[scponly] svn support in scponly is unsafe
Joachim Breitner
nomeata at debian.org
Tue Sep 4 16:23:11 EDT 2007
Hi,
On Tuesday, 04.09.2007, at 13:10 -0700, Kaleb Pederson wrote:
> Yes, you are exactly right. This was discovered a while ago and documented in
> our SECURITY document currently only in CVS. You can see it here:
>
> http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?revision=1.1&view=markup
>
> We have debated whether or not support for svn and svnserve should be removed
> entirely or if it should be controllable by the system administrator. As the
> OS can be configured to safely allow svn/svnserve, I think we leaned towards
> making it obvious what the ramifications of the different options are and
> leaving it up to the discretion of the system administrator. For instances
> where the svn repository is actually controlled by the administrator, this
> makes perfect sense.
>
> Please forgive us that this wasn't brought to the attention of the community
> earlier, unfortunately our time limits us more than we like.
>
> Community members, please let us know what your feelings on this are so that
> we have as few surprises as possible with our next release.
I assume then that svn/svnserve support is by default off in the
original package and that the Debian package should also not have
svn/svnserve support.
Greetings,
Joachim
--
Joachim "nomeata" Breitner
Debian Developer
nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: joachimbreitner at amessage.de | http://people.debian.org/~nomeata