Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[tools-pmc] [Fwd: Re: http and https for /svnroot/tools]

Hi Matt,
Is this risk assessment based on actual events with SVN repositories that has been compromised by the Apache daemon?

I've been trying to dig up more information about this but I can't find anything. Does the recommendation stem from the Subversion community?

Personally, I think that we are in good shape with respect to code protection. I'm sure you keep daily backups and if the absolute worse should happen and even the backups would burn there are still plenty of checked out sources around.

Thomas Hallgren

-------- Original Message --------
Subject: 	Re: http and https for /svnroot/tools
Date: 	Wed, 13 Feb 2008 11:13:27 -0500
From: 	Webmaster(Matt Ward) <webmaster@xxxxxxxxxxx>
To: 	Thomas Hallgren <thomas@xxxxxxx>
References: <47B30943.7050405@xxxxxxx> <47B312C4.2050009@xxxxxxxxxxx> <47B313F5.1070809@xxxxxxx>

Hi Thomas,

Ultimately because it requires that the apache daemon have full access to the repo, so should something happen to the apache daemon your repository could be at risk. You folks put a lot of effort into this code so we err on the side of caution to protect that hard work.

Just out of curiosity, why do you recommend strongly against use of https?

- thomas

Webmaster(Matt Ward) wrote:
Hi Thomas,

This is because by default we don't expose SVN via http/https. We strongly recommend against using the https access method and it is enabled for the technology project only because there are committers behind a firewall that does not allow SSH connections. I can enable anonymous browsing via http but that request really should come from the Tools PMC.


Thomas Hallgren wrote:
I'm no longer able to access the Buckminster SVN repository using http and https. I'm not sure if that happened during the move from technology to tools or if it happened during the last two days when I encountered the other (SVNKit/JavaHL related) access problem.

Can you please check? I would like both http and https enabled if that's OK.

Thomas Hallgren


Eclipse WebMaster - webmaster@xxxxxxxxxxx
Questions? Consult the WebMaster FAQ at
View my status at

Back to the top