From "William A. Rowe, Jr." <>
Subject Re: [PROPOSAL] Move httpd to the subversion repository
Date Tue, 16 Mar 2004 18:26:02 GMT
At 11:27 AM 3/16/2004, Ben Laurie wrote:
>Justin Erenkrantz wrote:
>>--On Monday, March 15, 2004 10:52 AM +0000 Ben Laurie <> wrote:
>>>It is? How? Unless the committer signs (which ISTR was rejected as an option
>>>when I suggested it, so I'm assuming that doesn't happen), then they must be
>>>signed by the server - a successful attacker can therefore sign his
>>>modifications, too. Or am I missing something? (I don't use subversion yet,
>>>so forgive me if the answer is obvious).
>>We're talking about ensuring the integrity of the repository here, not whether malicious
>>people can commit.
>I know.

Uhm, I beg to differ - I care about both issues :)

>>With the repository and its dumps, everything is date-ordered.  The revisions are
>>sequential and the dumps only contain the changes for that particular revision.  Once the
>>changes are made, they can be signed by the server and rsync'd via a third-party 'secure'
>>server (*only* adding the new revisions).  In the event of an intrusion, we can use those
>>read-only dumps to compare against our 'live' repository.  Also, if a malicious set of commits
>>occur, we can also *quickly* remove those as everything is identified by a changeset/revision
>>number across the repository (again, not possible with CVS as it has per-file revnums).
>I don't see how this defends against a malicious user that has owned the server for long
>enough for his changes to have been rsynced to the "secure" server?

That is always a risk - which is why the more offsite copies backed up regularly,
the better.  If there is a barrier to rsync'ing the database, or rsync'ing the commit
history and auto-layering the main repository history into a mirror repository,
I'm very averse to the proposal.  If anyone has a cool bookmark on mirroring
svn repositories, please share.

>>>It is news to me that the board have expressed this view.
>>No, it's not official, but every time we have an intrusion, we have no useful mechanism
>>of auditing the integrity of our CVS repository as people can modify the RCS files directly
>>and that *has* been a concern brought up by the board on several occasions.  With Subversion,
>>it is possible to easily verify the integrity of the repository against backups.  -- justin
>I have yet to be convinced of this.

Same here....

diff -u3 backup/source.c,v live/source.c,v

Do you mean to say there is an equally trivial way to compare two repositories
to do a post-mortem with svn?  If so please share!
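As an added illustration (not part of this thread, and not Subversion or ASF infrastructure code), the following Python models the scheme Justin describes and the limit Ben points out. The repository is a list of sequential, repository-wide changesets; "signed by the server" is stood in for by HMAC-SHA256 under a key the live server holds (an assumption, chosen so the example runs with the standard library only); the "secure" mirror is append-only and receives revisions rsync-style. The audit detects an intruder who edits stored history in place (the RCS-file tampering Justin worries about), but not an intruder who owns the server and commits through it, since that commit is validly signed and faithfully mirrored. File names and contents are constructed.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: a key held only by the repository server.  HMAC-SHA256 over the
# canonical changeset stands in for "signed by the server".
SERVER_KEY = b"constructed-server-signing-key"


def sign_revision(revnum, changes, key=SERVER_KEY):
    """Signature over one incremental changeset: revision number plus changed paths."""
    payload = json.dumps({"rev": revnum, "changes": changes}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


@dataclass
class Repo:
    """Repository-wide sequential revisions; each entry is one signed changeset."""
    revisions: list = field(default_factory=list)

    def commit(self, changes, key=SERVER_KEY):
        revnum = len(self.revisions) + 1
        self.revisions.append(
            {"rev": revnum, "changes": dict(changes),
             "sig": sign_revision(revnum, changes, key)})
        return revnum

    def head(self):
        return len(self.revisions)


def mirror_sync(live, mirror):
    """rsync-style push to the read-only mirror: *only* append revisions it lacks."""
    new = live.revisions[mirror.head():]
    mirror.revisions.extend(copy.deepcopy(r) for r in new)
    return len(new)


def audit(live, mirror, key=SERVER_KEY):
    """Post-mortem check of the live repository against the mirror's dumps.

    Reports revisions whose live copy no longer matches the mirrored dump, and
    revisions whose stored signature does not verify against the server key.
    """
    differs, bad_sig = [], []
    for rev in live.revisions:
        n = rev["rev"]
        if n <= mirror.head() and rev != mirror.revisions[n - 1]:
            differs.append(n)
        if not hmac.compare_digest(rev["sig"], sign_revision(n, rev["changes"], key)):
            bad_sig.append(n)
    return {"differs_from_mirror": differs, "bad_signature": bad_sig}


def remove_revisions(repo, revnums):
    """Drop whole changesets by revision number and rebuild (like filtering a
    dump and reloading it); this is the repository-wide numbering the thread
    contrasts with CVS's per-file revision numbers."""
    rebuilt = Repo()
    for rev in repo.revisions:
        if rev["rev"] not in revnums:
            rebuilt.commit(rev["changes"])
    return rebuilt


def scenario_direct_edit():
    """Intruder rewrites stored history in place, without going through commit."""
    live, mirror = Repo(), Repo()
    live.commit({"httpd.conf": "Listen 80"})
    live.commit({"server/core.c": "fix"})
    live.commit({"docs/README": "notes"})
    mirror_sync(live, mirror)
    live.revisions[1]["changes"]["server/core.c"] = "backdoor"  # r2 altered, signature left stale
    return audit(live, mirror)


def scenario_owned_server():
    """Ben Laurie's objection: an attacker who owns the server commits *through* it,
    gets a valid server signature, and the mirror appends the result unchallenged."""
    live, mirror = Repo(), Repo()
    live.commit({"httpd.conf": "Listen 80"})
    mirror_sync(live, mirror)
    bad = live.commit({"server/core.c": "backdoor"})  # signed with the real key
    mirror_sync(live, mirror)
    return bad, audit(live, mirror)
```

The second scenario is why the server signature only proves "the server said so", not "a committer said so"; the mirror still helps by pinning the revision number at which the malicious changeset appeared, so it can be stripped as one unit once a human review has identified it.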


