[development] FAQ: Why is Drupal still using CVS when X is a much better choice?

Owen Barton drupal at owenbarton.com
Thu Jul 31 17:54:15 UTC 2008

Hi All,

On Thu, Jul 31, 2008 at 10:50 AM, Sam Boyer <drupal at samboyer.org> wrote:

> On Thu, 2008-07-31 at 10:46 -0700, Derek Wright wrote:
> > On Jul 31, 2008, at 9:40 AM, Angela Byron wrote:
> >
> > > 1. Security. pserver authentication is horribly, horribly insecure.
> >
> > I think the security problems will be just as bad with SVN given the
> > OSUOSL infrastructure.  There's a way to do CVS securely (over ssh),
> > which is basically equivalent to what we'd have to do to actually
> > make SVN secure (as far as I know), but the OSUOSL side of this
> > question has been "won't fixed" because it would involve giving
> > (extremely limited) shell access to every CVS account holder:
> >
> > http://drupal.org/node/199412
> >
> > I'll admit I haven't closely studied SVN's various security models,
> > so I could be wrong about this, but on the surface, I think this
> > particular argument is a red herring, since we couldn't configure SVN
> > any more securely than we can configure CVS.  If anyone can provide a
> > link to a clear document explaining how to configure SVN more
> > securely than pserver if you don't actually have accounts and ssh
> > keys for everyone, please do so.
>
> So let me quickly just respond here to say that, in fact, SVN is almost
> terrifyingly easy to set up securely using SSH. No need for shell
> accounts per user. Obviously using ssh keys means that we'd need to
> _get_ those public keys from people in the first place, and doing so
> would also be a very real change for all contributors: either you learn
> SSH, or you can't contribute to drupal.

Actually, an even easier method is to set up SVN access over https -
this needs no shell accounts or even SSH keys and can authenticate any way
Apache can.

- Owen
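
Added example, not part of the original message or of any drupal.org configuration: a minimal Apache virtual host serving a Subversion repository over https with mod_dav_svn and mod_ssl, authenticating committers from an htpasswd file so that no shell accounts or SSH keys are involved. The hostname, repository path, and certificate and password file locations are placeholders.

```apache
# Constructed example; requires mod_ssl, mod_dav and mod_dav_svn to be loaded.
# svn.example.org and all file paths below are placeholders.
<VirtualHost *:443>
    ServerName svn.example.org

    # TLS protects both the credentials and the repository traffic,
    # which pserver sends with only trivial obfuscation.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.org.key

    <Location /svn>
        DAV svn
        SVNPath /srv/svn/repo

        # Refuse any request that did not arrive over TLS, so Basic
        # credentials are never accepted in cleartext.
        SSLRequireSSL

        # Accounts live in an htpasswd file, not in /etc/passwd.
        # Any other Apache auth provider could be substituted here.
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /etc/apache2/svn.htpasswd

        # Anonymous checkout and browsing; every write needs a login.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </LimitExcept>
    </Location>
</VirtualHost>
```

Accounts are created with `htpasswd /etc/apache2/svn.htpasswd <username>`; working copies then use a URL of the form `https://svn.example.org/svn/...`.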