Posted to users@subversion.apache.org by "Krueger, Lars (CQSE)" <la...@carmeq.com> on 2016/07/22 08:56:43 UTC

securing of correct transmit

Hello together,

I need to know how SVN ensures that each item (committing or updating) is correctly transmitted from/ to a repository. If I use 'svn info' command I can see a 'Checksum' for a file. Do you use this Checksum?
It's important to know, because we must validate your used tools to ensure that your Software is built correctly. Currently we use SVN 1.8.11.

With best regards
Lars Krüger

Embedded Software Development

Carmeq GmbH
Carnotstr. 4
D-10587 Berlin


Re: securing of correct transmit

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Eric Johnson wrote on Fri, Jul 22, 2016 at 09:27:50 -0700:
> Hi Lars,
> 
> On 7/22/16 1:56 AM, Krueger, Lars (CQSE) wrote:
> >Hello together,
> >I need to know how SVN ensures that each item (committing or updating) is
> >correctly transmitted from/ to a repository. If I use 'svn info' command I
> >can see a 'Checksum' for a file. Do you use this Checksum?
> 
> I have not examined the code. I can say, however, in the years that I've
> been lurking on this list, I've *never* seen anyone report an issue with a
> file being corrupted in transit to the server. I assume that is because the
> answer to your question is emphatically, "yes".
> 

Yes, we use checksums in both directions.  The checksum is usually sha1
although it may be md5 for old data [written by 1.5(?) and older].

> Of course, it is open source, so you can go look at the code. I was curious
> whether I could find it. This seems like the right file. I see references to
> "checksum" in there, so that's promising.
> https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_client/commit.c
> 

My answer would be the open_file/apply_textdelta/close_file sequence
from the svn_delta_editor_t type.  These three are the interface that
transmits a versioned file across the wire.

Cheers,

Daniel

Re: securing of correct transmit

Posted by Eric Johnson <er...@tibco.com>.
Hi Lars,

On 7/22/16 1:56 AM, Krueger, Lars (CQSE) wrote:
> Hello together,
> I need to know how SVN ensures that each item (committing or
> updating) is correctly transmitted from/ to a repository. If I use
> 'svn info' command I can see a 'Checksum' for a file. Do you use this
> Checksum?

I have not examined the code. I can say, however, in the years that I've 
been lurking on this list, I've *never* seen anyone report an issue with 
a file being corrupted in transit to the server. I assume that is 
because the answer to your question is emphatically, "yes".

Of course, it is open source, so you can go look at the code. I was 
curious whether I could find it. This seems like the right file. I see 
references to "checksum" in there, so that's promising.
https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_client/commit.c

It is worth noting that you can turn on the svn:eol-style property
(http://svnbook.red-bean.com/nightly/en/svn.advanced.props.html#svn.advanced.props.ref),
which may mean that the checksum of the file in the repository will not
match the checksum in your working copy.

Of course, you might also use a tool like OWASP ZAP as a proxy between 
an HTTP client and an HTTP server, and mess with the packets being 
passed between the client and the server, and see what happens.

> It's important to know, because we must validate your used tools to
> ensure that your Software is built correctly. Currently we use SVN
> 1.8.11.

Looks like current version of Subversion 1.8.X is 1.8.16. If you want it 
to be the most correct, perhaps upgrade?

Eric.
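
Added example (not part of the original thread and not Subversion's own code): an independent check of a working-copy file against the 'Checksum' line of 'svn info', covering the svn:eol-style caveat above and the sha1/md5 distinction from Daniel's reply. It assumes the Checksum line describes the repository-form text and that this form uses LF line endings for the file in question; the sample 'svn info' output and file contents are constructed.

```python
import hashlib
import re

def recorded_checksum(svn_info_text):
    """Return the hex digest from the 'Checksum:' line of `svn info` output."""
    m = re.search(r"^Checksum:\s*([0-9a-fA-F]+)\s*$", svn_info_text, re.MULTILINE)
    return m.group(1).lower() if m else None

def digest_like(expected_hex, data):
    """Hash data with the algorithm implied by the digest length."""
    # 40 hex chars = SHA-1 (the usual case), 32 = MD5 (old data).
    algo = {40: "sha1", 32: "md5"}.get(len(expected_hex))
    if algo is None:
        raise ValueError("unrecognised checksum length: %d" % len(expected_hex))
    return hashlib.new(algo, data).hexdigest()

def check_file(svn_info_text, working_bytes):
    """Classify a working file against the checksum recorded by svn."""
    expected = recorded_checksum(svn_info_text)
    if expected is None:
        return "no-checksum"          # e.g. a directory, or unexpected output
    if digest_like(expected, working_bytes) == expected:
        return "match"
    # Assumption: with svn:eol-style set, the working file may carry CRLF
    # while the checksummed text uses LF, so retry on the LF form.
    normalized = working_bytes.replace(b"\r\n", b"\n")
    if digest_like(expected, normalized) == expected:
        return "match-after-eol-normalization"
    # Local edits, keyword expansion or real corruption all end up here.
    return "mismatch"

# Constructed sample data: a two-line file and the `svn info` text for it.
PRISTINE = b"line one\nline two\n"
SAMPLE_INFO = (
    "Path: build.cfg\n"
    "Name: build.cfg\n"
    "Node Kind: file\n"
    "Checksum: %s\n" % hashlib.sha1(PRISTINE).hexdigest()
)

if __name__ == "__main__":
    print(check_file(SAMPLE_INFO, PRISTINE))
    print(check_file(SAMPLE_INFO, PRISTINE.replace(b"\n", b"\r\n")))
    print(check_file(SAMPLE_INFO, b"line one\nline 2\n"))
```

A "mismatch" result is a prompt to compare against 'svn diff' output, not proof of a transmission error.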