subversion-commits mailing list archives

From Apache Wiki <>
Subject [Subversion Wiki] Update of "ServerDictatedConfiguration" by CMichaelPilato
Date Mon, 05 Dec 2011 16:37:36 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Subversion Wiki" for change notification.

The "ServerDictatedConfiguration" page has been changed by CMichaelPilato:

  || myriad authn-related stuff || per-server, per-repos || Un-enforceable || Lack of enforceability
plus relationship to security means that admins do not want the client to be able to trivially
override this setting.  Precise requirements TBD (is this a boolean "allow/disallow plaintext
password caching", or "require X, Y or Z encrypted password stores", or ...?  ||
  NOTE: The configuration the server dictates can at best be only a suggestion to the client,
with well-behaving clients honoring that suggestion.  As free software, though, most such
clients could be modified by a malicious user to ignore server-side suggestions.  Server-side
enforcement of desired behaviors (where possible, and often via hook scripts) is still recommended.
+ ANOTHER NOTE:  At least one user specifically called out the need for the server to enforce
adherence to the configured behaviors ''without'' requiring hook scripts to do so.  For example,
if the repository has a configured auto-props list, the Subversion C code is perfectly capable
of validating that incoming committed items obey those settings, failing the commit otherwise.
 This seems like a reasonable request so long as we permit admins to specify which of their
configuration settings are "suggested" versus "required" (again, taking into account that
anything unenforceable can't truly be "required").
  === Server-client transmission mechanism ===
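Review bot: the added "ANOTHER NOTE" paragraph introduces a "suggested" versus "required" distinction but does not say how an admin marks a setting as one or the other, or which settings are eligible. Consider tying it to the enforceability cell of the table rows above, so that a row marked "Un-enforceable" (such as the authn-related row) is explicitly limited to "suggested". The paragraph also says the server fails a commit whose items do not obey the configured auto-props list, but not what the committer is told when that happens; a sentence on the error surfaced to the client would help. As a style point, "ANOTHER NOTE" could be folded into the preceding NOTE, since both qualify the same statement about server-side enforcement and hook scripts.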
