RE: svnadmin create and not being method agnostic

2011-01-11 Thread Bob Archer
svnadmin create .\repository svnserve -r . and a repository is created and served via svnserve. With the above defaults, a third step is required, which can get tedious. I'd propose enabling svnserve by default, and it can then be disabled if required. This also maintains the ease

Re: svnadmin create and not being method agnostic

2011-01-07 Thread Les Mikesell
On 1/4/2011 8:25 PM, Nico Kadel-Garcia wrote: This is a very large and longstanding issue for me and others, and has led to clients of mine rejecting Subversion outright. And it looks like a legacy of Subversion's re-implementation of CVS, described as CVS done right. CVS security was even

Re: svnadmin create and not being method agnostic

2011-01-07 Thread Nico Kadel-Garcia
On Fri, Jan 7, 2011 at 11:43 AM, Les Mikesell lesmikes...@gmail.com wrote: On 1/4/2011 8:25 PM, Nico Kadel-Garcia wrote: This is a very large and longstanding issue for me and others, and has led to clients of mine rejecting Subversion outright. And it looks like a legacy of Subversion's

Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic

2011-01-06 Thread Johan Corveleyn
On Thu, Jan 6, 2011 at 1:29 AM, Nico Kadel-Garcia nka...@gmail.com wrote: On Wed, Jan 5, 2011 at 2:19 PM, Les Mikesell lesmikes...@gmail.com wrote: Of course you _can_ secure it.  My point is that permitting ssh and restricting access to ssh by itself is very likely to make your system less

Re: svnadmin create and not being method agnostic

2011-01-05 Thread Stefan Sperling
On Tue, Jan 04, 2011 at 09:25:11PM -0500, Nico Kadel-Garcia wrote: This is a very large and longstanding issue for me and others, and has led to clients of mine rejecting Subversion outright. And it looks like a legacy of Subversion's re-implementation of CVS, described as CVS done right. CVS

Re: svnadmin create and not being method agnostic

2011-01-05 Thread Daniel Shahaf
Nice, please stop saying I don't like X everywhere. Stefan Sperling wrote on Wed, Jan 05, 2011 at 11:09:06 +0100: On Tue, Jan 04, 2011 at 09:25:11PM -0500, Nico Kadel-Garcia wrote: This is a very large and longstanding issue for me and others, and has led to clients of mine rejecting

Re: svnadmin create and not being method agnostic

2011-01-05 Thread Daniel Shahaf
Nico, please stop saying I don't like X everywhere. Stefan Sperling wrote on Wed, Jan 05, 2011 at 11:09:06 +0100: On Tue, Jan 04, 2011 at 09:25:11PM -0500, Nico Kadel-Garcia wrote: This is a very large and longstanding issue for me and others, and has led to clients of mine rejecting

Re: svnadmin create and not being method agnostic

2011-01-05 Thread David Brodbeck
On Tue, Jan 4, 2011 at 6:31 PM, Nico Kadel-Garcia nka...@gmail.com wrote: It's *too* easy. Since the default svnserve.conf is very permissive, and because default svnserve is on an unprivileged port so any user can serve anyone else's readable repository to outside access, without the

Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic

2011-01-05 Thread David Brodbeck
On Mon, Jan 3, 2011 at 8:46 AM, Les Mikesell lesmikes...@gmail.com wrote: On 1/2/2011 9:43 PM, Nico Kadel-Garcia wrote: It's possible to do secure Subversion. Use svn+ssh access, disable or block other services at the firewall, If ssh is permitted and you didn't personally set it up, what

Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic

2011-01-05 Thread Les Mikesell
On 1/5/2011 1:04 PM, David Brodbeck wrote: It's possible to do secure Subversion. Use svn+ssh access, disable or block other services at the firewall, If ssh is permitted and you didn't personally set it up, what are the odds that port tunneling or ssh's built

Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic

2011-01-05 Thread Nico Kadel-Garcia
On Wed, Jan 5, 2011 at 2:19 PM, Les Mikesell lesmikes...@gmail.com wrote: Of course you _can_ secure it.  My point is that permitting ssh and restricting access to ssh by itself is very likely to make your system less secure (if you count on firewall protections) instead of more so. And

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Stefan Sperling
On Mon, Jan 03, 2011 at 04:19:20PM -0500, Andy Levy wrote: On Mon, Jan 3, 2011 at 15:56, Nick nos...@codesniffer.com wrote: On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote: Apologies in advance if this is covered somewhere, but can someone explain (or point me to some references

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Stefan Sperling
On Mon, Jan 03, 2011 at 02:35:08PM +0100, Stefan Sperling wrote: On Sat, Jan 01, 2011 at 11:58:09PM -0700, Philip Prindeville wrote: I don't care how you do that. As long as it's easily understandable, preferably to both existing users and new ones. Apart from improving documentation, I

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Daniel Shahaf
How about allowing to choose not just at mod_dav_svn v. svnserve granularity, but at the httpd instance / svnserve instance granularity. Requires 'svnserve --instance-name=foo' (and a corresponding httpd.conf directive) and specifying that 'foo' somewhere in the config file. Stefan Sperling

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Daniel Becroft
On Wed, Jan 5, 2011 at 5:35 AM, Stefan Sperling s...@elego.de wrote: On Mon, Jan 03, 2011 at 02:35:08PM +0100, Stefan Sperling wrote: On Sat, Jan 01, 2011 at 11:58:09PM -0700, Philip Prindeville wrote: I don't care how you do that. As long as it's easily understandable, preferably to

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Stefan Sperling
On Wed, Jan 05, 2011 at 07:56:48AM +1000, Daniel Becroft wrote: On Wed, Jan 5, 2011 at 5:35 AM, Stefan Sperling s...@elego.de wrote: = Impact on the repository format = A format bump (in REPOS/format, not REPOS/db/format) is required. The new feature shall only be activated for

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Nico Kadel-Garcia
On Mon, Jan 3, 2011 at 3:56 PM, Nick nos...@codesniffer.com wrote: On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote: Apologies in advance if this is covered somewhere, but can someone explain (or point me to some references on) why using SVN w/ Apache (HTTPS) is insecure?  I've seen

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Nico Kadel-Garcia
On Tue, Jan 4, 2011 at 4:56 PM, Daniel Becroft djcbecr...@gmail.com wrote: svnadmin create .\repository svnserve -r . and a repository is created and served via svnserve. With the above defaults, a third step is required, which can get tedious. I'd propose enabling svnserve by default, and

Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic

2011-01-04 Thread Nico Kadel-Garcia
On Mon, Jan 3, 2011 at 11:46 AM, Les Mikesell lesmikes...@gmail.com wrote: On 1/2/2011 9:43 PM, Nico Kadel-Garcia wrote: It's possible to do secure Subversion. Use svn+ssh access, disable or block other services at the firewall, If ssh is permitted and you didn't personally set it up, what

Re: svnadmin create and not being method agnostic

2011-01-04 Thread Daniel Becroft
On Wed, Jan 5, 2011 at 12:31 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Tue, Jan 4, 2011 at 4:56 PM, Daniel Becroft djcbecr...@gmail.com wrote: svnadmin create .\repository svnserve -r . and a repository is created and served via svnserve. With the above defaults, a third step

Re: svnadmin create and not being method agnostic

2011-01-03 Thread Stefan Sperling
On Sat, Jan 01, 2011 at 10:29:22PM -0500, Nico Kadel-Garcia wrote: You've just made my point that it should be automated upstream. Instead of riding on the obvious shortcomings of a two-line shell script I was using to badly illustrate an idea, why don't you spend time writing up a Setting up

Re: svnadmin create and not being method agnostic

2011-01-03 Thread Stefan Sperling
On Sat, Jan 01, 2011 at 11:58:09PM -0700, Philip Prindeville wrote: On 12/30/10 7:29 AM, Stefan Sperling wrote: You may conveniently argue that you don't care about this problem because it doesn't concern you. But Subversion developers cannot just add options and functionality without

Re: svnadmin create and not being method agnostic

2011-01-03 Thread Nick
On Sun, 2011-01-02 at 22:43 -0500, Nico Kadel-Garcia wrote: It's possible to do secure Subversion. Use svn+ssh access, disable or block other services at the firewall, and keep it away from HTTP/HTTPS in order to prevent UNIX or Linux client plaintext password storage. Apologies in advance if

Re: Fine and secure dining, was Re: svnadmin create and not being method agnostic

2011-01-03 Thread Les Mikesell
On 1/2/2011 9:43 PM, Nico Kadel-Garcia wrote: It's possible to do secure Subversion. Use svn+ssh access, disable or block other services at the firewall, If ssh is permitted and you didn't personally set it up, what are the odds that port tunneling or ssh's built in socks proxy will allow

Re: svnadmin create and not being method agnostic

2011-01-03 Thread Mark Phippard
On Mon, Jan 3, 2011 at 11:09 AM, Nick nos...@codesniffer.com wrote: On Sun, 2011-01-02 at 22:43 -0500, Nico Kadel-Garcia wrote: It's possible to do secure Subversion. Use svn+ssh access, disable or block other services at the firewall, and keep it away from HTTP/HTTPS in order to prevent UNIX

Re: svnadmin create and not being method agnostic

2011-01-03 Thread Nick
On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote: Apologies in advance if this is covered somewhere, but can someone explain (or point me to some references on) why using SVN w/ Apache (HTTPS) is insecure? I've seen some references to plain text password storage, but I don't see my

Re: svnadmin create and not being method agnostic

2011-01-03 Thread Andy Levy
On Mon, Jan 3, 2011 at 15:56, Nick nos...@codesniffer.com wrote: On Mon, 2011-01-03 at 11:49 -0500, Mark Phippard wrote: Apologies in advance if this is covered somewhere, but can someone explain (or point me to some references on) why using SVN w/ Apache (HTTPS) is insecure?  I've seen

Re: svnadmin create and not being method agnostic

2011-01-02 Thread Nico Kadel-Garcia
On Sun, Jan 2, 2011 at 2:49 AM, Philip Prindeville philipp_s...@redfish-solutions.com wrote: On 1/1/11 8:29 PM, Nico Kadel-Garcia wrote: To set up the first time for testing? No. To set up securely? Youch. It's paid me some very remunerative consulting wages, because it took someone as

RE: svnadmin create and not being method agnostic

2011-01-02 Thread Tony Sweeney
-Original Message- From: Nico Kadel-Garcia [mailto:nka...@gmail.com] Sent: 02 January 2011 12:55 To: Philip Prindeville Cc: Ryan Schmidt; users@subversion.apache.org Subject: Re: svnadmin create and not being method agnostic On Sun, Jan 2, 2011 at 2:49 AM, Philip Prindeville philipp_s

Re: svnadmin create and not being method agnostic

2011-01-01 Thread Nico Kadel-Garcia
On Thu, Dec 30, 2010 at 9:29 AM, Stefan Sperling s...@elego.de wrote: What if the user later decides to use svnserve instead of apache? How would the principle of least astonishment be applied then? Do we tell those users to copy svnserve.conf from another repository? Do we add a new option

Re: svnadmin create and not being method agnostic

2011-01-01 Thread Nico Kadel-Garcia
On Thu, Dec 30, 2010 at 9:41 AM, Bob Archer bob.arc...@amsi.com wrote: Is there really that much overhead in deleting the binary and insuring the correct permissions are used on the repository folders to keep the honest, honest? After all, any one with root/administrator access is able to

Re: svnadmin create and not being method agnostic

2011-01-01 Thread Philip Prindeville
On 12/30/10 7:29 AM, Stefan Sperling wrote: On Wed, Dec 29, 2010 at 09:03:16AM -0800, Philip Prindeville wrote: On 12/29/10 8:34 AM, Nico Kadel-Garcia wrote: On Wed, Dec 29, 2010 at 11:01 AM, Stefan Sperling s...@elego.de wrote: The initial concern raised in this thread was that there might

Re: svnadmin create and not being method agnostic

2011-01-01 Thread Philip Prindeville
On 12/30/10 7:41 AM, Bob Archer wrote: I can also argue with the Principle of least astonishment: So say we've added a new svnadmin option --dont-create-svnserve-config, and we've made svnserve skip repositories which don't have an svnserve.conf file within them (putting aside the still

Re: svnadmin create and not being method agnostic

2011-01-01 Thread Philip Prindeville
On 1/1/11 8:29 PM, Nico Kadel-Garcia wrote: On Thu, Dec 30, 2010 at 9:29 AM, Stefan Sperling s...@elego.de wrote: What if the user later decides to use svnserve instead of apache? How would the principle of least astonishment be applied then? Do we tell those users to copy svnserve.conf from

Re: svnadmin create and not being method agnostic

2010-12-30 Thread Stefan Sperling
On Wed, Dec 29, 2010 at 09:03:16AM -0800, Philip Prindeville wrote: On 12/29/10 8:34 AM, Nico Kadel-Garcia wrote: On Wed, Dec 29, 2010 at 11:01 AM, Stefan Sperling s...@elego.de wrote: The initial concern raised in this thread was that there might exist a hypothetical exploit of svnserve. I'm

RE: svnadmin create and not being method agnostic

2010-12-30 Thread Bob Archer
I can also argue with the Principle of least astonishment: So say we've added a new svnadmin option --dont-create-svnserve-config, and we've made svnserve skip repositories which don't have an svnserve.conf file within them (putting aside the still unsolved problem of what svnserve

Re: svnadmin create and not being method agnostic

2010-12-30 Thread Stefan Sperling
On Thu, Dec 30, 2010 at 03:32:01PM +0100, Stefan Sperling wrote: On Thu, Dec 30, 2010 at 03:29:11PM +0100, Stefan Sperling wrote: create-svn-repos.sh: #!/bin/sh svnadmin create $1 rm -f $1/conf/svnserve.conf Of course, you would also need to delete svnserve from the system and

RE: svnadmin create and not being method agnostic

2010-12-30 Thread Bob Archer
Windows (if that can be considered secure in the first place), that would also be interesting. But I'm afraid I wouldn't be able to help with that. Why all the hate? :) Suffice to say, windows servers (these days) are only as secure as the admin makes it. I guess that applies to *Nix

Re: svnadmin create and not being method agnostic

2010-12-30 Thread Daniel Shahaf
Stefan Sperling wrote on Thu, Dec 30, 2010 at 15:48:16 +0100: On Thu, Dec 30, 2010 at 03:32:01PM +0100, Stefan Sperling wrote: On Thu, Dec 30, 2010 at 03:29:11PM +0100, Stefan Sperling wrote: create-svn-repos.sh: #!/bin/sh svnadmin create $1 rm -f $1/conf/svnserve.conf Of

Re: svnadmin create and not being method agnostic

2010-12-30 Thread Stefan Sperling
On Thu, Dec 30, 2010 at 05:02:55PM +0200, Daniel Shahaf wrote: Stefan Sperling wrote on Thu, Dec 30, 2010 at 15:48:16 +0100: It would be nice if the outcome of this thread was a document detailing requirements and solutions for a secure, apache-only subversion setup on a unix system.

RE: svnadmin create and not being method agnostic

2010-12-29 Thread Bob Archer
2010/12/28 Thorsten Schöning tschoen...@am-soft.de Guten Tag Philip Prindeville, am Montag, 27. Dezember 2010 um 22:28 schrieben Sie: In our case, we're setting up a secured source repository inside our network, for outside access (via port-forwarding on our gateway). In this scenario

Re: svnadmin create and not being method agnostic

2010-12-29 Thread Nico Kadel-Garcia
On Tue, Dec 28, 2010 at 12:24 PM, Stefan Sperling s...@elego.de wrote: On Tue, Dec 28, 2010 at 12:11:47PM -0500, Nico Kadel-Garcia wrote: As Stefan points out elsewhere, svnserve will run without an svnserve.conf. Perhaps it *shouldn't*, and the default svnserve.conf should be published as

Re: svnadmin create and not being method agnostic

2010-12-29 Thread Stefan Sperling
On Wed, Dec 29, 2010 at 10:43:13AM -0500, Nico Kadel-Garcia wrote: On Tue, Dec 28, 2010 at 12:24 PM, Stefan Sperling s...@elego.de wrote: On Tue, Dec 28, 2010 at 12:11:47PM -0500, Nico Kadel-Garcia wrote: As Stefan points out elsewhere, svnserve will run without an svnserve.conf. Perhaps

Re: svnadmin create and not being method agnostic

2010-12-29 Thread Nico Kadel-Garcia
On Wed, Dec 29, 2010 at 11:01 AM, Stefan Sperling s...@elego.de wrote: On Wed, Dec 29, 2010 at 10:43:13AM -0500, Nico Kadel-Garcia wrote: On Tue, Dec 28, 2010 at 12:24 PM, Stefan Sperling s...@elego.de wrote: On Tue, Dec 28, 2010 at 12:11:47PM -0500, Nico Kadel-Garcia wrote: As Stefan

Re: svnadmin create and not being method agnostic

2010-12-29 Thread Les Mikesell
On 12/29/10 11:03 AM, Philip Prindeville wrote: That's unclear, I agree. I've taken it in a slightly different direction, trying to address his concerns. So my concern is this: I want to be able to easily, clearly, and with high confidence set up SVN to *only* work via Apache, and no other

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Thorsten Schöning
Guten Tag Philip Prindeville, am Montag, 27. Dezember 2010 um 22:28 schrieben Sie: In our case, we're setting up a secured source repository inside our network, for outside access (via port-forwarding on our gateway). In this scenario and if security is this important for you, then why not

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Stefan Sperling
On Mon, Dec 27, 2010 at 01:28:34PM -0800, Philip Prindeville wrote: On 12/27/10 11:34 AM, Ryan Schmidt wrote: On Dec 24, 2010, at 23:34, Philip Prindeville wrote: Unfortunately, the documentation and utilities in a few places are less clear than they could be when discussing repository

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Philip Prindeville
On 12/28/10 3:44 AM, Stefan Sperling wrote: On Mon, Dec 27, 2010 at 01:28:34PM -0800, Philip Prindeville wrote: On 12/27/10 11:34 AM, Ryan Schmidt wrote: On Dec 24, 2010, at 23:34, Philip Prindeville wrote: Unfortunately, the documentation and utilities in a few places are less clear than

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Nico Kadel-Garcia
On Tue, Dec 28, 2010 at 11:58 AM, Philip Prindeville philipp_s...@redfish-solutions.com wrote: On 12/28/10 3:44 AM, Stefan Sperling wrote: On Mon, Dec 27, 2010 at 01:28:34PM -0800, Philip Prindeville wrote: On 12/27/10 11:34 AM, Ryan Schmidt wrote: On Dec 24, 2010, at 23:34, Philip

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Stefan Sperling
On Tue, Dec 28, 2010 at 12:11:47PM -0500, Nico Kadel-Garcia wrote: As Stefan points out elsewhere, svnserve will run without an svnserve.conf. Perhaps it *shouldn't*, and the default svnserve.conf should be published as svnserve.conf.tmpl? That would force manual enabling of a service that

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Les Mikesell
On 12/28/10 11:11 AM, Nico Kadel-Garcia wrote: Disabled entirely would be better, and safer, than empty. Subversion's security models have historically been very lax. This is inherited from its origins in CVS, and the attitude that if you don't trust your machine, you shouldn't be using it!!!.

Re: svnadmin create and not being method agnostic

2010-12-28 Thread Les Mikesell
On 12/28/10 1:57 PM, Nico Kadel-Garcia wrote: But better client and server access control is also hardly unheard of. Plenty of more modern tools take client and server security far more seriously, including cross-platform source control tools. Bitkeeper, git, Perforce, and mercurial all leap to

Re: svnadmin create and not being method agnostic

2010-12-28 Thread David Brodbeck
2010/12/28 Thorsten Schöning tschoen...@am-soft.de Guten Tag Philip Prindeville, am Montag, 27. Dezember 2010 um 22:28 schrieben Sie: In our case, we're setting up a secured source repository inside our network, for outside access (via port-forwarding on our gateway). In this scenario

svnadmin create and not being method agnostic

2010-12-27 Thread Philip Prindeville
Hi. I'm a long-time svn user but only recently had to set one up myself. I was doing so on linux (Fedora) using Apache as the access method. Unfortunately, the documentation and utilities in a few places are less clear than they could be when discussing repository setup for svnserve versus

Re: svnadmin create and not being method agnostic

2010-12-27 Thread Ryan Schmidt
On Dec 24, 2010, at 23:34, Philip Prindeville wrote: Unfortunately, the documentation and utilities in a few places are less clear than they could be when discussing repository setup for svnserve versus svnserve+ssh versus apache. For instance, svnadmin create deposits various files

Re: svnadmin create and not being method agnostic

2010-12-27 Thread Philip Prindeville
On 12/27/10 11:34 AM, Ryan Schmidt wrote: On Dec 24, 2010, at 23:34, Philip Prindeville wrote: Unfortunately, the documentation and utilities in a few places are less clear than they could be when discussing repository setup for svnserve versus svnserve+ssh versus apache. For instance,