[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Encrypting selected files ...

From: Pat Farrell <pfarrell_at_pfarrell.com>
Date: Fri, 02 Oct 2009 12:08:18 -0400

Les Mikesell wrote:
>> Its simple. put those things in a properties file or equivalent and do
>> not use SVN for them.
>
> That's correct in theory, but I'd bet that most places that keep any
> production code/configurations in subversion have this issue.

All places that use this approach have no security.

This is a fundamental issue, don't do that.

> There are just too many places where you can't separate them.

If you care, at all, about security, you must separate them.

I will agree that too many places put these in SVN, or equivalent, but
that does not make it acceptable. Its simply poor operational design.

Most theft and fraud are inside jobs. You can not allow simple access to
the source code to allow access to production.

This does not prevent the operations folks from having their own SVN
inside their security perimeter. But its simply wrong to put production
passwords in the general engineering SVN.

-- 
Pat Farrell
http://www.pfarrell.com/
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2402982
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-10-02 18:09:21 CEST

This is an archived mail posted to the Subversion Users mailing list.