Re: cvs.debian.org problem
On Fri, Jan 31, 2003 at 08:38:24AM -0600, Steve Langasek wrote:
> On Fri, Jan 31, 2003 at 01:24:45PM +0100, Thomas Wouters wrote:
> > For network access, subversion uses WebDAV (with DeltaV) which is an
> > extension of HTTP specifically designed to also work with HTTPS and proxies
> > and such. As such, it is as secure from attacks such as man-in-the-middle as
> > the SSL implementation.
> So the subversion client provides a visible indicator when there's a
> certificate path problem, unlike the majority of SSL-enabled text web
> browsers?
Well, I was speaking of subversion-the-design, and subversion-the-client
isn't finished yet. To note, I wouldn't recommend something like
cvs.debian.org to switch over to Subversion over the weekend or anything :)
But, it doesn't hurt to convert your repositories sometime, and see if it
works. It did for my repositories.
The client doesn't implement certificate-checks yet. However, the client
uses libneon, which does support certificate and CA-checks, and the
subversion client implements the right callbacks -- they just don't do
anything right now. From the current SVN snapshot of svn:

    /* A neon-session callback to validate the SSL certificate when the CA
       is unknown or there are other SSL certificate problems. */
    static int ssl_set_verify_callback(void *userdata, int failures,
                                       const ne_ssl_certificate *cert)
    {
      /* XXX Right now this accepts any SSL server certificates.
         Subversion should perform checks of the SSL certificates and keep
         any information related to the certificates in $HOME/.subversion
         and not in the .svn directories so that the same information can
         be used for multiple working copies.
    [...]

http://svn.collab.net/repos/svn/trunk/subversion/libsvn_ra_dav/session.c,
line 84 and onwards. (But keep in mind that URL is the live svn repository,
so it might have changed by the time you look at it. :) It goes on to
explain what the function should do, or is going to do once someone writes
it. Of course, this is open source, so you can always write the function
yourself, or ask people to write it the way you want it. The subversion team
has set some high standards for release 1.0 of subversion though, and is
actually making it happen. I'm not too worried about how subversion is going
to end up, I just can't wait to drop CVS :)
--
Thomas Wouters <thomas@xs4all.net>
Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
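
The message above quotes a verify callback that accepts every certificate. As an added example (not Subversion's or neon's code), here is a fail-closed version of that decision: it takes the failure bitmask and consults a per-user store of explicitly accepted certificates, as the quoted comment proposes. The `F_*` constants, both structs, the `check` helper and the fingerprint strings are constructed stand-ins; a real callback would take the fingerprint from the `ne_ssl_certificate` argument rather than from the context.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for neon's failure bits (assumed values, so this builds without neon). */
enum { F_NOTYETVALID = 1, F_EXPIRED = 2, F_IDMISMATCH = 4, F_UNTRUSTED = 8 };

/* Hypothetical record of a certificate the user accepted, as it might be
   kept under $HOME/.subversion. */
struct accepted { const char *host, *fingerprint; int failures; };
struct verify_ctx {
    const char *host, *presented_fp;   /* what this connection saw */
    const struct accepted *store;
    size_t n;
};

/* Constructed sample store: one self-signed server the user accepted. */
static const struct accepted sample_store[] = {
    { "svn.example.org", "constructed-fp-01", F_UNTRUSTED },
};

/* Same return convention as a neon verify callback: 0 accepts the
   certificate, non-zero aborts the connection. */
static int verify_cert(void *userdata, int failures)
{
    const struct verify_ctx *c = userdata;
    size_t i;
    if (failures == 0)
        return 0;                      /* library found no problem */
    for (i = 0; i < c->n; i++) {
        const struct accepted *a = &c->store[i];
        /* Same cert, same host, and no failure beyond those acknowledged. */
        if (strcmp(a->host, c->host) == 0 &&
            strcmp(a->fingerprint, c->presented_fp) == 0 &&
            (failures & ~a->failures) == 0)
            return 0;
    }
    return 1;                          /* anything else: fail closed */
}

/* Demo helper: run the decision against the constructed store. */
static int check(const char *host, const char *fp, int failures)
{
    struct verify_ctx c = { host, fp, sample_store, 1 };
    return verify_cert(&c, failures);
}

int main(void)
{
    printf("accepted cert -> %d\n", check("svn.example.org", "constructed-fp-01", F_UNTRUSTED));
    return 0;
}
```

Because the stored record keeps the exact failure mask the user acknowledged, a previously accepted self-signed certificate is rejected again once it also expires or is presented for a different host.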