On Thu, 2008-07-31 at 10:46 -0700, Derek Wright wrote:
> On Jul 31, 2008, at 9:40 AM, Angela Byron wrote:
>
> > 1. Security. pserver authentication is horribly, horribly insecure.
>
> I think the security problems will be just as bad with SVN given the
> OSUOSL infrastructure.  There's a way to do CVS securely (over ssh),
> which is basically equivalent to what we'd have to do to actually
> make SVN secure (as far as I know), but the OSUOSL side of this
> question has been "won't fixed" because it would involve giving
> (extremely limited) shell access to every CVS account holder:
>
> http://drupal.org/node/199412
>
> I'll admit I haven't closely studied SVN's various security models,
> so I could be wrong about this, but on the surface, I think this
> particular argument is a red herring, since we couldn't configure SVN
> any more securely than we can configure CVS.  If anyone can provide a
> link to a clear document explaining how to configure SVN more
> securely than pserver if you don't actually have accounts and ssh
> keys for everyone, please do so.

So let me quickly just respond here to say that, in fact, SVN is almost
terrifyingly easy to set up securely using SSH. No need for shell
accounts per user. Obviously using ssh keys means that we'd need to
_get_ those public keys from people in the first place, and doing so
would also be a very real change for all contributors: either you learn
SSH, or you can't contribute to drupal.