Mailing-List: contact users-help@subversion.apache.org; run by ezmlm
Precedence: bulk
Received-SPF: pass (nike.apache.org: local policy)
Date: Mon, 3 Jan 2011 14:35:08 +0100
From: Stefan Sperling <stsp@elego.de>
To: Philip Prindeville <philipp_subx@redfish-solutions.com>
Cc: Nico Kadel-Garcia <nkadel@gmail.com>,
        Ryan Schmidt <subversion-2010d@ryandesign.com>,
        users@subversion.apache.org
Subject: Re: svnadmin create and not being method agnostic
Message-ID: <20110103133508.GG8919@ted.stsp.name>
Mail-Followup-To: Philip Prindeville <philipp_subx@redfish-solutions.com>,
	Nico Kadel-Garcia <nkadel@gmail.com>,
	Ryan Schmidt <subversion-2010d@ryandesign.com>,
	users@subversion.apache.org
References: <20101228114416.GA14809@ted.stsp.name>
 <4D1A1743.9060708@redfish-solutions.com>
 <AANLkTim2KxEMw_Ba_O1OX9LRkm-79qjVTdV7pnRizhe9@mail.gmail.com>
 <20101228172409.GG14809@ted.stsp.name>
 <AANLkTi=LMZxMD_e7+_Dcg0PB031CaYVsG+Hva7xX34Gv@mail.gmail.com>
 <20101229160113.GG30723@ted.stsp.name>
 <AANLkTi=+aD8EOjgSs3tEJma2RYBhFPivMevCWQk01Beo@mail.gmail.com>
 <4D1B69D4.1060405@redfish-solutions.com>
 <20101230142911.GA12126@ted.stsp.name>
 <4D202201.9050107@redfish-solutions.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4D202201.9050107@redfish-solutions.com>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Sat, Jan 01, 2011 at 11:58:09PM -0700, Philip Prindeville wrote:
> On 12/30/10 7:29 AM, Stefan Sperling wrote:
> >You may conveniently argue that you don't care about this problem
> >because it doesn't concern you. But Subversion developers cannot just
> >add options and functionality without considering the overall use of
> >those features for *all* Subversion users. The tool needs to be general.
> 
> What I inconveniently care about is that the software be secure, and
> in being secure, that it be easy to set up so that it does what I want
> it to do, and no more (i.e. that it not leave any doors open
> unintentionally).

Well I think it is easy to set up to be secure already.

The documentation is apparently lacking, and help in improving it is
very welcome.

> I don't care how you do that.  As long as it's easily understandable, preferably to both existing users and new ones.

Apart from improving documentation, I cannot think of a way to do this
which is easily understandable for everyone, sorry.

Your suggestion raises many questions and it will take time to think this through.
For instance, what will this approach look like from the apache httpd side?
Do we also add a marker file there to enable serving of a repository?
How can this be done in a backwards-compatible way to prevent breaking
any existing setups? Should we treat svnserve.conf as a marker file for
httpd also? In this case you'll need to leave the file in place.

> >I may be biased but I don't think a core Subversion setup is particularly
> >complex to set up.  It gets a lot more complex if you integrate
> >Subversion with existing infrastructure and other tools. But there is not
> >much Subversion's developers can do to help people with this, other than
> >making sure that Subversion's solutions are as general, flexible, and
> >scriptable as possible.
> 
> True, but as you point out, a few handy common wrappers can go a long way.
> 
> I wouldn't mind seeing support for SSL certificate generation via openssl...

I don't think we need such a script packaged with Subversion itself.
That's out of scope of the subversion source code distribution.

Doesn't your system ship with documentation or even scripts to generate
SSL certificates?  On the system I use 'man ssl' has a section called
"GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS":
http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Stefan