[development] FAQ: Why is Drupal still using CVS when X is a much better choice?
Sam Boyer
drupal at samboyer.org
Thu Jul 31 18:05:16 UTC 2008
On Thu, 2008-07-31 at 10:54 -0700, Owen Barton wrote:
> Hi All,
>
> On Thu, Jul 31, 2008 at 10:50 AM, Sam Boyer <drupal at samboyer.org> wrote:
> On Thu, 2008-07-31 at 10:46 -0700, Derek Wright wrote:
> > On Jul 31, 2008, at 9:40 AM, Angela Byron wrote:
> >
> > > 1. Security. pserver authentication is horribly, horribly insecure.
> >
> > I think the security problems will be just as bad with SVN given the
> > OSUOSL infrastructure. There's a way to do CVS securely (over ssh),
> > which is basically equivalent to what we'd have to do to actually
> > make SVN secure (as far as I know), but the OSUOSL side of this
> > question has been "won't fixed" because it would involve giving
> > (extremely limited) shell access to every CVS account holder:
> >
> > http://drupal.org/node/199412
> >
> > I'll admit I haven't closely studied SVN's various security models,
> > so I could be wrong about this, but on the surface, I think this
> > particular argument is a red herring, since we couldn't configure SVN
> > any more securely than we can configure CVS. If anyone can provide a
> > link to a clear document explaining how to configure SVN more
> > securely than pserver if you don't actually have accounts and ssh
> > keys for everyone, please do so.
>
>
> So let me quickly just respond here to say that, in fact, SVN is almost
> terrifyingly easy to set up securely using SSH. No need for shell
> accounts per user. Obviously using ssh keys means that we'd need to
> _get_ those public keys from people in the first place, and doing so
> would also be a very real change for all contributors: either you learn
> SSH, or you can't contribute to drupal.
>
>
>
> Actually, an even easier method is to set up SVN access over https -
> http://gentoo-wiki.com/HOWTO_Apache2_with_subversion_SVN_and_DAV
> This needs no shell accounts or even SSH keys and can authenticate any
> way apache can.
>
> Thanks!
> - Owen
Yep, https is also an option. I've not worked as extensively with it as
I have with ssh-based svn, but it does obviate the need for ssh keys
from everyone. It is a bit more intensive than svn+ssh.
http://svnbook.red-bean.com/en/1.4/svn-book.html#svn.serverconfig
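
The svn+ssh arrangement discussed in this thread (SSH keys, but no shell account per contributor) can be built on one shared account whose `authorized_keys` pins every key to `svnserve` in tunnel mode. The script below is an added example, not part of the original thread; the shared-account layout, the repository root `/srv/svn` and the sample key are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout: one shared account (e.g. "svn") owns the
# repositories; contributors get no login, only a key pinned to svnserve.
SVN_ROOT="/srv/svn"   # assumed repository root
OPTS="no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
NL='
'

# svn_key_line USER PUBKEY: print one restricted authorized_keys entry.
svn_key_line() {
    user=$1 pubkey=$2
    # The name lands inside a quoted command string: allow only safe characters.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad username: $user" >&2; return 1 ;;
    esac
    # One line only, starting with a key type: a submitted key must not
    # carry its own options or smuggle in a second entry.
    case $pubkey in
        *"$NL"*) echo "multi-line key for $user" >&2; return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unexpected key format for $user" >&2; return 1 ;;
    esac
    printf 'command="svnserve -t --tunnel-user=%s -r %s",%s %s\n' \
        "$user" "$SVN_ROOT" "$OPTS" "$pubkey"
}

# svn_audit_keys FILE: list entries that are not pinned to svnserve.
# Returns 1 if any are found.
svn_audit_keys() {
    want="^command=\"svnserve -t --tunnel-user=[A-Za-z0-9._-][A-Za-z0-9._-]* -r [^\"]*\",$OPTS "
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | grep -v "$want" || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample key, not a real one.
svn_key_line alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED alice@example.org"
```

The generated lines go in the shared account's `~/.ssh/authorized_keys`; `--tunnel-user` makes each commit carry the contributor's name instead of the shared account's.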