subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nico Kadel-Garcia <>
Subject Re: Protected/secure SVN
Date Wed, 13 May 2015 00:34:01 GMT
On Tue, May 12, 2015 at 8:30 AM, D Ste <> wrote:
> Hi,
> I would like to set up SVN to store confidential documents.
> I have secured the pipe communication with HTTPS/SSL.  To avoid unauthorized
> users (even with root access) accessing documents from within the server, I
> would like to protect the SVN linux folder/files with encryption.

Thee are a stack of problem not unique to Subversion:

1) Whoever has your backups owns your content. This can be reduced
with encrypted filesystems and encrypted backups, but it's a basic
service side problem.
2) Subversion clients still save passphrases by default, with no way
for the server to force clients to use mandatory password entry or
force client-side wallet based encryption. Until and unless someone
gets something working like multi-user svn+ssh based access with
Kerberos tickets, or wields genuine Kerberos tickets into svnserve or
enforces Kerberos ticket use for Apache access, almost all setups will
leave you vulnerable to clients storing credentials poorly. Even SSH
key based or SSL key based access doesn't solve this problem, because
clients can and will store their credentials without protections, no
matter what you tell them and no matter what you have them sign.
3) Actually storing encrypted files in SVN will inevitably mean
storing binaries. Each small change in such a file will inevitably
involve a large difference form the previously stored encrypted file,
meaining a lot of resources for every change. and Subversion is
*horrible* about expiring old, unwanted files. The "svn obliterate" is
one of the most requested features, and has been consistently rejected
since..... well, since its first releases over a decade ago.

> Are there any ways to secure the SVN using protected folders or encryption?
> So only authorized users can access these confidential documents.
> Thanks in advance for your helps.

Yes, but there are limits. Be aware of them.

View raw message