Ian Bicking: the old part of his blog

Distributed vs centralized scm comment 000

I was trying to figure out how to set up Apache for this sort of situation in Apache auth -- I haven't had a chance to revisit it since then (sysadmining, blech), but I think there's a special tool for svn permissions which is pretty granular.

For self-registration it might be sufficient simply to use some simple webapp that manages .htaccess files, maybe with a little something for forgotten passwords and whatnot (a parallel record of email addresses would have to be kept).

I am worried about security though, especially since Subversion is written in C. C does not encourage confidence in security. Not a big issue when you trust everyone you authorize, but if authorization is opened up...

Comment on Re: Distributed vs. Centralized Version Control
by Ian Bicking


Wouldn't the Wikipedia model be helpful here as a model for thinking about security? It seems to me that some of the security concerns might not be _that_ big a deal since you can just roll back to a previous version if someone pollutes the tree.

# brian

I'm thinking of security like buffer overflows, or people adding gigantic files to the repository which cause the database size to explode (since deleted items remain in the repository database).

# Ian Bicking

One way to do this would be to hook the authentication into something like Bugzilla. We did that at work so that both Subversion and Bugzilla had the same set of users with just one place to have to deal with them -- the username was a full email address for Subversion. This also gives the ability to self-register, reset passwords, etc. A few changes to Bugzilla would probably allow patches to point to Subversion changes and allow sharing write access to branches.

# David Ward