[scponly] svn support in scponly is unsafe
Kaleb Pederson
kibab at icehouse.net
Tue Sep 4 16:10:55 EDT 2007

Yes, you are exactly right. This was discovered a while ago and documented in
our SECURITY document, currently only in CVS. You can see it here:
http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?revision=1.1&view=markup

We have debated whether or not support for svn and svnserve should be removed
entirely or if it should be controllable by the system administrator. As the
OS can be configured to safely allow svn/svnserve, I think we leaned towards
making it obvious what the ramifications of the different options are and
leaving it up to the discretion of the system administrator. For instances
where the svn repository is actually controlled by the administrator, this
makes perfect sense.

Please forgive us that this wasn't brought to the attention of the community
earlier; unfortunately, our time limits us more than we like.

Community members, please let us know what your feelings on this are so that
we have as few surprises as possible with our next release.

Regards.

--Kaleb

On Tuesday 04 September 2007, Joachim Breitner wrote:
> Hi,
>
> please read through:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
>
> Basically: Allowing svn or svnserve is unsafe.
>
> Greetings,
> Joachim