being distributed were altered. The original report
that appeared via slashdot was vague on that point.
There is no way currently to inject additional meta-data during a
commit; in fact this is by design. If you were to alter a transaction
during a commit, the data on the server would not be the same as the
data on the client, with predictable problems.
Honestly, client certs are the best way to handle secure access to any
resource, but they are among the hardest authentication/authorization
methods to set up correctly. And this is from someone who wrote a
mod_perl app to authenticate and authorize distributed reporting from
several thousand clients via self-signed client/server certs.
John
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Dec 20 19:51:50 2007