On Thu, Feb 16, 2017 at 06:52:57PM -0500, Adam Jensen wrote:
> On Thu, 16 Feb 2017 14:03:57 -0800
> Konstantin Olchanski <olcha...@triumf.ca> wrote:
> [snip]
> > For secure access, you must use passwords (unless you export read-only repo)
> > and to have passwords, you must use encrypted connection (https). Simplest
> > https setup with password is through apache httpd.
>
> svnserve has password based access control, and data-stream encryption is
> available through SASL.
>
I will bite.

I know apache httpd https and password protection are considered secure.

I do not know such a thing about svnserve (with or without SASL, which is
just a layer on top of https, the best I can tell).

In other words, is there anybody who would vouch for the security
of bare svnserve (with SASL or whatever)?

For apache httpd and with https (SSL/TLS) there is a database of attacks,
exploits and weaknesses and solutions to them, security bulletins from
respected vendors stating that all known attacks and weaknesses are resolved,
automatic tools to check for bad security configuration (ssllabs scanner).

Is there anything like this for svnserve? Even one CVE? No? Then it is secure
because it is obscure?

--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada