Re: Content scanning during checkout/update

From: Ryan Schmidt <subversion-2011a_at_ryandesign.com>
Date: Tue, 19 Jul 2011 18:53:02 -0500

On Jul 19, 2011, at 12:11, Toplak Daniel wrote:

> My approach via the mod_clamav output filter blocks the content be delivered to the client and breaks the checkout/update with a http status 500 and a information in the http status line.

I'm still curious: does this really work? For an "svn update" for example Subversion only transfers the differences between what the user already has in their working copy and what's in the requested revision on the server, plus it's compressed. Will clamav detect malware that is compressed? Will clamav detect malware that is inserted into an existing file the user already had?

More importantly, is this really a big problem for your setup -- malware getting into the repository? It seems like a rather uncommon situation to me. But if you think it is common for your situation, would it be sufficient to scan the HEAD of the repository for malware periodically -- daily or weekly, or whenever malware definitions are updated? Maybe that would be simpler to implement and perform better than scanning on every access.
Received on 2011-07-20 01:53:42 CEST

This message: [ Message body ]
Next message: Ryan Schmidt: "Re: Can I prevent a file from being modified?"
Previous message: Daniel Shahaf: "Re: 1.7 alpha3 bug (assert/exception) during update"
In reply to: Toplak Daniel: "AW: Content scanning during checkout/update"
Next in thread: Mark Phippard: "Re: Content scanning during checkout/update"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]