If you run an svn checkout on the production server, I don't see how that is more insecure than plugging in a removable drive. Just do svn+ssh and type the password when you do svn up. It will be a great time saver. If someone compromises your svn repo, you always have the option to not do svn up on the server, as you will be able to see any unauthorized changes in the history. If someone compromises your production server, they will be able to do a lot more to break your server, and the flash drive vs svn checkout shouldn't be an issue at that point.
If it is the requirement of having your development network connected to the internet that the management is skittish about, just have one machine that doesn't do NAT between the development network and everything else. Have it host your svn repo, and have it run **only** ssh. On the outside, restrict it to only let logins from the server(s) that will be doing the svn up. I think that the (very very low) security risk in that setup will be a wonderful time saver for you, and definitely worth it.

Jeff Anderson

Ken Snyder wrote:
> I am programming in a somewhat common security setup where the
> development network is not connected to outside networks. There are
> only two ways to copy deployments to test and production: removable
> media and a copy script using a Linux server that pushes files from
> dev to production or production to dev.
>
> We developers would like to make our weekly deployments by simply
> having the production machines svn checkout and svn update from our
> svn release branch. However, technically minded upper managers see
> such a network setup as too insecure. The developers are interested
> in saving time as our weekly deployments span 25 to 50 files per week
> across several web applications.
>
> Is the time savings worth the security risk?
>
> - Ken Snyder
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
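Added example, not part of the original messages: one way to configure the ssh-only repository host described in the reply so that only the production server can log in, and only to run svnserve. The account name `svn`, the repository path `/srv/svn`, the host label `prod-web1`, the address 192.0.2.10 (documentation range) and the key material are assumptions to be replaced with local values.

```conf
# --- /etc/ssh/sshd_config on the repository host (outside-facing sshd) ---
# Assumption: a dedicated system account "svn" owns the repository.

PermitRootLogin no

# Only the svn account may log in, and only from the production
# server that will run "svn up" (192.0.2.10 is a placeholder address).
AllowUsers svn@192.0.2.10

# The host exists to serve the repository, not to relay traffic
# between the production side and the development network.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Whatever command the client asks for, run svnserve in tunnel mode,
# rooted at the repository directory (placeholder path).
Match User svn
    ForceCommand svnserve -t -r /srv/svn

# --- ~svn/.ssh/authorized_keys on the repository host (one line per key) ---
# Per-key restrictions: source address, forced command, no forwarding, no pty.
# --tunnel-user sets the name svnserve treats as the authenticated user for
# this key; ForceCommand above still wins for the command that actually runs,
# so keep one of the two mechanisms if per-key names are needed.
from="192.0.2.10",command="svnserve -t -r /srv/svn --tunnel-user=prod-web1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA...PLACEHOLDER_PUBLIC_KEY prod-web1
```

With this in place the production server checks out with a URL of the form `svn+ssh://svn@REPO_HOST/PROJECT/...`, and a login from any other address or any other account is refused by sshd before svnserve starts.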
