SVN access using https?
Hi guys,

I noticed that right now the SVN repositories on svn.zope.org can
only be accessed using the "svn" and "svn+ssh" protocols. It occurred
to me that by enabling "http" and "https" and going away from "svn"
and "svn+ssh" a big win can be had in terms of administration.

- no need for machine accounts for developers
- no need for clunky SSH key management
- hook directly into existing authentication databases (LDAP of
course ;)

In a different situation (an Apache-based webmail setup where all
underlying mail components hook into LDAP for account and
configuration data) I have used mod_authz_ldap successfully to re-use
existing mail system authentication data for protecting access to the
webmail site.

Since we already have LDAP as the basis for www.zope.org login
information it should not be hard to add an attribute to
contributors' records that can be used to determine access to e.g.
"https://svn.zope.org/svn" as a front door to the main repo or even
specific sub-projects.

I'm hoping to flesh that out more when I complete migrating my own
repositories to SVN in the next couple weeks.

jens

_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
Re: SVN access using https?
Jens Vagelpohl wrote:
> Hi guys,
>
> I noticed that right now the SVN repositories on svn.zope.org can only
> be accessed using the "svn" and "svn+ssh" protocols. It occurred to me
> that by enabling "http" and "https" and going away from "svn" and
> "svn+ssh" a big win can be had in terms of administration.
>
> - no need for machine accounts for developers
> - no need for clunky SSH key management

The key management doesn't have to be so clunky. It's a shame
the current app is so bad, but not *quite* bad enough to make us
write a netter one.

> - hook directly into existing authentication databases (LDAP of course ;)
>
> In a different situation (an Apache-based webmail setup where all
> underlying mail components hook into LDAP for account and configuration
> data) I have used mod_authz_ldap successfully to re-use existing mail
> system authentication data for protecting access to the webmail site.
>
> Since we already have LDAP as the basis for www.zope.org login
> information it should not be hard to add an attribute to contributors'
> records that can be used to determine access to e.g.
> "https://svn.zope.org/svn" as a front door to the main repo or even
> specific sub-projects.
>
> I'm hoping to flesh that out more when I complete migrating my own
> repositories to SVN in the next couple weeks.

I suggest trying https and seeing how you like it. In reading
about it, it seems awful. It's been a while since I read about it,
but it either involved entering passwords on every action or
storing passwords in clear text. I find SSH, once set up, to be much
cleaner, easier, and more secure.

I don't think that making the repository available via http would be
a bad idea. I'm just too lazy to set it up. :)

Perhaps when the foundation is set up, someone else can take over svn
and make improvements like setting up http access or getting rid of the
BDB back end.

Jim

--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
_______________________________________________
Re: SVN access using https?
On 17 Jul 2005, at 13:24, Jim Fulton wrote:
>> - no need for clunky SSH key management
>
> The key management doesn't have to be so clunky. It's a shame
> the current app is so bad, but not *quite* bad enough to make us
> write a netter one.

You have to admit that machine accounts for everyone and a munged key
that only allows executing the cvs binary is more of a hack than
anything else...


> I suggest trying https and seeing how you like it. In reading
> about it, it seems awful. It's been a while since I read about it,
> but it either involved entering passwords on every action or
> storing passwords in clear text. I find SSH, once set up, to be much
> cleaner, easier, and more secure.

I've been using HTTP and HTTPS (not on my own repos yet) on several
occasions and never had to e.g. re-enter passwords after the first
time. Here's a (possibly relevant) mailing list post I just dug up:

http://svn.haxx.se/users/archive-2005-02/0870.shtml

Here's what the SVN Red Book has to say about credentials caching:

http://svnbook.red-bean.com/en/1.1/ch06s02.html#svn-ch-6-sect-2.2

So credentials do seem to get stored as cleartext, in the filesystem
underneath $HOME/.subversion. Not sure how much of a problem that is,
given the fact that normally home directories are well-protected.
Unless you're using Windoze I suppose.


> I don't think that making the repository available via http would be
> a bad idea. I'm just too lazy to set it up. :)
>
> Perhaps when the foundation is set up, someone else can take over svn
> and make improvements like setting up http access or getting rid of
> the BDB back end.

Let's just say that it is always good to have a known responsibility
structure rather than "hm... I'll just talk to people who I know have
touched this system in the past" ;)

jens
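
An added example (not part of the original thread): the cleartext caching discussed above can be checked on a workstation by parsing the client's cache files under `$HOME/.subversion/auth`. The realm, usernames and password below are constructed, and treating an entry without a `passtype` key as cleartext is an assumption made here for older clients.

```python
import os, stat, tempfile

def parse_svn_hash(data: bytes) -> dict:
    """Parse the length-prefixed format: 'K n' / key / 'V n' / value ... 'END'."""
    out, pos = {}, 0
    def read_item(tag: bytes) -> str:
        nonlocal pos
        if data[pos:pos + 2] != tag + b" ":
            raise ValueError(f"expected {tag!r} header at offset {pos}")
        eol = data.index(b"\n", pos)
        start, size = eol + 1, int(data[pos + 2:eol])
        pos = start + size + 1  # skip the payload and its trailing newline
        return data[start:start + size].decode()
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key] = read_item(b"V")
    return out

def audit_cache(auth_dir: str) -> list:
    """List cached credentials whose password sits in the file as cleartext."""
    findings = []
    for root, _dirs, files in os.walk(auth_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    entry = parse_svn_hash(fh.read())
            except (OSError, ValueError):
                continue  # unreadable, or not a cache entry
            # Assumption: no 'passtype' key (older clients) means cleartext, like 'simple'.
            if "password" in entry and entry.get("passtype", "simple") == "simple":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append({"file": name, "username": entry.get("username"),
                                 "realm": entry.get("svn:realmstring"),
                                 "others_can_read": bool(mode & 0o044)})
    return findings

def demo() -> list:  # constructed cache: one cleartext entry, one keyring-backed entry
    samples = {"aaaa": {"password": "constructed-secret", "username": "dev1"},
               "bbbb": {"passtype": "keychain", "username": "dev2"}}
    with tempfile.TemporaryDirectory() as home:
        simple = os.path.join(home, ".subversion", "auth", "svn.simple")
        os.makedirs(simple)
        for name, fields in samples.items():
            fields["svn:realmstring"] = "<https://svn.example.org:443> Constructed Realm"
            body = "".join(f"K {len(k)}\n{k}\nV {len(v)}\n{v}\n" for k, v in fields.items())
            with open(os.path.join(simple, name), "wb") as fh:
                fh.write(body.encode() + b"END\n")
            os.chmod(os.path.join(simple, name), 0o644)
        return audit_cache(os.path.join(home, ".subversion", "auth"))
```

Pointing `audit_cache` at a real `~/.subversion/auth` reports the realm and username of each cleartext entry without printing the password itself.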

_______________________________________________
Re: SVN access using https?
Jens Vagelpohl wrote:
>
> On 17 Jul 2005, at 13:24, Jim Fulton wrote:
>
>>> - no need for clunky SSH key management
>>
>>
>> The key management doesn't have to be so clunky. It's a shame
>> the current app is so bad, but not *quite* bad enough to make us
>> write a netter one.
>
>
> You have to admit that machine accounts for everyone and a munged key
> that only allows executing the cvs binary is more of a hack than
> anything else...

It is a hack, in some ways. It is also extremely elegant in some ways.
We use a proven mechanism, SSH, that gives us good control over what people
can do, using a single mechanism to provide both svn and cvs access.

>
>> I suggest trying https and seeing how you like it. In reading
>> about it, it seems awful. It's been a while since I read about it,
>> but it either involved entering passwords on every action or
>> storing passwords in clear text. I find SSH, once set up, to be much
>> cleaner, easier, and more secure.
>
>
> I've been using HTTP and HTTPS (not on my own repos yet) on several
> occasions and never had to e.g. re-enter passwords after the first
> time.

BTW, because I use SSH agent, I only need to enter my passphrase
once when I start a computer session. That allows me to access
multiple SSH and CVS repositories and to log into various machines
as necessary. Pretty slick if you ask me.

> Here's a (possibly relevant) mailing list post I just dug up:
>
> http://svn.haxx.se/users/archive-2005-02/0870.shtml
>
> Here's what the SVN Red Book has to say about credentials caching:
>
> http://svnbook.red-bean.com/en/1.1/ch06s02.html#svn-ch-6-sect-2.2
>
> So credentials do seem to get stored as cleartext, in the filesystem
> underneath $HOME/.subversion. Not sure how much of a problem that is,
> given the fact that normally home directories are well-protected.
> Unless you're using Windoze I suppose.

Compared to SSH key management, this seems like a huge hack to me.

Jim

--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
_______________________________________________
Re: SVN access using https?
On Sunday, 17.07.2005, at 12:42 +0200, Jens Vagelpohl wrote:
> Hi guys,
>
> I noticed that right now the SVN repositories on svn.zope.org can
> only be accessed using the "svn" and "svn+ssh" protocols. It occurred
> to me that by enabling "http" and "https" and going away from "svn"
> and "svn+ssh" a big win can be had in terms of administration.
>
> - no need for machine accounts for developers
> - no need for clunky SSH key management
> - hook directly into existing authentication databases (LDAP of
> course ;)
>
> In a different situation (an Apache-based webmail setup where all
> underlying mail components hook into LDAP for account and
> configuration data) I have used mod_authz_ldap successfully to re-use
> existing mail system authentication data for protecting access to the
> webmail site.
>
> Since we already have LDAP as the basis for www.zope.org login
> information it should not be hard to add an attribute to
> contributors' records that can be used to determine access to e.g.
> "https://svn.zope.org/svn" as a front door to the main repo or even
> specific sub-projects.
>
> I'm hoping to flesh that out more when I complete migrating my own
> repositories to SVN in the next couple weeks.
>

Nice idea. Someone would have to create and maintain client
ssl certificates though....

Regards
Tino

_______________________________________________
Re: SVN access using https?
On Sunday, 17.07.2005, at 12:42 +0200, Jens Vagelpohl wrote:
> Hi guys,
>
> I noticed that right now the SVN repositories on svn.zope.org can
> only be accessed using the "svn" and "svn+ssh" protocols. It occurred
> to me that by enabling "http" and "https" and going away from "svn"
> and "svn+ssh" a big win can be had in terms of administration.
>
> - no need for machine accounts for developers
> - no need for clunky SSH key management
> - hook directly into existing authentication databases (LDAP of
> course ;)
>
> In a different situation (an Apache-based webmail setup where all
> underlying mail components hook into LDAP for account and
> configuration data) I have used mod_authz_ldap successfully to re-use
> existing mail system authentication data for protecting access to the
> webmail site.
>
> Since we already have LDAP as the basis for www.zope.org login
> information it should not be hard to add an attribute to
> contributors' records that can be used to determine access to e.g.
> "https://svn.zope.org/svn" as a front door to the main repo or even
> specific sub-projects.
>
> I'm hoping to flesh that out more when I complete migrating my own
> repositories to SVN in the next couple weeks.

Ah, and while we are at it, some nice frontend, like
http://trac.edgewall.com/

would be nice. At least for browsing the repository.

_______________________________________________
Re: SVN access using https?
On Sunday 17 July 2005 14:30, Tino Wildenhain wrote:
> Ah, and while we are at it, some nice frontend, like
> http://trac.edgewall.com/
>
> would be nice. At least for browsing the repository.

I like ViewCVS. It is very usable.

Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
_______________________________________________
Re: SVN access using https?
On 17 Jul 2005, at 22:48, Stephan Richter wrote:

> On Sunday 17 July 2005 14:30, Tino Wildenhain wrote:
>
>> Ah, and while we are at it, some nice frontend, like
>> http://trac.edgewall.com/
>>
>> would be nice. At least for browsing the repository.
>>
>
> I like ViewCVS. It is very usable.

The SVN support in ViewCVS is, pardon my french, crap. And it is
extremely hard to get it working as well, it requires some horrific
SWIG SVN Python binding. Tried to get it set up several times and
always failed.

A decent tool I have found recently is called WebSVN. It's in PHP,
but seems to do a very nice job including colorized diffs, svn blame,
tarball creation, etc. Basically all the things that ViewCVS does
well for CVS, but doesn't do at all for SVN. It even does RSS feeds
for changes (dunno what that's good for ;)

See my not yet complete repository migration at
http://svn.dataflake.org for an example. The one thing it does not deal well
with is resources that have been moved about with "svn move" - it
must do something braindead there because it will complain that it
cannot find the resource at the previous location. "svn diff" at the
new location works as expected.

jens

_______________________________________________
Re: SVN access using https?
On Sunday, 17.07.2005, at 23:03 +0100, Jens Vagelpohl wrote:
> On 17 Jul 2005, at 22:48, Stephan Richter wrote:
>
> > On Sunday 17 July 2005 14:30, Tino Wildenhain wrote:
> >
> >> Ah, and while we are at it, some nice frontend, like
> >> http://trac.edgewall.com/
> >>
> >> would be nice. At least for browsing the repository.
> >>
> >
> > I like ViewCVS. It is very usable.
>
> The SVN support in ViewCVS is, pardon my french, crap. And it is
> extremely hard to get it working as well, it requires some horrific
> SWIG SVN Python binding. Tried to get it set up several times and
> always failed.
>
> A decent tool I have found recently is called WebSVN. It's in PHP,
> but seems to do a very nice job including colorized diffs, svn blame,
> tarball creation, etc. Basically all the things that ViewCVS does
> well for CVS, but doesn't do at all for SVN. It even does RSS feeds
> for changes (dunno what that's good for ;)
>
> See my not yet complete repository migration at
> http://svn.dataflake.org for an example. The one thing it does not deal well
> with is resources that have been moved about with "svn move" - it
> must do something braindead there because it will complain that it
> cannot find the resource at the previous location. "svn diff" at the
> new location works as expected.

Maybe you both should have a look at trac's browser?
It's even in Python so better fits in the Zope model
anyway ;))

http://projects.edgewall.com/trac/browser/trunk/

just to get an idea. Hard to find anything like
that in the rather puristic viewcvs or websvn ;)

Regards
Tino

_______________________________________________
Re: SVN access using https?
On 17 Jul 2005, at 23:41, Tino Wildenhain wrote:
> Maybe you both should have a look at trac's browser?
> It's even in Python so better fits in the Zope model
> anyway ;))
>
> http://projects.edgewall.com/trac/browser/trunk/
>
> just to get an idea. Hard to find anything like
> that in the rather puristic viewcvs or websvn ;)

Maybe I am overlooking something, but where's the diff facility?

That specific site only looked OK in one browser that specifically
blocks Google ads, in all others they overlapped into the main
content part. But apart from a more "gimmicky" browsing interface I
haven't seen anything not covered by other tools.

jens

_______________________________________________
Re: SVN access using https?
On Sunday, 17.07.2005, at 23:48 +0100, Jens Vagelpohl wrote:
> On 17 Jul 2005, at 23:41, Tino Wildenhain wrote:
> > Maybe you both should have a look at trac's browser?
> > It's even in Python so better fits in the Zope model
> > anyway ;))
> >
> > http://projects.edgewall.com/trac/browser/trunk/
> >
> > just to get an idea. Hard to find anything like
> > that in the rather puristic viewcvs or websvn ;)
>
> Maybe I am overlooking something, but where's the diff facility?
>
> That specific site only looked OK in one browser that specifically
> blocks Google ads, in all others they overlapped into the main
> content part. But apart from a more "gimmicky" browsing interface I
> haven't seen anything not covered by other tools.

http://projects.edgewall.com/trac/changeset/1877

You click on a changeset.

I don't know when they started with the google ads... ;)
