Posted to users@subversion.apache.org by Junek Leoš <ju...@oksystem.cz> on 2015/11/02 14:59:28 UTC

Subversion 1.8 in RHEL/Centos repositories

Hello,

I am a newbie in Subversion administration and development issues, so I am sorry if my question looks stupid.

Why were Subversion 1.8 RPMs not included in the RHEL 7 / CentOS 7 / Oracle Linux 7 (native) repositories, though it was released on 18 June 2013 and RHEL 7 GA was introduced in June 2014? Even now, 28 months after the Subversion 1.8 release date, I cannot find it in the CentOS repositories.
e.g. http://merlin.fit.vutbr.cz/mirrors/centos/7.1.1503/os/x86_64/Packages/

Why is it available only via third-party repositories, e.g. via WANdisco? Who decided not to create RPMs of Subversion 1.8 for RHEL 7 based distributions?

I would like to install Subversion 1.8 from the native distribution repository and wonder why it is not available...

With regards

Leos


Leoš Junek, IT Systems Administrator
OKsystem a.s.
Na Pankráci 125, 140 21 Praha 4, Czech Republic
tel.: +420 236 072 268, fax: +420 236 072 112, mobile: +420 776 679 792
e-mail: junek@oksystem.cz, web: www.oksystem.cz



________________________________

Notice from OKsystem a.s. with respect to the implemented standards ISO 9001, ISO 27001 and ISO 14001:
This message and all attached files are confidential under the Civil Code. If you are not the intended recipient, please notify the sender and delete the message and the attached files.
Do you really need to print this e-mail? Think of the environment.

Disclaimer of OKsystem a.s. with respect to implemented standards ISO 9001, ISO 27001 and ISO 14001:
This message and all attached files are confidential and legally privileged. If you are not the intended recipient, please notify the sender and delete the message including all attachments.
Please consider the environment before printing this email.

Re: Subversion 1.8 in RHEL/Centos repositories

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Tue, Nov 3, 2015 at 8:54 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Nico Kadel-Garcia wrote on Tue, Nov 03, 2015 at 06:06:18 -0500:
>> On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <ju...@oksystem.cz> wrote:
>> > I would like to install Subversion 1.8 from the native distribution repository
>> > and wonder why it is not available…
>>
>> My RPM building tools are published. I don't personally have a web
>> service I can rely on sufficiently well to publish reliable, GPG
>> signed RPMs and have high confidence that someone can't maliciously
>> replace the repository, including a fake GPG key. Who checks the
>> signature chain on website published GPG keys?
>
> Even people who don't have a PGP trust path to your key will still be
> protected from this attack if they do "key pinning", i.e., if they check
> that "it's the same key as last time".
>
> (So long as people don't re-pin to a new key when the key on the website
> changes, of course.)

Yeah, that's the basic problem. RPM and its manager, yum, don't care
if something has "the same key as I used for the previous version".
They care whether a loaded key matches the signed RPM. If
not, then yum looks in a designated location for the key. That
location is typically either a URL (typically on the same website
and thus as vulnerable as a poisoned RPM), or deposited in /etc/pki/
by something like a "redhat-release" or "epel-release" RPM.

So if I could maintain a secure "nkadel-release" package and encourage
people to use it, I'd be in good shape. But for now, I don't have the
secure resources to host *that* any more than I have good, secure
resources and reliable support time to host Subversion RPMs and
ensure their provenance. Instead I've been trying to publish to
RPMforge (which used to work), and publish patches (which are
available to Fedora, RHEL, and even WANdisco).

Re: Subversion 1.8 in RHEL/Centos repositories

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Nico Kadel-Garcia wrote on Tue, Nov 03, 2015 at 06:06:18 -0500:
> On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <ju...@oksystem.cz> wrote:
> > I would like to install Subversion 1.8 from the native distribution repository
> > and wonder why it is not available…
> 
> My RPM building tools are published. I don't personally have a web
> service I can rely on sufficiently well to publish reliable, GPG
> signed RPMs and have high confidence that someone can't maliciously
> replace the repository, including a fake GPG key. Who checks the
> signature chain on website published GPG keys?

Even people who don't have a PGP trust path to your key will still be
protected from this attack if they do "key pinning", i.e., if they check
that "it's the same key as last time".

(So long as people don't re-pin to a new key when the key on the website
changes, of course.)
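As an added example (not code from this thread, nor from yum, rpm, or any Subversion or Red Hat packaging tooling), here is the "same key as last time" check Daniel describes, applied to the situation Nico describes: a .repo file whose gpgkey= URL sits on the same host as the packages, so that whoever can replace the RPMs can replace the key as well. The script computes the OpenPGP v4 fingerprint of the served key (RFC 4880 section 12.2: SHA-1 over 0x99, a two-byte length and the public-key packet body) and compares it with a locally stored pin, reporting a changed key rather than re-pinning to it. The .repo text, the host rpms.example.org, the pin store and both keys are constructed for the example; the keys carry arbitrary bytes in place of a real RSA modulus, so only the packet layout is real.

```python
"""Key pinning for yum repository GPG keys (added example, not from the thread, yum,
rpm or any Subversion tooling). Repo text, host, pin store and keys are constructed."""
import base64
import hashlib
from urllib.parse import urlparse

# Constructed repo definition: the key is served from the package host itself.
REPO_FILE = """
[svn18-thirdparty]
baseurl=https://rpms.example.org/svn18/el7/$basearch/
gpgcheck=1
gpgkey=https://rpms.example.org/svn18/RPM-GPG-KEY-svn18
"""

def parse_repo_file(text: str) -> dict:
    """Minimal parser for yum's INI-style .repo files."""
    repos, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            repos[current] = {}
        elif current is not None and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            repos[current][key.strip()] = value.strip()
    return repos

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor and verify its checksum; returns the raw packet bytes."""
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    while body and (":" in body[0] or not body[0].strip()):  # armor headers and blank line
        body.pop(0)
    body = [line.strip() for line in body if line.strip()]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch")
    return raw

def public_key_fingerprint(armored: str) -> str:
    """v4 fingerprint (RFC 4880 section 12.2) of the leading Public-Key Packet, tag 6, old-format header."""
    data = dearmor(armored)
    ctb = data[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 6 or ctb & 0x03 == 3:
        raise ValueError("first packet is not an old-format public key packet")
    size = 1 << (ctb & 0x03)  # length field is 1, 2 or 4 bytes
    length = int.from_bytes(data[1:1 + size], "big")
    body = data[1 + size:1 + size + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def key_served_with_packages(repo: dict) -> bool:
    """gpgkey= fetched over the network from the package host: the exposure Nico describes."""
    key_url, base = urlparse(repo.get("gpgkey", "")), urlparse(repo.get("baseurl", ""))
    return key_url.scheme in ("http", "https") and key_url.netloc == base.netloc

def check_repo_key(repo: dict, repo_id: str, fetched_key: str, pins: dict) -> str:
    """OK / MISMATCH / UNPINNED; a changed key is reported, never re-pinned."""
    if repo.get("gpgcheck", "0") != "1":
        return "GPGCHECK_OFF"
    fingerprint = public_key_fingerprint(fetched_key)
    pinned = pins.get(repo_id)
    if pinned is None:
        return "UNPINNED"  # first use: verify the fingerprint out of band, then pin it
    return "OK" if pinned == fingerprint else "MISMATCH"

def build_demo_public_key(modulus: bytes, exponent: int = 65537, created: int = 1446389968) -> str:
    """Constructed armored v4 RSA public key packet (RFC 4880 section 5.5.2); arbitrary modulus, not a usable key."""
    def mpi(value: int) -> bytes:
        bits = value.bit_length()
        return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(int.from_bytes(modulus, "big")) + mpi(exponent)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format header: tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def demo() -> dict:
    """First use, then the pinned key, then a key swapped on the server."""
    repo_id = "svn18-thirdparty"
    repo = parse_repo_file(REPO_FILE)[repo_id]
    genuine = build_demo_public_key(b"\xc3" * 256)  # what the maintainer published
    swapped = build_demo_public_key(b"\xa5" * 256)  # what a compromised host serves instead
    pins, results = {}, {"same_origin": key_served_with_packages(repo)}
    results["first_use"] = check_repo_key(repo, repo_id, genuine, pins)
    pins[repo_id] = public_key_fingerprint(genuine)  # pinned after out-of-band verification
    results["pinned"] = check_repo_key(repo, repo_id, genuine, pins)
    results["swapped"] = check_repo_key(repo, repo_id, swapped, pins)
    return results
```

The first-use fingerprint has to be checked out of band before it goes into the pin store (the maintainer's published fingerprint, a -release package already on the system, a colleague's copy); after that the pin, not the website, decides whether a key is accepted. yum itself only fetches whatever the gpgkey= location serves and at most asks you to confirm it, which is the step this check front-loads.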

Re: Subversion 1.8 in RHEL/Centos repositories

Posted by Zdenek Sedlak <de...@apgrco.com>.
On 11/03/2015 12:06 PM, Nico Kadel-Garcia wrote:
> On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <ju...@oksystem.cz> wrote:
>> Hello,
>>

[snip]

>> Why is it available only via third-party repositories, e.g. via WANdisco? Who
>> decided not to create RPMs of Subversion 1.8 for RHEL 7 based distributions?
> 
> Red Hat. If you have a subscription, submit a feature request!
> 
> EPEL won't publish them, because they refuse to replace existing RHEL
> components. Their approach is understandable, though with the
> continuing lack of RPMforge updates it leaves people like you out in
> the cold.
> 
>> I would like to install Subversion 1.8 from the native distribution repository
>> and wonder why it is not available…
> 
> My RPM building tools are published. I don't personally have a web
> service I can rely on sufficiently well to publish reliable, GPG
> signed RPMs and have high confidence that someone can't maliciously
> replace the repository, including a fake GPG key. Who checks the
> signature chain on website published GPG keys?
> 

Hi,

we use the WANdisco repositories and there is nothing wrong with them -
these guys know what they are doing because they run a business on top
of Subversion.

It's just an additional repository you may eventually mirror and make
part of your ecosystem.

//Zdenek

Re: Subversion 1.8 in RHEL/Centos repositories

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Mon, Nov 2, 2015 at 8:59 AM, Junek Leoš <ju...@oksystem.cz> wrote:
> Hello,
>
> I am a newbie in Subversion administration and development issues, so I am
> sorry if my question looks stupid.
>
> Why were Subversion 1.8 RPMs not included in the RHEL 7 / CentOS 7 / Oracle
> Linux 7 (native) repositories, though it was released on 18 June 2013 and
> RHEL 7 GA was introduced in June 2014? Even now, 28 months after the Subversion
> 1.8 release date, I cannot find it in the CentOS repositories.
>
> e.g. http://merlin.fit.vutbr.cz/mirrors/centos/7.1.1503/os/x86_64/Packages/

If you'd like my RHEL 7 RPM building tools, they're up at
https://github.com/nkadel/subversion-1.8.x-srpm.

Red Hat doesn't publish major release updates for a stable OS because
RHEL is a "server" operating system, long-term stable, and with pretty
much guaranteed compatibility and stability with all previous software
versions originally released with the OS. In particular, if you update
to Subversion 1.8 on one system and have an NFS shared working copy on
a non-updated system, or simply rsync the copy to a non-updated
system, you cannot use the new working copy on a host without updating
Subversion. And small differences in formatting output, or in features
like handling of submodules, can *break* your stable workflow pretty
badly.

The classic example is https://xkcd.com/1172/, which I occasionally
cite at work.

This reluctance to update happened with RHEL 5, which had Subversion
1.4. Red Hat did eventually upgrade to 1.6. I think the big feature
that got them to switch was the switch *away* from automatically and
silently storing passwords in cleartext in $HOME/.subversion/. But it
took years!

RPMforge used to publish just such updates, and I used to submit them
there, but my pull updates for RPMforge have been languishing for some
time, basically since Dag Wieers stepped back from maintaining
RPMforge.

> Why is it available only via third-party repositories, e.g. via WANdisco? Who
> decided not to create RPMs of Subversion 1.8 for RHEL 7 based distributions?

Red Hat. If you have a subscription, submit a feature request!

EPEL won't publish them, because they refuse to replace existing RHEL
components. Their approach is understandable, though with the
continuing lack of RPMforge updates it leaves people like you out in
the cold.

> I would like to install Subversion 1.8 from the native distribution repository
> and wonder why it is not available…

My RPM building tools are published. I don't personally have a web
service I can rely on sufficiently well to publish reliable, GPG
signed RPMs and have high confidence that someone can't maliciously
replace the repository, including a fake GPG key. Who checks the
signature chain on website published GPG keys?