[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Encrypting selected files ...

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: Fri, 02 Oct 2009 12:14:59 -0500

Pat Farrell wrote:
> Les Mikesell wrote:
>>> Its simple. put those things in a properties file or equivalent and do
>>> not use SVN for them.
>> That's correct in theory, but I'd bet that most places that keep any
>> production code/configurations in subversion have this issue.
>
> All places that use this approach have no security.
>
> This is a fundamental issue, don't do that.
>
>> There are just too many places where you can't separate them.
>
> If you care, at all, about security, you must separate them.

But if you care about version control, you must include the parts of
code/configuration involved in your repository.

> I will agree that too many places put these in SVN, or equivalent, but
> that does not make it acceptable. Its simply poor operational design.

They are often need to be included in a file of code or configuration
that is someone else's design. Bad design or not, pretty much every
front-end service that needs access to a backend database has a
configuration file that you need to maintain that has the credentials
embedded.

> Most theft and fraud are inside jobs. You can not allow simple access to
> the source code to allow access to production.

Nor is it a good idea to put things into production that aren't under
version control.

> This does not prevent the operations folks from having their own SVN
> inside their security perimeter. But its simply wrong to put production
> passwords in the general engineering SVN.

So how do you roll out code/configurations to a bunch of machines with
the ability to roll back without storing it somewhere that the people
who develop/test it can access?

-- 
    Les Mikesell
     lesmikesell_at_gmail.com
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2403003
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-10-02 19:16:05 CEST

This is an archived mail posted to the Subversion Users mailing list.