Posted to users@subversion.apache.org by Johan Corveleyn <jo...@uz.kuleuven.ac.be> on 2009/05/01 22:42:30 UTC

RE: svn????????

I don't really understand where you got the idea that we use the file:// protocol :). No, we have a very sane setup (I think): repository is owned by a special user account, which is also used to run the Apache server that goes with it. We access it through https, authenticating with LDAP. We were only talking about sharing a *working copy* (on a build machine) for "release build" purposes. 

For our continuous builds we use TeamCity (which indeed doesn't need write access).

Regards,
Johan

> So, um.... who's the user that owns the Subversion repository and runs
> the Subversion server process? Please don't tell me you all use the
> file:// protocol in order to get around this security issue.
> 
> If you use Hudson <https://hudson.dev.java.net/> with Subversion, you
> really wouldn't need to give the Hudson server write access to your
> Subversion repository. In Subversion, you can use the Subversion
> revision number as a pseudo-tag, so you don't have to make a new tag
> for each build. Hudson shows you the Subversion revision number of
> each build. Hudson will also store your build artifacts and other
> items, so you don't have to check those into Subversion either.
> 
> Give Hudson a try. It's really very easy to set up and use.
> 
> On Thu, Apr 30, 2009 at 9:51 AM, Johan Corveleyn
> <jo...@uz.kuleuven.ac.be> wrote:
> > Well that would be fine, except for security: you'd need to have a
> > generic "build user" (not corresponding to a real person), with fixed
> > password, that has write access to the repository (needs to commit
> > version info, make branches, tags, ...). In our case this means this
> > "user" has to exist in our LDAP in the developers group (only that LDAP
> > group has write access currently).
> >
> > Our sysadmins don't like such generic user accounts (for one thing:
> > their password tends to be fixed over time to help all the automation,
> > contrary to normal accounts, which are forced to change their password
> > every x months).
> >
> > That's why we thought: why not let every developer build under his
> > own account (but share the WC to speed up things), and avoid this whole
> > issue.
> >
> > Johan
> >
> > -----Original message-----
> > From: Les Mikesell [mailto:lesmikesell@gmail.com]
> > Sent: Thursday 30 April 2009 15:43
> > To: Bob Archer
> > CC: Johan Corveleyn; users@subversion.tigris.org; xuer811
> > Subject: Re: svn????????
> >
> > Bob Archer wrote:
> >>> Hmmm, we were planning to do this in the following scenario:
> >>> - during normal development, everyone has his own local WC
> >>> - for building, we use a fixed build machine (*nix machine) with a
> >>> "shared" WC (we take rotations to perform the build)
> >>>
> >>> I guess this sort of WC-sharing should be fine, shouldn't it?
> >>
> >> Yes it "should" be ok. However, why not create a build script and
> >> automate it. First, this means only the "automation" is using the WC.
> >> And second, your devs don't have to do it manually.
> >>
> >
> > Or start with something like hudson and let it run your automation.
> >
> > --
> >   Les Mikesell
> >    lesmikesell@gmail.com
> >
> > ------------------------------------------------------
> > http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1995411
> >
> > To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
> >
> 
> 
> 
> --
> David Weintraub
> qazwart@gmail.com

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2020906



Re: svn????????

Posted by David Weintraub <qa...@gmail.com>.
On Fri, May 1, 2009 at 6:42 PM, Johan Corveleyn
<jo...@uz.kuleuven.ac.be> wrote:
> I don't really understand where you got the idea that we use
> the file:// protocol :).

The fact that your sysadmins don't like creating special non-user
accounts. I've been through this before, where I am trying to implement
client/server software, and our IT department tells us they can't
set up a non-user account in order to run the software.

> For our continuous builds we use TeamCity (which indeed
> doesn't need write access).

But earlier you said:

> we use a fixed build machine (*nix machine) with a
> "shared" WC (we take rotations to perform the build)

What builds are you doing on the *nix machine that you're not doing
with TeamCity?




-- 
David Weintraub
qazwart@gmail.com

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2039645
