Hello community, here is the log from the commit of package subversion.3957 for openSUSE:13.1:Update checked in at 2015-08-18 09:47:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/subversion.3957 (Old) and /work/SRC/openSUSE:13.1:Update/.subversion.3957.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "subversion.3957" Changes: -------- New Changes file: --- /dev/null 2015-07-22 21:25:44.928025004 +0200 +++ /work/SRC/openSUSE:13.1:Update/.subversion.3957.new/subversion.changes 2015-08-18 09:47:12.000000000 +0200 @@ -0,0 +1,3592 @@ +------------------------------------------------------------------- +Thu Aug 6 11:22:12 UTC 2015 - [email protected] + +- Version update to 1.8.14: + This release fixes two vulnerabilities: + * mod_authz_svn: do not leak information in mixed anonymous/authenticated + httpd (dav) configurations (CVE-2015-3184) bnc#939514 + * do not leak paths that were hidden by path-based authz (CVE-2015-3187) + bnc#939517 + Non-security fixes: + * document svn:autoprops + * fix 'svn cp ^/A/D/H@1 ^/A' to properly create A + * improve conflict prompts for binary files + * improve performance of 'ls -v' + * improved Sqlite 3.8.9 query performance + * fixed issue #4580: 'svn -v st' on file externals reports "?" for user/rev + * mod_dav_svn: do not ignore skel parsing errors + * detect invalid svndiff data earlier + * prevent possible repository corruption on power/disk failures + * fixed issue #4577: Read error with some repository nodes + * fixed issue #4531: server-side copy (over dav) is slow + * swig-pl: fix some stack memory problems +- Add patch subversion-1.8.14-httpd-version-number-detection.patch +- Refresh patch: subversion-no-build-date.patch + +------------------------------------------------------------------- +Tue Mar 31 12:00:00 UTC 2015 - [email protected] + +- Apache Subversion 1.8.13 + This release fixes three vulerabilities: + * Subversion HTTP servers with FSFS repositories were vulnerable + to a remotely triggerable excessive memory use with certain + REPORT requests. + (bsc#923793 CVE-2015-0202) + * Subversion mod_dav_svn and svnserve were vulnerable to a + remotely triggerable assertion DoS vulnerability for certain + requests with dynamically evaluated revision numbers. + (bsc#923794 CVE-2015-0248) + * Subversion HTTP servers allow spoofing svn:author property + values for new revisions + (bsc#923795 CVE-2015-0251) +- Non-security updates: + * fixes number of client and server side non-security bugs + * improved working copy performanc + * reduction of resource use + * stability improvements + * usability improvements +- 1.8.12 was not released +- fix sample configuration comments in subversion.conf [boo#916286] +- fix bashisms in mailer-init.sh script + * adding subversion-1.8.10-fix-bashisms.patch + +------------------------------------------------------------------- +Thu Dec 18 14:33:55 UTC 2014 - [email protected] + +- Apache Subversion 1.8.11 +- This release addresses two security issues: [boo#909935] + * CVE-2014-3580: mod_dav_svn DoS from invalid REPORT requests. + * CVE-2014-8108: mod_dav_svn DoS from use of invalid transaction + names. +- Client-side bugfixes: + * checkout/update: fix file externals failing to follow history + and subsequently silently failing + * patch: don't skip targets in valid --git difs + * diff: make property output in diffs stable + * diff: fix diff of local copied directory with props + * diff: fix changelist filter for repos-WC and WC-WC + * remove broken conflict resolver menu options that always error + out + * improve gpg-agent support + * fix crash in eclipse IDE with GNOME Keyring + * fix externals shadowing a versioned directory + * fix problems working on unix file systems that don't support + permissions + * upgrade: keep external registrations + * cleanup: iprove performance of recorded timestamp fixups + * translation updates for German +- Server-side bugfixes: + * disable revprop caching feature due to cache invalidation + problems + * skip generating uniquifiers if rep-sharing is not supported + * mod_dav_svn: reject requests with missing repository paths + * mod_dav_svn: reject requests with invalid virtual transaction + names + * mod_dav_svn: avoid unneeded memory growth in resource walking + +------------------------------------------------------------------- +Thu Aug 7 22:22:08 UTC 2014 - [email protected] + +- Apache Subversion 1.8.10 +- Client-side bugfixes: + * guard against md5 hash collisions when finding cached + credentials [bnc#889849] [CVE-2014-3528] + * ra_serf: properly match wildcards in SSL certs. + [bnc#890511] [CVE-2014-3522] + * ra_serf: ignore the CommonName in SSL certs where there are + Subject Alt Names + * ra_serf: fix a URI escaping bug that prevented deleting locked + paths + * rm: Display the proper URL when deleting a URL in the commit + log editor + * log: Fix another instance of broken pipe error + * copy: Properly handle props not present or excluded on cross wc + copy + * copy: Fix copying parents of locally deleted nodes between wcs + * externals: Properly delete ancestor directories of externals + when removing the external by changing svn:externals. + * ra_serf: fix memory lifetime of some hash values +- Server-side bugfixes: + * fsfs: omit config file when creating pre-1.5 format repos +- Bindings: + * ruby: removing warning about Ruby 1.9 support being new. + * python: fix notify_func callbacks + +------------------------------------------------------------------- +Tue May 13 17:34:59 UTC 2014 - [email protected] + +- Apache Subversion 1.8.9 [bnc#877555] +- Client-side bugfixes: + * log: use proper peg revision over DAV + * upgrade: allow upgrading from 1.7 with exclusive locks + * proplist: resolve inconsitent inherited property results + * increase minimal timestamp sleep from 1ms to 10ms + * merge: automatic merge confused by subtree merge + * propget: report proper error on invalid revision for url + * commit: fix an assertion when committing a deleted descendant + * merge: resolve segfault when '--force' merges a directory + delete + * resolve: prevent interactive conflict resolution when nothing + has been done to resolve the conflict + * update: fix locks lost from wc with pre-1.6.17 servers + * merge: honor the 'preserved-conflict-file-exts' setting + * list: fix '--verbose' against older servers + * unlock: fix ability to remove locks with timeouts + * copy: fix 'svn copy URL WC' on relocated working copies + * export: allow file externals to be exported + * move: fix working copy db inconsistency in cert scenarios + * commit: fix an issue where mixed revision copy with non copy + descendants that shadow a not present node couldn't be committed + * delete: properly remove move_to info when the node in its + original location is removed + * status; fix an issue where output would vary based on if the + target was the node itself or its parent +- Server-side bugfixes: + * svnadmin dump: don't let invalid mergeinfo stop dump + * svnserve: resolve performance regression caused by iprops + * reduce size of memory buffer when reading config files + * remove dead transaction if commit was blocked by hook + * svnrdump load: fix crash when svn:* normalization + * fix memcached support + * svndumpfilter: fix order of node record headers + * mod_dav_svn: allow generic DAV clients to refresh locks + * mod_dav_svn: detect out of dateness correctly during commit +- Developer-visible changes: + * improve consistency checks of DAV inherited property requests + * fix ocassional failure in autoprop_tests.py + * avoid duplicate sqlite analyze information rows + * add Mavericks to our sysinfo output + * bump copyright years to 2014 + * unbreak test suite when running as root + * resolve buffer overflow in testcode + * fix libmagic detection with custom LDFLAGS + * fix an out of scope variable use in merge + * javahl: fix crash from resolve callback throwing an exception + * ruby: fix two memory lifetime bugs + * fix a missing null byte when handling old pre-1.4 deltas + * fix building with APR 0.9.x + * make svn_ra_get_locks() and svn_ra_get_lock() report not locked + nodes with a NULL svn_lock_t *, as documented + * fix tests for compiler flags +- Packaging changes: + * adds subversion-1.8.9-allow-httpd-2.4.6.patch to allow building + against blacklisted httpd 2.4.6 which has the required patches + * update subversion-no-build-date.patch for context changes + +------------------------------------------------------------------- +Thu Feb 20 23:44:35 UTC 2014 - [email protected] + +- Apache Subversion 1.8.8 + fix a remotely triggerable segfault in mod_dav_svn when svn is + handling the server root and SVNListParentPath is on + [bnc#862459] CVE-2014-0032 +- Client-side bugfixes: + * fix automatic relocate for wcs not at repository root + * wc: improve performance when used with SQLite 3.8 + * copy: fix some scenarios that broke the working copy + * move: fix errors when moving files between an external and the + parent working copy + * log: resolve performance regression in certain scenarios + * merge: decrease work to detect differences between 3 files + * commit: don't change file permissions inappropriately + * commit: fix assertion due to invalid pool lifetime + * version: don't cut off the distribution version on Linux + * flush stdout before exiting to avoid information being lost + * status: fix missing sentinel value on warning codes + * update/switch: improve some WC db queries that may return + incorrect results depending on how SQLite is built ++++ 3395 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.subversion.3957.new/subversion.changes New: ---- contrib-1485350.tar.bz2 sqlite-amalgamation-3071501.zip subversion-1.8.10-fix-bashisms.patch subversion-1.8.14-httpd-version-number-detection.patch subversion-1.8.14.tar.bz2 subversion-1.8.14.tar.bz2.asc subversion-1.8.9-allow-httpd-2.4.6.patch subversion-no-build-date.patch subversion-swig-perl-install_vendor.patch subversion.README.SuSE subversion.changes subversion.conf subversion.keyring subversion.libtool-pie-flags.patch subversion.libtool-verbose.patch subversion.perl.LD_RUN_PATH.patch subversion.rcsvnserve subversion.rpmlintrc subversion.spec subversion.svndiff.sh subversion.svngrep.sh subversion.sysconfig.svnserve subversion.sysconfig.svnserve.remoteaccess subversion.xinetd.svnserve svnserve.service svnserve.tmpfiles swig-1.3.36.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ subversion.spec ++++++ ++++ 841 lines (skipped) ++++++ subversion-1.8.10-fix-bashisms.patch ++++++ From: Oleksandr Chumachenko <[email protected]> Date: Thu Nov 20 19:44:10 2014 UTC Subject: [PATCH] Remove bashism in mailer.py test suite References: http://svn.apache.org/viewvc?view=revision&revision=r1640795 Upstream: committed * mailer/tests/mailer-init.sh Change echo -e to more portable printf --- tools/hook-scripts/mailer/tests/mailer-init.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: subversion-1.8.10/tools/hook-scripts/mailer/tests/mailer-init.sh =================================================================== --- subversion-1.8.10.orig/tools/hook-scripts/mailer/tests/mailer-init.sh 2013-02-25 03:30:54.000000000 +0000 +++ subversion-1.8.10/tools/hook-scripts/mailer/tests/mailer-init.sh 2014-11-20 19:00:52.000000000 +0000 @@ -101,14 +101,14 @@ echo change C6 >> dir6/file4 svn commit -m "copy dir, then make a change" # add a binary file and set property to binary value -echo -e "\x00\x01\x02\x03\x04" > file11 +printf "\x00\x01\x02\x03\x04\n" > file11 svn add file11 svn ps svn:mime-type application/octect-stream file11 svn ps prop2 -F file11 file9 svn commit -m "add binary file" # change the binary file and set property to non binary value -echo -e "\x20\x01\x02\x20" > file11 +printf "\x20\x01\x02\x20\n" > file11 svn ps prop2 propval2 file9 svn commit -m "change binary file" ++++++ subversion-1.8.14-httpd-version-number-detection.patch ++++++ diff -ur subversion-1.8.14.orig/build/ac-macros/apache.m4 subversion-1.8.14/build/ac-macros/apache.m4 --- subversion-1.8.14.orig/build/ac-macros/apache.m4 Mon Jul 27 02:23:40 2015 +++ subversion-1.8.14/build/ac-macros/apache.m4 Tue Jul 28 11:08:30 2015 @@ -164,7 +164,7 @@ if ! test -e $HTTPD ; then HTTPD="`$APXS -q bindir`/`$APXS -q PROGNAME`" fi - HTTPD_VERSION=["`$HTTPD -v | $SED -e 's@^.*/\([0-9.]*\)\(.*$\)@\1@ ; 1q'`"] + HTTPD_VERSION=["`$HTTPD -v | $SED -e 's/^.*Apache\/\([0-9.]*\).*$/\1/' -e 1q`"] AC_ARG_ENABLE(broken-httpd-auth, AS_HELP_STRING([--enable-broken-httpd-auth], [Allow building against httpd 2.4 with broken auth]), ++++++ subversion-1.8.9-allow-httpd-2.4.6.patch ++++++ From: Andreas Stieger <[email protected]> Date: Wed, 07 May 2014 20:55:04 +0100 Subject: Allow building against blacklisted Apache httpd 2.4.6 References: [bnc#864308] Upstream: no Apache httpd in openSUSE 13.1 is 2.4.6. The mod_dav in this version is problematic for Apache Subversion and it is blacklisted in via configure macros in the 1.8.9 release of svn and up. The relevant patches have been applied to the apache2 package in openSUSE:13.1:Update and the update has been released, [bnc#864308]. This patch enables building Subversion against this fixed package. --- build/ac-macros/apache.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: subversion-1.8.9/build/ac-macros/apache.m4 =================================================================== --- subversion-1.8.9.orig/build/ac-macros/apache.m4 2014-04-24 05:01:08.000000000 +0100 +++ subversion-1.8.9/build/ac-macros/apache.m4 2014-05-07 20:52:04.000000000 +0100 @@ -128,7 +128,7 @@ if test -n "$APXS" && test "$APXS" != "n AC_MSG_CHECKING([mod_dav version]) old_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$CPPFLAGS $SVN_APR_INCLUDES" - blacklisted_versions_regex=["\"2\" \"\.\" (\"2\" \"\.\" \"25\"|\"4\" \"\.\" \"[56]\")"] + blacklisted_versions_regex=["\"2\" \"\.\" (\"2\" \"\.\" \"25\"|\"4\" \"\.\" \"[5]\")"] AC_EGREP_CPP([apache_version= *$blacklisted_versions_regex], [ #include "$APXS_INCLUDE/ap_release.h" ++++++ subversion-no-build-date.patch ++++++ From: Andreas Stieger <[email protected]> Date: Wed, 06 Mar 2013 00:05:08 +0000 Subject: Remove volatile build information Upstream: never Prevent unneccessary rebuilds of binary packages differing only by date, time and build host. --- subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java | 4 ++-- subversion/libsvn_subr/opt.c | 8 ++------ subversion/libsvn_subr/version.c | 4 ++-- subversion/tests/cmdline/getopt_tests_data/svn--version--verbose_stdout | 1 - subversion/tests/cmdline/getopt_tests_data/svn--version_stdout | 1 - 5 files changed, 6 insertions(+), 12 deletions(-) Index: subversion-1.8.9/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java =================================================================== --- subversion-1.8.9.orig/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java 2014-05-07 20:10:17.000000000 +0100 +++ subversion-1.8.9/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java 2014-05-07 20:10:26.000000000 +0100 @@ -140,10 +140,10 @@ public class BasicTests extends SVNTests { VersionExtended vx = client.getVersionExtended(false); String result = vx.getBuildDate(); - if (result == null || result.trim().length() == 0) + if (result == null) throw new Exception("Build date empty"); result = vx.getBuildTime(); - if (result == null || result.trim().length() == 0) + if (result == null) throw new Exception("Build time empty"); result = vx.getBuildHost(); if (result == null || result.trim().length() == 0) Index: subversion-1.8.9/subversion/libsvn_subr/opt.c =================================================================== --- subversion-1.8.9.orig/subversion/libsvn_subr/opt.c 2014-05-07 20:10:17.000000000 +0100 +++ subversion-1.8.9/subversion/libsvn_subr/opt.c 2014-05-07 20:10:26.000000000 +0100 @@ -1114,12 +1114,8 @@ svn_opt__print_version_info(const char * if (quiet) return svn_cmdline_printf(pool, "%s\n", SVN_VER_NUMBER); - SVN_ERR(svn_cmdline_printf(pool, _("%s, version %s\n" - " compiled %s, %s on %s\n\n"), - pgm_name, SVN_VERSION, - svn_version_ext_build_date(info), - svn_version_ext_build_time(info), - svn_version_ext_build_host(info))); + SVN_ERR(svn_cmdline_printf(pool, _("%s, version %s\n\n"), + pgm_name, SVN_VERSION)); SVN_ERR(svn_cmdline_printf(pool, "%s\n", svn_version_ext_copyright(info))); if (footer) Index: subversion-1.8.9/subversion/libsvn_subr/version.c =================================================================== --- subversion-1.8.9.orig/subversion/libsvn_subr/version.c 2014-05-07 20:10:17.000000000 +0100 +++ subversion-1.8.9/subversion/libsvn_subr/version.c 2014-05-07 20:10:26.000000000 +0100 @@ -132,8 +132,8 @@ svn_version_extended(svn_boolean_t verbo { svn_version_extended_t *info = apr_pcalloc(pool, sizeof(*info)); - info->build_date = __DATE__; - info->build_time = __TIME__; + info->build_date = ""; + info->build_time = ""; info->build_host = SVN_BUILD_HOST; info->copyright = apr_pstrdup (pool, _("Copyright (C) 2015 The Apache Software Foundation.\n" Index: subversion-1.8.9/subversion/tests/cmdline/getopt_tests_data/svn--version--verbose_stdout =================================================================== --- subversion-1.8.9.orig/subversion/tests/cmdline/getopt_tests_data/svn--version--verbose_stdout 2014-05-07 20:10:17.000000000 +0100 +++ subversion-1.8.9/subversion/tests/cmdline/getopt_tests_data/svn--version--verbose_stdout 2014-05-07 20:10:26.000000000 +0100 @@ -1,5 +1,4 @@ svn, version 1.8.0-dev (under development) - compiled Sep 10 2012, 14:00:24 on i386-apple-darwin11.4.0 Copyright (C) 2012 The Apache Software Foundation. This software consists of contributions made by many people; Index: subversion-1.8.9/subversion/tests/cmdline/getopt_tests_data/svn--version_stdout =================================================================== --- subversion-1.8.9.orig/subversion/tests/cmdline/getopt_tests_data/svn--version_stdout 2014-05-07 20:10:17.000000000 +0100 +++ subversion-1.8.9/subversion/tests/cmdline/getopt_tests_data/svn--version_stdout 2014-05-07 20:10:26.000000000 +0100 @@ -1,5 +1,4 @@ svn, version 0.16.0 (r3987) - compiled Dec 5 2002, 00:02:51 Copyright (C) 2010 The Apache Software Foundation. This software consists of contributions made by many people; ++++++ subversion-swig-perl-install_vendor.patch ++++++ Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: subversion-1.8.0-rc2/Makefile.in =================================================================== --- subversion-1.8.0-rc2.orig/Makefile.in 2013-05-14 20:24:53.000000000 +0100 +++ subversion-1.8.0-rc2/Makefile.in 2013-05-14 20:24:54.000000000 +0100 @@ -780,7 +780,7 @@ check-swig-pl: swig-pl swig-pl-lib cd $(SWIG_PL_DIR)/native; $(MAKE) test install-swig-pl: swig-pl install-swig-pl-lib - cd $(SWIG_PL_DIR)/native; $(MAKE) install + cd $(SWIG_PL_DIR)/native; $(MAKE) install_vendor EXTRACLEAN_SWIG_PL=rm -f $(SWIG_PL_SRC_DIR)/native/svn_*.c \ $(SWIG_PL_SRC_DIR)/native/core.c ++++++ subversion.README.SuSE ++++++ Quickstart document for Apache Subversion on openSUSE. For the full documentation, install the package subversion-doc and see /usr/share/doc/packages/subversion/html/book/svn-book.html An online version can be found at http://svnbook.red-bean.com/ Topics: 0. upgrading to Apache Subversion 1.8 1. mini-howto 2. allowing anonymous read access 3. serving several repositories with SVNParentPath 4. serving the repositories at "/" 5. running svnserve 6. quickstart for mod_dontdothat ================================================================================ 0. upgrading to Apache Subversion 1.8 - concerns when upgrading from earlier versions * Upgrading the Working Copy 1.8 introduces a new working copy format. One-time execution of "svn upgrade" required. After that, clients earlier than 1.8 will be unable to use the working copy. Working copy must have been created using 1.6 or 1.7. For details, please see: https://subversion.apache.org/docs/release-notes/1.8.html#wc-upgrade * Upgrading the Repository 1.8 can read and write repositories created by earlier versions. "svnadmin upgrade" may be used to upgrade to FSFS format 6 of 1.8, after which the repository will be no longer be usable for 1.7 servers. An optional dump/load cycle may be used to apply FSFS improvements to past revisions. https://subversion.apache.org/docs/release-notes/1.8.html#compatibility https://subversion.apache.org/docs/release-notes/1.8.html#fsfs-enhancements * Required configuration changes when using mod_dav_svn with Apache httpd2: The MaxKeepAliveRequests option in httpd.conf needs to be increased from 100 (the default) to at least 1000 (there is no reason why it could not be 10000). This will improve performance by allowing serf clients to use fewer TCP connections to the server. Clients using neon will also work fine with this configuration. ================================================================================ 1. mini-howto To run a subversion server, you need to configure apache2 to load two modules: mod_dav and mod_dav_svn. zypper in subversion-server a2enmod dav a2enmod dav_svn A default/example configuration of the dav_svn module can be found in /etc/apache2/conf.d/subversion.conf. The current default configuration automatically includes this file the default server configuration. The MaxKeepAliveRequests option in httpd.conf needs to be increased from 100 (the default) to at least 1000 (there is no reason why it could not be 10000). This will improve performance by allowing serf clients to use fewer TCP connections to the server. Clients using neon will also work fine with this configuration. Create some directories to contain the repositories and other files: mkdir -p /srv/svn/repos mkdir -p /srv/svn/user_access mkdir -p /srv/svn/html Edit /etc/apache2/conf.d/subversion.conf and uncomment the desired sections. The first section "project related HTML files" is optional and will allow you to return some static content when /repos is accessed alone. If you do not need this, discard this section. If instead you wish to show a list of repositories, set "SVNListParentPath on" later. See for details: http://svnbook.red-bean.com/en/1.8/svn.serverconfig.httpd.html#svn.serverconfig.httpd.extra.browsing.reposlisting The section following that will configure a repository to be served out of the path /srv/svn/repos/myproject1. Note that the location "/repo/myproject1" and "SVNPath" is specified explicitly, see section 3 for an alternative. To create the repository itself: cd /srv/svn/repos svnadmin create project1 chown -R wwwrun:www project1/{db,locks} If using svnserve is not planned, /srv/svn/repos may be owned by wwrun:www. Otherwise see instruction in the svnserve section on how to use the user and group svn. The webserver must be (re)started: rcapache2 restart To create the user access files: touch /srv/svn/user_access/project1_passwdfile chown root:www /srv/svn/user_access/project1_passwdfile chmod 640 /srv/svn/user_access/project1_passwdfile htpasswd2 /srv/svn/user_access/project1_passwdfile user1 htpasswd2 /srv/svn/user_access/project1_passwdfile user2 Create the group file for project1: /srv/svn/user_access/project1_groupfile project1_committers: user2 project1_readers: user1 user2 You can test access by: svn info http://127.0.0.1/repos/project1 ================================================================================ 2. allowing anonymous read access To allow anonymous read access, remove the <Limit GET...> section and move the three Auth* statements into the <LimitExcept GET...> section. ================================================================================ 3. serving several repositories with SVNParentPath When serving several repositories, instead of specifying each location with SVNPath in a separate location, you can use SVNParentPath with a single location. Change the <Location ...> directive form the template to start with the following: <Location /repos/> DAV svn SVNParentPath /srv/svn/repos SVNListParentPath on Do not forget to restart the apache service to make the configuration effective. service apache2 restart ================================================================================ 4. serving the repositories at "/" Include the configuration into the relevant vhost configuration. Uncomment the section in the template files labeled 'Hosting svn at "/"' and adjust as required. Note that this example uses "SVNParentPath" as given in the previous section. ================================================================================ 5. running svnserve Subversion repositories can be via the svnserve daemon and a special network protocol. svnserve should not run as root user. The startup scripts expects a user/group named 'svn', configureable via /etc/sysconfig/svnserve. The subversion package now creates a user and group svn. If you want to expose the repository via both svnserve and mod_dav_svn (Apache httpd) in parallel, ensure that the apache user is part of the svn group. usermod -A svn wwwrun This requires a restart of the apache2 service to become effective. Change the permissions to let the svn group write, and set the setgid flag on the repositories. chown -R svn:svn /srv/svn/repos chmod -R g+ws /srv/svn/repos Then proceed to create repositories using svnadmin create described above. In either case, if using svnserve, ensure that the repositories are owned by svn:svn. The settings files with the options passed to the daemon is is located in: /etc/sysconfig/svnserve To start, ensure proper ownership of repositories and run: service svnserve start For further information about multi-method repository access, see http://svnbook.red-bean.com/en/1.8/svn.serverconfig.multimethod.html You can test repository access by: svn info svn://127.0.0.1/project1 Please note that by default, svnserve is configured to be started with -R, meaning read-only access only. Remove to allow write access, after you have configured access via /srv/svn/repos/repo1/conf/svnserve.conf To configue authentication for svnserve, see http://svnbook.red-bean.com/en/1.8/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth ================================================================================ 6. quickstart for mod_dontdothat The apache module mod_dontdothat can be used to prevent users from causing high load on the server, e.g. checking out the root of the tree or the tags or branches directories. Make sure mod_dontdothat is loaded: $ a2enmod dontdothat Add configuration for the module, e.g. <Location /> DAV svn SVNParentPath /srv/svn/repos/ SVNListParentPath on # [...other configuration...] <IfModule mod_dontdothat.c> DontDoThatConfigFile /srv/svn/mod_dontdothat.config DontDoThatDisallowReplay off </IfModule> </Location> Restart apache to make the change effective. A fairly standard file /srv/svn/mod_dontdothat.config may contain: [recursive-actions] /*/trunk = allow / = deny /* = deny /*/tags = deny /*/branches = deny /*/* = deny /*/*/tags = deny /*/*/branches = deny This allows checking out of /trunk and each branch, but disallows checking out all branches or the complete repository at once. ++++++ subversion.conf ++++++ # Example configuration for a subversion repository # Install the package subversion-doc and see # /usr/share/doc/packages/subversion for the full documentation # An online version can be found at http://svnbook.red-bean.com/ # <IfModule mod_dav_svn.c> ## ## project related HTML files ## #<IfModule mod_alias.c> #Alias /repos /srv/svn/html #</IfModule> #<Directory /srv/svn/html> # Options +Indexes +Multiviews -FollowSymLinks # IndexOptions FancyIndexing \ # ScanHTMLTitles \ # NameWidth=* \ # DescriptionWidth=* \ # SuppressLastModified \ # SuppressSize # # order allow,deny # allow from all #</Directory> #<Location /repos/myproject1> # DAV svn # SVNPath /srv/svn/repos/myproject1 # # AuthType Basic # AuthName "Authorization Realm" # AuthUserFile /srv/svn/user_access/myproject1_passwdfile # AuthGroupFile /srv/svn/user_access/myproject1_groupfile # # # Limit read access to certain people # <Limit GET PROPFIND OPTIONS REPORT> # # uncomment to require SSL connection for password protection. # # SSLRequireSSL # Require group project1_committers # Require group project1_readers # </Limit> # # # Limit write permission to list of valid users. # <LimitExcept GET PROPFIND OPTIONS REPORT> # # uncomment to require SSL connection for password protection. # # SSLRequireSSL # Require group project1_committers # </LimitExcept> # #</Location> ## ## Hosting svn at "/" ## #<VirtualHost *> # ServerName svn.example.com # ErrorLog /var/log/apache2/svn.example.com-error_log # TransferLog /var/log/apache2/svn.example.com-access_log # # # # Do not set DocumentRoot. It is not needed here and just causes trouble. # # # # Map the error documents back to their defaults. # # Otherwise mod_dav_svn tries to find a "error" repository. # # # ErrorDocument 400 default # ErrorDocument 401 default # ErrorDocument 403 default # ErrorDocument 404 default # ErrorDocument 405 default # ErrorDocument 408 default # ErrorDocument 410 default # ErrorDocument 411 default # ErrorDocument 412 default # ErrorDocument 413 default # ErrorDocument 414 default # ErrorDocument 415 default # ErrorDocument 500 default # ErrorDocument 501 default # ErrorDocument 502 default # ErrorDocument 503 default # # # <Location /> # DAV svn # SVNParentPath /srv/svn/repos/ # SVNListParentPath on # AuthType Basic # AuthName "subversion repository" # AuthBasicProvider file # AuthUserFile /srv/svn/auth/svn.example.org.htpasswd # SetOutputFilter DEFLATE # <LimitExcept GET PROPFIND OPTIONS REPORT> # Require valid-user # </LimitExcept> # # # # Optional configuration for mod_dontdothat # # prevent users from causing high load on the server, e.g. checking out # # the root of the tree or the tags or branches directories # # # #<IfModule mod_dontdothat.c> # # DontDoThatConfigFile /srv/svn/mod_dontdothat.config # # DontDoThatDisallowReplay off # #</IfModule> # </Location> #</VirtualHost> </IfModule> ++++++ subversion.keyring ++++++ ++++ 13754 lines (skipped) ++++++ subversion.libtool-pie-flags.patch ++++++ --- Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: subversion-nightly/Makefile.in =================================================================== --- subversion-nightly.orig/Makefile.in 2013-03-17 20:02:10.000000000 +0000 +++ subversion-nightly/Makefile.in 2013-03-17 20:02:15.000000000 +0000 @@ -228,8 +228,8 @@ libsvn_subr_LDFLAGS = @libsvn_subr_LDFLA libsvn_wc_LDFLAGS = @libsvn_wc_LDFLAGS@ # Compilation of SWIG-generated C source code -COMPILE_PY_WRAPPER = $(LIBTOOL) $(LTFLAGS) --mode=compile $(SWIG_PY_COMPILE) $(LT_CFLAGS) $(CPPFLAGS) $(SWIG_PY_INCLUDES) -prefer-pic -c -o $@ -COMPILE_RB_WRAPPER = $(LIBTOOL) $(LTFLAGS) --mode=compile $(SWIG_RB_COMPILE) $(LT_CFLAGS) $(CPPFLAGS) $(SWIG_RB_INCLUDES) -prefer-pic -c -o $@ +COMPILE_PY_WRAPPER = $(LIBTOOL) $(LTFLAGS) --mode=compile $(SWIG_PY_COMPILE) $(LT_CFLAGS) $(CPPFLAGS) $(SWIG_PY_INCLUDES) -fpie -fPIE -prefer-pic -c -o $@ +COMPILE_RB_WRAPPER = $(LIBTOOL) $(LTFLAGS) --mode=compile $(SWIG_RB_COMPILE) $(LT_CFLAGS) $(CPPFLAGS) $(SWIG_RB_INCLUDES) -fpie -fPIE -prefer-pic -c -o $@ # these commands link the wrapper objects into an extension library/module LINK_PY_WRAPPER = $(LIBTOOL) $(LTFLAGS) --mode=link $(SWIG_PY_LINK) $(SWIG_LDFLAGS) -rpath $(swig_pydir) -avoid-version -module ++++++ subversion.libtool-verbose.patch ++++++ --- Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: subversion-nightly/Makefile.in =================================================================== --- subversion-nightly.orig/Makefile.in 2013-03-15 12:21:46.000000000 +0000 +++ subversion-nightly/Makefile.in 2013-03-17 20:02:04.000000000 +0000 @@ -112,8 +112,8 @@ EXEEXT = @EXEEXT@ SHELL = @SHELL@ LIBTOOL = @SVN_LIBTOOL@ -LTFLAGS = --tag=CC --silent -LTCXXFLAGS = --tag=CXX --silent +LTFLAGS = --tag=CC +LTCXXFLAGS = --tag=CXX LT_CFLAGS = @LT_CFLAGS@ LT_LDFLAGS = @LT_LDFLAGS@ LT_SO_VERSION = @SVN_LT_SOVERSION@ ++++++ subversion.perl.LD_RUN_PATH.patch ++++++ clear LD_RUN_PATH, it will end up as RPATH in ELF binaries ERROR: RPATH "/usr/src/packages/BUILD/subversion-1.5.x/subversion/libsvn_subr/.libs" on /var/tmp/subversion-1.5.0-build/usr/lib/perl5/vendor_perl/5.10.0/ppc-linux-thread-multi-64int/auto/SVN/_Wc/_Wc.so is not allowed --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: subversion-1.8.0-rc2/Makefile.in =================================================================== --- subversion-1.8.0-rc2.orig/Makefile.in 2013-05-14 20:25:00.000000000 +0100 +++ subversion-1.8.0-rc2/Makefile.in 2013-05-14 20:25:01.000000000 +0100 @@ -760,7 +760,7 @@ $(SWIG_PL_DIR)/native/Makefile.PL: $(SWI ./config.status subversion/bindings/swig/perl/native/Makefile.PL $(SWIG_PL_DIR)/native/Makefile: $(SWIG_PL_DIR)/native/Makefile.PL - cd $(SWIG_PL_DIR)/native; $(PERL) Makefile.PL + cd $(SWIG_PL_DIR)/native; $(PERL) Makefile.PL ; for i in `grep -wl ^LD_RUN_PATH Makefile Makefile.[^P]*` ; do sed -i 's@^LD_RUN_PATH.*@LD_RUN_PATH=@' $$i ; done # There is a "readlink -f" command on some systems for the same purpose, # but it's not as portable (e.g. Mac OS X doesn't have it). These should ++++++ subversion.rcsvnserve ++++++ #! /bin/sh # Copyright (c) 1995-2011 SuSE Linux AG, Nuernberg, Germany. # All rights reserved. # # /etc/init.d/svnserve # and its symbolic link # /usr/sbin/rcsvnserve # # LSB compatible service control script; see http://www.linuxbase.org/spec/ # # Note: This script uses functions rc_XXX defined in /etc/rc.status on # UnitedLinux (UL) based Linux distributions. If you want to base your # script on this template and ensure that it works on non UL based LSB # compliant Linux distributions, you either have to provide the rc.status # functions from UL or change the script to work without them. ### BEGIN INIT INFO # Provides: svnserve # Required-Start: # Should-Start: $time ypbind sendmail $syslog $remote_fs # Required-Stop: $syslog $remote_fs # Should-Stop: $time ypbind sendmail # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: svnserve # Description: readonly access to a subversion repository ### END INIT INFO # Note on runlevels: # 0 - halt/poweroff 6 - reboot # 1 - single user 2 - multiuser without network exported # 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) # # Note on script names: # http://www.linuxbase.org/spec/refspecs/LSB_1.2.0/gLSB/scrptnames.html # A registry has been set up to manage the init script namespace. # http://www.lanana.org/ # Please use the names already registered or register one or use a # vendor prefix. # Check for missing binaries (stale symlinks should not happen) SVNSERVE_BIN=/usr/bin/svnserve test -x $SVNSERVE_BIN || exit 5 # Check for existence of needed config file and read it SVNSERVE_CONFIG=/etc/sysconfig/svnserve test -r $SVNSERVE_CONFIG || exit 6 . $SVNSERVE_CONFIG # Source LSB init functions # providing start_daemon, killproc, pidofproc, # log_success_msg, log_failure_msg and log_warning_msg. # This is currently not used by UnitedLinux based distributions and # not needed for init scripts for UnitedLinux only. If it is used, # the functions from rc.status should not be sourced or used. #. /lib/lsb/init-functions # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v be verbose in local rc status and clear it afterwards # rc_status -v -r ditto and clear both the local and overall rc status # rc_status -s display "skipped" and exit with status 3 # rc_status -u display "unused" and exit with status 3 # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num> # rc_reset clear both the local and overall rc status # rc_exit exit appropriate to overall rc status # rc_active checks whether a service is activated by symlinks # rc_splash arg sets the boot splash screen to arg (if active) . /etc/rc.status # Reset status of this service rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - user had insufficient privileges # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) # # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signaling is not supported) are # considered a success. case "$1" in start) echo -n "Starting svnserve " ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. UID_ENT="$(/usr/bin/getent passwd $SVNSERVE_USERID)" GID_ENT="$(/usr/bin/getent group $SVNSERVE_GROUPID)" if test -z "$SVNSERVE_USERID" -o -z "$UID_ENT" then echo echo "User $SVNSERVE_USERID does not exist." echo "Please check $SVNSERVE_CONFIG before starting this service." rc_failed elif test -z "$SVNSERVE_GROUPID" -o -z "$GID_ENT" then echo echo "Group $SVNSERVE_GROUPID does not exist." echo "Please check $SVNSERVE_CONFIG before starting this service." rc_failed else startproc -u "$SVNSERVE_USERID" -g "$SVNSERVE_GROUPID" -e $SVNSERVE_BIN $SVNSERVE_OPTIONS fi # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down svnserve " ## Stop daemon with killproc(8) and if this fails ## killproc sets the return value according to LSB. killproc -TERM $SVNSERVE_BIN # Remember status and be verbose rc_status -v ;; try-restart) ## Do a restart only if the service was active before. ## Note: try-restart is not (yet) part of LSB (as of 1.2) $0 status >/dev/null && $0 restart # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) echo -n "Reload service svnserve " $0 stop && $0 start #rc_status ;; status) echo -n "Checking for service svnserve " ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. # Return value is slightly different for the status command: # 0 - service up and running # 1 - service dead, but /var/run/ pid file exists # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running (unused) # 4 - service status unknown :-( # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) # NOTE: checkproc returns LSB compliant status values. checkproc $SVNSERVE_BIN # NOTE: rc_status knows that we called this init script with # "status" option and adapts its messages accordingly. rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload}" exit 1 ;; esac rc_exit ++++++ subversion.rpmlintrc ++++++ # libsvn_subr calls exit as part of the default malfunction handler. # That's OK. Library users are expected to override the default handler. addFilter("subversion.*shared-lib-calls-exit.*libsvn_subr-1.so.*") ++++++ subversion.svndiff.sh ++++++ #!/bin/bash # stupid svn has no 'svn diff -v -R $bignum' to grab all info for a single patch export TZ=UTC export LANG=C export LC_ALL=C shopt -s extglob case "$1" in r+([0-9])) rev=${1#?} shift ;; +([0-9])) rev=$1 shift ;; esac if test -z "$rev" then echo "Usage: $0 <svnrepo revision number>" exit 1 fi revprev=$(($rev - 1 )) svn log -v -r $rev "$@" svn diff -r $revprev:$rev "$@" ++++++ subversion.svngrep.sh ++++++ #!/bin/sh find \( -path '*/.pc' -o -path '*/.svn' -o -path '*/.git' -o -path '*/.hg' \) -prune -o -type f -print0 | xargs -0 grep "$@" ++++++ subversion.sysconfig.svnserve ++++++ ## Path: Network/Subversion/svnserve ## Description: Basic configuration for svnserve ## Type: string ## Default "-d -R -r /srv/svn/repos" # # Default options for the svnserve process. # The -R option enforces read-only access, i.e. write operations to the # repository (such as commits) will not be allowed. # Authentication should be configured before allowing write access. # See http://svnbook.red-bean.com/en/1.8/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth # SVNSERVE_OPTIONS="-d -R -r /srv/svn/repos" ## Type: string ## Default "svn" # # svnserve should run as unprivileged user. # If you want to expose the repository via both svnserve and mod_dav_svn # (Apache httpd) in parallel, ensure that the apache user is part of the # svn group and the setgid flag is set on the repositories # usermod -A svn wwwrun # chmod -R g+s /srv/svn/repos # See http://svnbook.red-bean.com/en/1.8/svn.serverconfig.multimethod.html # SVNSERVE_USERID="svn" ## Type: string ## Default "svn" # # svnserve should run as unprivileged user. # If you want to expose the repository via both svnserve and mod_dav_svn # (Apache httpd) in parallel, ensure that the apache user is part of the # svn group and the setgid flag is set on the repositories # usermod -A svn wwwrun # chmod -R g+s /srv/svn/repos # See http://svnbook.red-bean.com/en/1.8/svn.serverconfig.multimethod.html # SVNSERVE_GROUPID="svn" ++++++ subversion.sysconfig.svnserve.remoteaccess ++++++ ## Name: svnserve ## Description: Open ports for svnserve TCP="svn" ++++++ subversion.xinetd.svnserve ++++++ # default: off # description: readonly access to a subversion repository service svn { disable = yes socket_type = stream protocol = tcp wait = no user = svn group = svn groups = yes server = /usr/bin/svnserve server_args = --read-only --root=/srv/svn/repos --inetd } ++++++ svnserve.service ++++++ [Unit] Description=Subversion protocol daemon After=syslog.target network.target [Service] Type=forking EnvironmentFile=/etc/sysconfig/svnserve User=svn Group=svn PIDFile=/var/run/svnserve/svnserve.pid ExecStart=/usr/bin/svnserve --daemon --pid-file=/var/run/svnserve/svnserve.pid $SVNSERVE_OPTIONS [Install] WantedBy=multi-user.target ++++++ svnserve.tmpfiles ++++++ D /var/run/svnserve 0755 svn svn -
