Re: ASF Subversion version

2021-12-12 Thread Luke Mauldin
That really is unfortunate to hear about the lack of funding. I see in the past 
few years there has been a lot of work done on the conflict resolver in version 
10 and multiple stash implementations in versions 11+. Are those efforts being 
driven by people just working on it in their “spare time”?

Luke

> On Dec 11, 2021, at 10:21 AM, Stefan Sperling  wrote:
> 
> On Sat, Dec 11, 2021 at 06:59:31AM -0600, Luke Mauldin wrote:
>> Does the subversion project receive any funding from the ASF to hire
>> professional developers to complete more complex tasks or is development 100%
>> community driven and supported?
> 
> The ASF does not pay anyone for development. I think this is an unfortunate
> situation because many ASF projects slowly die off as funding dries up.
> I believe the ASF is unlikely to change this long-standing practice, even
> though there are other open source foundations which fund developers.
> The FreeBSD and OpenBSD foundations pay some development (see their
> financial reports), and apparently a new PHP foundation is starting up
> with the sole purpose of funding PHP developers.
> 
> In the past many SVN developers were employed by companies who ran with
> business models related to Subversion. This is the funding model the ASF
> is promoting. However, as of a few years ago most such companies changed
> direction and are no longer employing any SVN developers. Many people have
> moved on as a result and are no longer active.
> 
> (Disclaimer: I still receive a small amount of indirect SVN-related funding
> via elego's SVN customer support. I occasionally use some of this time
> to work on various things in Subversion, even though this budget is not
> intended to fund development beyond customer-specific issues which can
> only be fixed in the code base. And it is not enough to cover complex tasks.)


Re: CVE-2021-44228 log4j vulnerability

2021-12-12 Thread Bo Berglund
On Sun, 12 Dec 2021 15:30:20 +0300, Pavel Lyalyakin
 wrote:

>Apache Subversion and Apache HTTP Server are not Java applications.
>Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
>depend on log4j either.

Sounds good.

We are using VisualSVN on our main SVN server running on Windows Server 2016: 

H:\>svnadmin --version
svnadmin, version 1.9.7 (r1800392)
   compiled Nov 21 2017, 12:52:53 on x86_64-microsoft-windows6.1.7601

It has no exposure to the Internet, just sits on the LAN.


We have a backup server off-site running on Ubuntu Server 20.04.3:

$ svnadmin --version
svnadmin, version 1.13.0 (r1867053)
   compiled Mar 24 2020, 12:33:36 on x86_64-pc-linux-gnu

The latter is svnsync'ed from VisualSVN every night and is fully updated.
It has no public interface, set to readonly except for the svnsync calls.

Do we need to do anything for the "log4j" vulnerability?


-- 
Bo Berglund
Developer in Sweden



Re: CVE-2021-44228 log4j vulnerability

2021-12-12 Thread Mark Phippard
On Sun, Dec 12, 2021 at 7:31 AM Pavel Lyalyakin
 wrote:
>
> On Sun, Dec 12, 2021 at 5:34 AM surbhi khandelwal  wrote:
>>
>> Hi
>>
>> I am using svn, version 1.6.11 (r934486) on rhel 1.6. Could you kindly help
>> me understand if this is vulnerable to the latest Java vulnerability?
>>
>>
>> Httpd version I'm using is 2.2.15
>>
>> Looking for your help
>>
>>
>
> Apache Subversion and Apache HTTP Server are not Java applications. 
> Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not 
> depend on log4j either.
>
> Note that you are using outdated Subversion and Apache HTTP Server versions. 
> They are affected by numerous issues, and you should consider upgrading to 
> supported versions. The most recent versions are Subversion 1.14.1 and Apache 
> HTTP Server 2.4.51.

I was typing up the same reply ... neither Subversion nor httpd would
be directly impacted by this but you are running old versions with
other problems so you should look to upgrade. The log4j vulnerability
only impacts apps that use a JVM, so in terms of Subversion you would
probably just want to look for any web apps you might be using with
your Subversion server such as a repository browser or other tool that
is written in Java. But a vanilla Subversion server (or client) should
be fine.

Mark
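Mark's point above is that the exposure, if any, sits in Java software running beside Subversion (a repository browser, a CI agent, a web app), not in Subversion or httpd themselves. The script below is an added example, not part of this thread and not code from the Subversion project: it walks a directory tree, finds log4j-core jars (loose on disk or bundled inside .war/.ear archives), and classifies each by its version against 2.15.0, the release that fixed CVE-2021-44228 on the 2.x line, and by whether the JndiLookup.class entry is still present (removing it was the documented stop-gap when an upgrade was not possible). The directory layout, the tool names (repo-browser, ci-agent, hooks.war) and the jar contents it builds for the demo are constructed stand-ins, not real Log4j artifacts.

```python
"""Inventory log4j-core jars under a directory tree and classify them for
CVE-2021-44228. Added example; the archives it builds are constructed
stand-ins for the demo, not real Log4j artifacts."""
import io
import os
import re
import tempfile
import zipfile

# CVE-2021-44228 is fixed in log4j-core 2.15.0 on the 2.x line. The JNDI
# lookup is implemented by this class; deleting it from the jar was the
# documented stop-gap when upgrading was not possible.
FIXED_VERSION = (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, ... as a file
# name or as a member path inside a .war/.ear archive.
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")


def parse_version(name):
    """(major, minor, patch) from a log4j-core jar name, or None if not one."""
    m = VERSION_RE.search(name)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(label, jar_bytes):
    """Return (label, 'x.y.z', status) for one log4j-core jar given its bytes."""
    version = parse_version(label)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version >= FIXED_VERSION:
        status = "not affected by CVE-2021-44228"
    elif has_jndi:
        status = "AFFECTED by CVE-2021-44228 (upgrade)"
    else:
        status = "mitigated (JndiLookup.class removed), still upgrade"
    return (label, ".".join(map(str, version)), status)


def scan_tree(root):
    """Walk root; inspect loose log4j-core jars and jars bundled in .war/.ear."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if VERSION_RE.search(fn):
                with open(path, "rb") as f:
                    findings.append(classify(path, f.read()))
            elif fn.endswith((".war", ".ear")):
                with zipfile.ZipFile(path) as outer:
                    for member in outer.namelist():
                        if VERSION_RE.search(member):
                            findings.append(classify(path + "!" + member,
                                                     outer.read(member)))
    return sorted(findings)


def _fake_jar(version, with_jndi):
    """Constructed jar bytes: a manifest plus an optional JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder, not real bytecode")
    return buf.getvalue()


def build_sample_tree(root):
    """Lay out a constructed server directory with three Java tools beside SVN."""
    browser = os.path.join(root, "repo-browser", "lib")   # hypothetical web app
    os.makedirs(browser)
    with open(os.path.join(browser, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_jar("2.14.1", with_jndi=True))      # vulnerable release
    agent = os.path.join(root, "ci-agent", "lib")          # hypothetical tool
    os.makedirs(agent)
    with open(os.path.join(agent, "log4j-core-2.10.0.jar"), "wb") as f:
        f.write(_fake_jar("2.10.0", with_jndi=False))     # class removed
    webapps = os.path.join(root, "webapps")
    os.makedirs(webapps)
    with zipfile.ZipFile(os.path.join(webapps, "hooks.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar",
                     _fake_jar("2.17.1", with_jndi=True))  # fixed release


def demo():
    """Build the sample tree in a temp dir, scan it, return relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), v, s)
                for p, v, s in scan_tree(tmp)]


if __name__ == "__main__":
    for label, version, status in demo():
        print("%-50s %-8s %s" % (label, version, status))
```

Run it as-is to see the three constructed findings, or point `scan_tree()` at a real application directory. The check is a heuristic: it keys on the jar file name and on one class entry, so a jar renamed or shaded into another artifact is missed, and the 2.12.x and 2.3.x fix backports for older JVMs are not modelled; treat the output as a starting inventory, and upgrade anything it lists.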


Re: CVE-2021-44228 log4j vulnerability

2021-12-12 Thread Pavel Lyalyakin
On Sun, Dec 12, 2021 at 5:34 AM surbhi khandelwal 
wrote:

> Hi
>
> I am using svn, version 1.6.11 (r934486) on rhel 1.6. Could you kindly
> help me understand if this is vulnerable to the latest Java vulnerability?
>
>
> Httpd version I'm using is 2.2.15
>
> Looking for your help
>
>
>
Apache Subversion and Apache HTTP Server are not Java applications.
Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
depend on log4j either.

Note that you are using outdated Subversion and Apache HTTP Server
versions. They are affected by numerous issues, and you should consider
upgrading to supported versions. The most recent versions are Subversion
1.14.1 and Apache HTTP Server 2.4.51.

-- 
With best regards,
Pavel Lyalyakin
VisualSVN Team