Re: Checkout hooks? (summary and script implementation)

[Ryan Schmidt <su...@ryandesign.com>]

On Mar 26, 2006, at 11:52, Andrew Gabriel wrote:

> Adrian Hoe 贺文耀 wrote:
>
>> Look. I am not talking about having to log checkout/update. I just
>> want a simple email sent out to designated persons when someone do a
>> svn checkout/update. I am just interested to know who and when
>> checkout what. Simple.
>
> In a previous job, using a proprietary source control system, we  
> used the equivalent of a checkout hook to add people to a mailing  
> list regarding the repository they checked out from. With  
> Subversion, I can't do this until the first time they commit, so it  
> would be useful to me too so I could do it on the checkout. (We  
> only use the svn:// access method at the moment).

So it sounds like several people (3 so far in this thread alone) want  
a pre- or post-checkout hook. (And I see for the first time now,  
Adrian, that you also want a pre- or post-update hook.) Someone even  
already implemented a pre-checkout / pre-update hook, the patch for  
which is here:

On Mar 24, 2006, at 16:00, Mathias Weinert wrote:

> You may want to look at
> http://svn.haxx.se/dev/archive-2006-02/0304.shtml
> and a little follow-up discussion in a separate thread for which
> I don't have the number available at the moment (the subject
> is "Re: [PATCH] pre-update and pre-getfile hook").

There's some controversy about the way in which this feature was  
implemented, which you can read about in the continued discussion  
Matthias mentioned:

http://svn.haxx.se/dev/archive-2006-03/0033.shtml

One of the perceived problems was that a pre-checkout hook can be  
seen as another authorization mechanism, which was thought to be a  
bad idea (the better idea presumably being to extend the existing  
authorization mechanism to offer whatever features people would be  
implementing in a pre-checkout hook).

For the purposes of this thread, all that's desired is notification,  
which would probably fit best into a post-checkout or post-update  
hook. I can't find an issue tracker record for this request. Is there  
a reason, or would anybody object to such an enhancement request  
being filed?


So friends, until such new hooks are implemented, I think the only  
way to get what you want is to serve your repository using Apache and  
monitor the Subversion access log. Fortunately, since I'm trying to  
avoid real work at the moment, I wrote you a nifty script which can  
be used in conjunction with the new Apache access log features in  
Subversion 1.3.0 to basically create the post-checkout-or-export and  
post-update hooks out of thin air. The script is written in PHP,  
because I like it. The server must therefore be running Apache 2.0.x  
or greater, Subversion 1.3.x or greater, and PHP. (I'm running 5.1.2  
but 4.3.x or greater should probably be fine; if not, let me know.) I  
would like for the script to work on Windows too, but I can't test  
that; it's tested to work on Mac OS X. Instructions and hook  
templates are included in the archive.

http://www.ryandesign.com/svnhookdispatcher/

I should note that the new post-checkout-or-export and post-update  
hooks get called even if the checkout, export or update is  
interrupted for some reason, so just keep that in mind.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Checkout hooks? (summary and script implementation)

[Ryan Schmidt <su...@ryandesign.com>]

On Mar 28, 2006, at 09:35, Adrian Hoe 贺文耀 wrote:

>> So friends, until such new hooks are implemented, I think the only  
>> way to get what you want is to serve your repository using Apache  
>> and monitor the Subversion access log. Fortunately, since I'm  
>> trying to avoid real work at the moment, I wrote you a nifty  
>> script which can be used in conjunction with the new Apache access  
>> log features in Subversion 1.3.0 to basically create the post- 
>> checkout-or-export and post-update hooks out of thin air. The  
>> script is written in PHP, because I like it. The server must  
>> therefore be running Apache 2.0.x or greater, Subversion 1.3.x or  
>> greater, and PHP. (I'm running 5.1.2 but 4.3.x or greater should  
>> probably be fine; if not, let me know.) I would like for the  
>> script to work on Windows too, but I can't test that; it's tested  
>> to work on Mac OS X. Instructions and hook templates are included  
>> in the archive.
>>
>> http://www.ryandesign.com/svnhookdispatcher/
>
> The reason I wish to have a pre/post checkout/update hooks is that,  
> people such as project managers and svn administrator can be  
> alerted with emails while they are away from their office desks.
>
> We don't have an Apache setup simply because our security policies  
> and we don't want to provide conveniences of source browsing using  
> browsers. We sees no reasons to install Apache too because svn+ssh  
> is enough to do the job.
>
> We are able to use the hooks provided to monitor all commits  
> (post). The problem is that we are unable to know who checkout  
> what. That's a security concern. We would also like to know the ip  
> address of the person who checkout the items. We don't know who  
> until he/she commits changes.
>
> I am using 1.2.x and have no plan to migrate to 1.3 at this moment.  
> I will certainly migrate immediately if future version has checkout/ 
> export/update hooks implemented.

So, now you have a reason to install Apache and upgrade to Subversion  
1.3: svn+ssh does not provide you with post-checkout-or-export or  
post-update hooks; Apache + Subversion 1.3 + my script above does.

I can't speak to your security policies, but if they get in the way  
of you doing what you need to do for your business, then you'd best  
reexamine those security policies. But I really don't know what kind  
of security-related issues you see in an Apache + Subversion server  
that are not present in an SSH + Subversion server.

If you don't want people to be able to browse the repository via the  
web browser, I'm sure you can do that with a simple Apache directive  
like prohibiting all GET requests (since AFAIK real Subversion  
clients get all information via PROPFIND and REPORT requests) or by  
user agent (allowing only user agents like "SVN/1.3.0 (r17949) neon/ 
0.25.4" for example). In any case, you're merely taking away a  
convenience, not a feature, since a user can still browse the  
repository via the command-line client, if perhaps less conveniently.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Checkout hooks? (summary and script implementation)

[Adrian Hoe 贺文耀 <ma...@adrianhoe.com>]

Sorry for the late reply. I was on travel and got my hands tied up.

The reason I wish to have a pre/post checkout/update hooks is that,  
people such as project managers and svn administrator can be alerted  
with emails while they are away from their office desks.

We don't have an Apache setup simply because our security policies  
and we don't want to provide conveniences of source browsing using  
browsers. We sees no reasons to install Apache too because svn+ssh is  
enough to do the job.

We are able to use the hooks provided to monitor all commits (post).  
The problem is that we are unable to know who checkout what. That's a  
security concern. We would also like to know the ip address of the  
person who checkout the items. We don't know who until he/she commits  
changes.

I am using 1.2.x and have no plan to migrate to 1.3 at this moment. I  
will certainly migrate immediately if future version has checkout/ 
export/update hooks implemented.




On Mar 27, 2006, at 2:12 AM, Ryan Schmidt wrote:

> On Mar 26, 2006, at 11:52, Andrew Gabriel wrote:
>
>> Adrian Hoe 贺文耀 wrote:
>>
>>> Look. I am not talking about having to log checkout/update. I just
>>> want a simple email sent out to designated persons when someone do a
>>> svn checkout/update. I am just interested to know who and when
>>> checkout what. Simple.
>>
>> In a previous job, using a proprietary source control system, we  
>> used the equivalent of a checkout hook to add people to a mailing  
>> list regarding the repository they checked out from. With  
>> Subversion, I can't do this until the first time they commit, so  
>> it would be useful to me too so I could do it on the checkout. (We  
>> only use the svn:// access method at the moment).
>
> So it sounds like several people (3 so far in this thread alone)  
> want a pre- or post-checkout hook. (And I see for the first time  
> now, Adrian, that you also want a pre- or post-update hook.)  
> Someone even already implemented a pre-checkout / pre-update hook,  
> the patch for which is here:
>
> On Mar 24, 2006, at 16:00, Mathias Weinert wrote:
>
>> You may want to look at
>> http://svn.haxx.se/dev/archive-2006-02/0304.shtml
>> and a little follow-up discussion in a separate thread for which
>> I don't have the number available at the moment (the subject
>> is "Re: [PATCH] pre-update and pre-getfile hook").
>
> There's some controversy about the way in which this feature was  
> implemented, which you can read about in the continued discussion  
> Matthias mentioned:
>
> http://svn.haxx.se/dev/archive-2006-03/0033.shtml
>
> One of the perceived problems was that a pre-checkout hook can be  
> seen as another authorization mechanism, which was thought to be a  
> bad idea (the better idea presumably being to extend the existing  
> authorization mechanism to offer whatever features people would be  
> implementing in a pre-checkout hook).
>
> For the purposes of this thread, all that's desired is  
> notification, which would probably fit best into a post-checkout or  
> post-update hook. I can't find an issue tracker record for this  
> request. Is there a reason, or would anybody object to such an  
> enhancement request being filed?
>
>
> So friends, until such new hooks are implemented, I think the only  
> way to get what you want is to serve your repository using Apache  
> and monitor the Subversion access log. Fortunately, since I'm  
> trying to avoid real work at the moment, I wrote you a nifty script  
> which can be used in conjunction with the new Apache access log  
> features in Subversion 1.3.0 to basically create the post-checkout- 
> or-export and post-update hooks out of thin air. The script is  
> written in PHP, because I like it. The server must therefore be  
> running Apache 2.0.x or greater, Subversion 1.3.x or greater, and  
> PHP. (I'm running 5.1.2 but 4.3.x or greater should probably be  
> fine; if not, let me know.) I would like for the script to work on  
> Windows too, but I can't test that; it's tested to work on Mac OS  
> X. Instructions and hook templates are included in the archive.
>
> http://www.ryandesign.com/svnhookdispatcher/
>
> I should note that the new post-checkout-or-export and post-update  
> hooks get called even if the checkout, export or update is  
> interrupted for some reason, so just keep that in mind.
>
>
>

--
"If you missed the rising sun and the morning dew, don't miss the  
beautiful sunset." -- Adrian Hoe inspired by Michal Nowak, June 15 2004
http://adrianhoe.com



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org