Posted to announce@apache.org by Ben Reser <br...@apache.org> on 2013/11/25 17:50:51 UTC

Apache Subversion 1.8.5 released

I'm happy to announce the release of Apache Subversion 1.8.5.
Please choose the mirror closest to you by visiting:

    http://subversion.apache.org/download/#recommended-release

This release addresses two security issues:
    CVE-2013-4505: mod_dontdothat does not restrict requests from serf clients.
    CVE-2013-4558: mod_dav_svn assertion triggered by autoversioning commits.

More information on these vulnerabilities, including the relevant
advisories and potential attack vectors and workarounds, can be found
on the Subversion security website:
    http://subversion.apache.org/security/

The SHA1 checksums are:

    2859de4cdce4494cecc7a71df4dfbf7a765d7759 subversion-1.8.5.tar.gz
    66643c80041fedf585c8f4537331212e821aeef5 subversion-1.8.5.zip
    d21de7daf37d9dd1cb0f777e999a529b96f83082 subversion-1.8.5.tar.bz2

PGP Signatures are available at:

    http://www.apache.org/dist/subversion/subversion-1.8.5.tar.bz2.asc
    http://www.apache.org/dist/subversion/subversion-1.8.5.tar.gz.asc
    http://www.apache.org/dist/subversion/subversion-1.8.5.zip.asc

For this release, the following people have provided PGP signatures:

   Ben Reser [4096R/16A0DE01] with fingerprint:
    19BB CAEF 7B19 B280 A0E2  175E 62D4 8FAD 16A0 DE01
   Branko Čibej [2048R/C8628501] with fingerprint:
    8769 28CD 4954 EA74 87B6  B96C 29B8 92D0 C862 8501
   Branko Čibej [4096R/A347943F] with fingerprint:
    BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
   Ivan Zhakov [4096R/F6AD8147] with fingerprint:
    4829 8F0F E47F 4B8A 43FD  6525 919F 6F61 F6AD 8147
   Johan Corveleyn [4096R/010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
   Julian Foad [4096R/4EECC493] with fingerprint:
    6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
   Paul T. Burba [4096R/56F3D7BC] with fingerprint:
    1A0F E7C6 B3C5 F8D4 D0C4  A20B 64DD C071 56F3 D7BC
   Philip Martin [2048R/ED1A599C] with fingerprint:
    A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C
   Stefan Fuhrmann [4096R/57921ACC] with fingerprint:
    056F 8016 D9B8 7B1B DE41  7467 99EC 741B 5792 1ACC

Release notes for the 1.8.x release series may be found at:

    http://subversion.apache.org/docs/release-notes/1.8.html

You can find the list of changes between 1.8.5 and earlier versions at:

    http://svn.apache.org/repos/asf/subversion/tags/1.8.5/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team
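The announcement gives two separate controls, and they do different jobs: the SHA1 digests catch a corrupted or swapped download from a mirror, while the .asc signatures (served from www.apache.org/dist, not from the mirror) establish who produced the artifact. The step people skip is the third one: gpg prints "Good signature" for any key present in the local keyring, so the fingerprint of the signing key has to be compared with the fingerprints published in the announcement. The script below is an added example, not part of the announcement or of the Subversion project's own tooling. The digests and fingerprints are copied from the announcement; the gpg status output embedded at the bottom is constructed for illustration, not captured from a real run; and verify_download assumes gpg is installed and that the signers' public keys were already imported from the project's KEYS file, a step the announcement does not describe.

```python
"""Verify a downloaded Subversion 1.8.5 artifact against the announcement:
1. SHA1 of the file matches the published digest (download integrity);
2. gpg reports a cryptographically valid signature (authenticity);
3. the key that made the signature carries one of the fingerprints the
   announcement lists, because gpg says "Good signature" for any key in
   the local keyring, not only for the release managers' keys."""

import hashlib
import hmac
import re
import subprocess

# Digests and fingerprints copied from the 1.8.5 announcement.
ANNOUNCED_SHA1 = {
    "subversion-1.8.5.tar.gz": "2859de4cdce4494cecc7a71df4dfbf7a765d7759",
    "subversion-1.8.5.zip": "66643c80041fedf585c8f4537331212e821aeef5",
    "subversion-1.8.5.tar.bz2": "d21de7daf37d9dd1cb0f777e999a529b96f83082",
}

ANNOUNCED_FINGERPRINTS = """
19BB CAEF 7B19 B280 A0E2  175E 62D4 8FAD 16A0 DE01
8769 28CD 4954 EA74 87B6  B96C 29B8 92D0 C862 8501
BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
4829 8F0F E47F 4B8A 43FD  6525 919F 6F61 F6AD 8147
8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
1A0F E7C6 B3C5 F8D4 D0C4  A20B 64DD C071 56F3 D7BC
A844 790F B574 3606 EE95  9207 76D7 88E1 ED1A 599C
056F 8016 D9B8 7B1B DE41  7467 99EC 741B 5792 1ACC
"""


def normalize_fingerprint(fpr):
    """Drop the 4-digit display grouping so the announcement's form compares
    equal to the unspaced 40-hex form gpg prints on its status channel."""
    return re.sub(r"\s+", "", fpr).upper()


def announced_fingerprints():
    """Set of normalized fingerprints of the people named in the announcement."""
    return {normalize_fingerprint(line)
            for line in ANNOUNCED_FINGERPRINTS.splitlines() if line.strip()}


def sha1_matches(data, expected_hex):
    """Compare the artifact's SHA1 to the announced digest. This guards against
    a damaged or substituted download; authenticity comes from the signature."""
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(), expected_hex.lower())


def signer_fingerprint(gpg_status):
    """Extract the signing key's fingerprint from `gpg --status-fd` output.
    VALIDSIG is emitted only for a cryptographically valid signature, and its
    first field is the 40-hex fingerprint of the key that produced it."""
    for line in gpg_status.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2].upper()
    return None


def signature_from_release_manager(gpg_status):
    """True only if the signature is valid AND the signer is one of the people
    the announcement names; a GOODSIG from any other key is rejected."""
    fpr = signer_fingerprint(gpg_status)
    return fpr is not None and fpr in announced_fingerprints()


def verify_download(path, asc_path, expected_sha1):
    """Run the full check on real files. Assumes gpg is installed and that the
    signers' public keys were already imported from the project's KEYS file
    (that import step is not described in the announcement)."""
    with open(path, "rb") as fh:
        if not sha1_matches(fh.read(), expected_sha1):
            return False
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path, path],
                          capture_output=True, text=True, check=False)
    return signature_from_release_manager(proc.stdout)


# Constructed gpg status output (not captured from a real run): one valid
# signature by Ben Reser's announced key, one by a key nobody announced.
SAMPLE_STATUS_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 62D48FAD16A0DE01 Ben Reser
[GNUPG:] VALIDSIG 19BBCAEF7B19B280A0E2175E62D48FAD16A0DE01 2013-11-25 1385401851 0 4 0 1 10 00 19BBCAEF7B19B280A0E2175E62D48FAD16A0DE01
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_UNKNOWN_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2013-11-25 1385401851 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print("announced signers:", len(announced_fingerprints()))
    print("announced key accepted:", signature_from_release_manager(SAMPLE_STATUS_OK))
    print("unlisted key rejected:", not signature_from_release_manager(SAMPLE_STATUS_UNKNOWN_KEY))
```

Parsing the machine-readable status channel (--status-fd) rather than gpg's human-readable stderr is deliberate: the wording of "Good signature" changes between gpg versions and locales, while the VALIDSIG record and its fingerprint field do not. Fetch the .asc from www.apache.org/dist as the announcement says, not from the mirror that served the tarball, so that a compromised mirror cannot supply a matching signature for a tampered file.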

Re: Apache Subversion 1.8.5 released

Posted by Ben Reser <be...@reser.org>.
On 11/27/13 8:18 AM, Daniel Shahaf wrote:
> Branko Čibej wrote on Wed, Nov 27, 2013 at 17:15:10 +0100:
>> Meh. Just remove "binary" from the page title and you're done.
> 
> While at it, we could also list the other known alternate build systems:
> 
> - AnkhSVN's svn build script
> - TortoiseSVN's svn build script
> - tools/dev/unix-build/
> - tools/dev/windows-build/

+1, the current packages page leaves out Homebrew as well since it's not a
"binary package".




Re: Apache Subversion 1.8.5 released

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Branko Čibej wrote on Wed, Nov 27, 2013 at 17:15:10 +0100:
> On 27.11.2013 17:09, Mark Phippard wrote:
> > On Wed, Nov 27, 2013 at 8:06 AM, Nico Kadel-Garcia <nkadel@gmail.com
> > <ma...@gmail.com>> wrote:
> >
> >     On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf
> >     <d.s@daniel.shahaf.name <ma...@daniel.shahaf.name>> wrote:
> >     > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
> >     >> I've gone ahead and updated, and casually tested, my published
> >     RHEL 6
> >     >> compatible RPM building tools with a new 1.8.5 tag at:
> >     >>
> >     >>      
> >      https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
> >     >
> >     > Perhaps these should be linked to from
> >     http://subversion.apache.org/packages?
> >
> >     I'd welcome that. They don't contain binary RPM's, partly because I'm
> >     not in a good position to run a secure binary repository with GPG keys
> >     and fully controlled build environments. But they're very useful RPM
> >     building toolkits for developers, and I've sent notes to RHEL and
> >     Fedora about issues I've found. I've also submitted them to Repoforge
> >     in the past: looks like time to update those requests.
> >
> >
> > I think it would be very confusing to include this with our binary
> > packages.  This is not a binary package so why would it belong on that
> > list?
> >
> > Wouldn't it make more sense to add a section to INSTALL that points to
> > this along with appropriate instructions for using it?  Even if that
> > just says to read the current README?
> 
> Meh. Just remove "binary" from the page title and you're done.

While at it, we could also list the other known alternate build systems:

- AnkhSVN's svn build script
- TortoiseSVN's svn build script
- tools/dev/unix-build/
- tools/dev/windows-build/

Re: Apache Subversion 1.8.5 released

Posted by Branko Čibej <br...@wandisco.com>.
On 27.11.2013 17:09, Mark Phippard wrote:
> On Wed, Nov 27, 2013 at 8:06 AM, Nico Kadel-Garcia <nkadel@gmail.com
> <ma...@gmail.com>> wrote:
>
>     On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf
>     <d.s@daniel.shahaf.name <ma...@daniel.shahaf.name>> wrote:
>     > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
>     >> I've gone ahead and updated, and casually tested, my published
>     RHEL 6
>     >> compatible RPM building tools with a new 1.8.5 tag at:
>     >>
>     >>      
>      https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
>     >
>     > Perhaps these should be linked to from
>     http://subversion.apache.org/packages?
>
>     I'd welcome that. They don't contain binary RPM's, partly because I'm
>     not in a good position to run a secure binary repository with GPG keys
>     and fully controlled build environments. But they're very useful RPM
>     building toolkits for developers, and I've sent notes to RHEL and
>     Fedora about issues I've found. I've also submitted them to Repoforge
>     in the past: looks like time to update those requests.
>
>
> I think it would be very confusing to include this with our binary
> packages.  This is not a binary package so why would it belong on that
> list?
>
> Wouldn't it make more sense to add a section to INSTALL that points to
> this along with appropriate instructions for using it?  Even if that
> just says to read the current README?

Meh. Just remove "binary" from the page title and you're done.

-- Brane


-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane@wandisco.com

Re: Apache Subversion 1.8.5 released

Posted by Mark Phippard <ma...@gmail.com>.
On Wed, Nov 27, 2013 at 8:06 AM, Nico Kadel-Garcia <nk...@gmail.com> wrote:

> On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf <d....@daniel.shahaf.name>
> wrote:
> > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
> >> I've gone ahead and updated, and casually tested, my published RHEL 6
> >> compatible RPM building tools with a new 1.8.5 tag at:
> >>
> >>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
> >
> > Perhaps these should be linked to from
> http://subversion.apache.org/packages?
>
> I'd welcome that. They don't contain binary RPM's, partly because I'm
> not in a good position to run a secure binary repository with GPG keys
> and fully controlled build environments. But they're very useful RPM
> building toolkits for developers, and I've sent notes to RHEL and
> Fedora about issues I've found. I've also submitted them to Repoforge
> in the past: looks like time to update those requests.
>

I think it would be very confusing to include this with our binary
packages.  This is not a binary package so why would it belong on that list?

Wouldn't it make more sense to add a section to INSTALL that points to this
along with appropriate instructions for using it?  Even if that just says
to read the current README?

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: Apache Subversion 1.8.5 released

Posted by Ben Reser <br...@apache.org>.
On 11/27/13 5:09 PM, Nico Kadel-Garcia wrote:

> They're in github as well. I should probably add these comments to the
> patches, but not tonight.
> 
>        https://raw.github.com/nkadel/subversion-1.8.x-srpm/master/get-deps.sh
>                  Updated version of get-deps.sh, with consistent
> syntax, latest dependencies, and selection of new sqlite-autoconf
> package instead of sqlite-amalgamation.

Honestly, I really wish you wouldn't screw with get-deps.sh or would at least
follow through with my feedback with respect to your suggestion on contributing
your changes back:
https://mail-archives.apache.org/mod_mbox/subversion-users/201309.mbox/%3C5231410E.9000701%40reser.org%3E



Re: Apache Subversion 1.8.5 released

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Wed, Nov 27, 2013 at 10:56 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Nico Kadel-Garcia wrote on Wed, Nov 27, 2013 at 08:06:33 -0500:
>> On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>> > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
>> >> I've gone ahead and updated, and casually tested, my published RHEL 6
>> >> compatible RPM building tools with a new 1.8.5 tag at:
>> >>
>> >>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
>> >
>> > Perhaps these should be linked to from http://subversion.apache.org/packages?
>>
>> I'd welcome that.
>
> Well, go ahead and post a patch against the site source.  (You're the
> best person to write the prose description.)

They're in github as well. I should probably add these comments to the
patches, but not tonight.

       https://raw.github.com/nkadel/subversion-1.8.x-srpm/master/get-deps.sh
                 Updated version of get-deps.sh, with consistent
syntax, latest dependencies, and selection of new sqlite-autoconf
package instead of sqlite-amalgamation.

      https://github.com/nkadel/subversion-1.8.x-srpm/blob/1.8.5-0.1/subversion-1.7.0-pie.patch
                 Old RHEL/Fedora patch, set KDE configuration
directories correctly for RHEL

      https://raw.github.com/nkadel/subversion-1.8.x-srpm/1.8.5-0.1/subversion-1.7.0-rpath.patch
                 Old RHEL/Fedora patch to use "-pie" for compiled binaries.

      https://raw.github.com/nkadel/subversion-1.8.x-srpm/1.8.5-0.1/subversion-1.8.0-kwallet.patch
                 RHEL/Fedora patch to set KDE options correctly for kwallet.

      https://raw.github.com/nkadel/subversion-1.8.x-srpm/1.8.5-0.1/subversion-1.8.0-svnmucc.patch
                 RPM building patch to set up symlinks for svnmucc,
when "DESTDIR" for RPM building does not match the installation directory.
Use only for RPM building.

There are other configuration files specifically for building RPM's,
such as the "subversion.conf" for configuring an Apache server for
mod_dav_svn, and an svnserve.conf for svnserve setups, and "psvn.el"
and "psvn-init.el" from a third party for setting up Emacs in more
detail for Subversion.


>> They don't contain binary RPM's, partly because I'm
>> not in a good position to run a secure binary repository with GPG keys
>> and fully controlled build environments.
>
> FWIW, the ASF Infra folks are looking into ways to implement secure
> signed binary builds for other projects.  This is something that the
> project as a whole could sign up to, not individual contributors or
> committers.

I'm interested: I've not gotten far lately with repoforge (which seems
to have gone idle) or getting past the initial setup for Fedora and
EPEL. And I'm afraid that EPEL would never include subversion-1.7.x or
subversion-1.8.x, because it would be an irreversible client format
update from their current subversion-1.6.x.

> If there is interest, now is the best time to talk to infra about it,
> while the solution is still being designed.
>
>> But they're very useful RPM
>> building toolkits for developers, and I've sent notes to RHEL and
>> Fedora about issues I've found. I've also submitted them to Repoforge
>> in the past: looks like time to update those requests.

Re: Apache Subversion 1.8.5 released

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Wed, Nov 27, 2013 at 11:19 AM, Ivan Zhakov <iv...@visualsvn.com> wrote:
> On 27 November 2013 19:56, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>> Nico Kadel-Garcia wrote on Wed, Nov 27, 2013 at 08:06:33 -0500:
>>> On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>>> > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
>>> >> I've gone ahead and updated, and casually tested, my published RHEL 6
>>> >> compatible RPM building tools with a new 1.8.5 tag at:
>>> >>
>>> >>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
>>> >
>>> > Perhaps these should be linked to from http://subversion.apache.org/packages?
>>>
>>> I'd welcome that.
>>
>> Well, go ahead and post a patch against the site source.  (You're the
>> best person to write the prose description.)
>>
> Besides any arguments, I find links to Github from the Subversion
> [Binary] Packages page very confusing.

There are workflow reasons that I publish it this way. Way back,
Subversion used to include package building components in the
"contrib" subdirectory. I've not seen anyone trying to bring that
back, or set up a parallel "subversion-packaging" project. If there's
enough enthusiasm to re-introduce something like that, I'd be happy to
work with it.

Re: Apache Subversion 1.8.5 released

Posted by Ivan Zhakov <iv...@visualsvn.com>.
On 27 November 2013 19:56, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Nico Kadel-Garcia wrote on Wed, Nov 27, 2013 at 08:06:33 -0500:
>> On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>> > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
>> >> I've gone ahead and updated, and casually tested, my published RHEL 6
>> >> compatible RPM building tools with a new 1.8.5 tag at:
>> >>
>> >>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
>> >
>> > Perhaps these should be linked to from http://subversion.apache.org/packages?
>>
>> I'd welcome that.
>
> Well, go ahead and post a patch against the site source.  (You're the
> best person to write the prose description.)
>
Besides any arguments, I find links to Github from the Subversion
[Binary] Packages page very confusing.

-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com

Re: Apache Subversion 1.8.5 released

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Nico Kadel-Garcia wrote on Wed, Nov 27, 2013 at 08:06:33 -0500:
> On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> > Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
> >> I've gone ahead and updated, and casually tested, my published RHEL 6
> >> compatible RPM building tools with a new 1.8.5 tag at:
> >>
> >>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
> >
> > Perhaps these should be linked to from http://subversion.apache.org/packages?
> 
> I'd welcome that.

Well, go ahead and post a patch against the site source.  (You're the
best person to write the prose description.)

> They don't contain binary RPM's, partly because I'm
> not in a good position to run a secure binary repository with GPG keys
> and fully controlled build environments.

FWIW, the ASF Infra folks are looking into ways to implement secure
signed binary builds for other projects.  This is something that the
project as a whole could sign up to, not individual contributors or
committers. 

If there is interest, now is the best time to talk to infra about it,
while the solution is still being designed.

> But they're very useful RPM
> building toolkits for developers, and I've sent notes to RHEL and
> Fedora about issues I've found. I've also submitted them to Repoforge
> in the past: looks like time to update those requests.

Re: Apache Subversion 1.8.5 released

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Wed, Nov 27, 2013 at 7:26 AM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
>> I've gone ahead and updated, and casually tested, my published RHEL 6
>> compatible RPM building tools with a new 1.8.5 tag at:
>>
>>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1
>
> Perhaps these should be linked to from http://subversion.apache.org/packages?

I'd welcome that. They don't contain binary RPM's, partly because I'm
not in a good position to run a secure binary repository with GPG keys
and fully controlled build environments. But they're very useful RPM
building toolkits for developers, and I've sent notes to RHEL and
Fedora about issues I've found. I've also submitted them to Repoforge
in the past: looks like time to update those requests.

Re: Apache Subversion 1.8.5 released

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Nico Kadel-Garcia wrote on Tue, Nov 26, 2013 at 21:17:11 -0500:
> I've gone ahead and updated, and casually tested, my published RHEL 6
> compatible RPM building tools with a new 1.8.5 tag at:
> 
>        https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1

Perhaps these should be linked to from http://subversion.apache.org/packages?

Re: Apache Subversion 1.8.5 released

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
I've gone ahead and updated, and casually tested, my published RHEL 6
compatible RPM building tools with a new 1.8.5 tag at:

       https://github.com/nkadel/subversion-1.8.x-srpm/tree/1.8.5-0.1

For those who work in RHEL 6 or CentOS 6 or Scientific Linux 6, it
works quite well with the libserf from EPEL.

                          Nico Kadel-Garcia <nkadel@gmail.com>
