Posted to users@subversion.apache.org by Doug Dicks <dw...@revelanttech.com> on 2003/09/08 20:33:36 UTC

0.29.0 - PKCS12 Certificates Only?

Hello,

I just upgraded to .29 under RedHat 9.  

I was using the list of certificate authorities that came with RH9 to
validate the issuer (Equifax) of my server cert by adding the line
"ssl-authorities-file = /usr/share/ssl/cert.pem" to the global section
of my servers file.

This is now broke and I get prompted to confirm my server's certificate
every time.  I assume this is due to the following change from the
release notes for .29:
"* SSL changes:  (r6958, #1371)
     - dropped support for PEM-encoded client certs, only accept PKCS12
now.
     - 'ssl-authority-files' is now a list of CA files
     - no more 'ssl-client-cert-type' and 'ssl-client-key-file'
variables."

I've  been reading the various web pages returned by Google on pkcs12,
but am still at a loss for what to do about it.  I've tried several
different ways to convert the PEM to PKCS12, but with no success.

Was there a big security problem with PEM certs?

I can get around this by adding "ssl-ignore-unknown-ca = true" to my
servers file, but would like to avoid this if possible.

Thoughts,

Doug





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Tobias Ringström wrote:

> Real soon now you will not need to do any configuration at all to accept 
> real non-self-signed certificates. It's a two-liner (or slightly more if 
> configuration parameters to turn it off are wished for), and it's 
> planned for 0.30.

And about 30 seconds after I sent this email I got an email from the 
issue tracker telling me that my patch was applied by Sussman.

Man, you're fast! :-)

/Tobias




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Garret Wilson wrote:

>> If you set 'ssl-trust-default-ca = true' in your ~/.subversion/servers
>> file, svn will trust all the 'default' CAs installed by a sysadmin.
>
> 1. Will this work on Win32, too? Will the Win32 client recognize the 
> usual root CAs? (e.g. VeriSign, Thawte, InstantSSL, Comodo, etc.) 

The current version of Neon uses OpenSSL even on Windows, so I don't 
think that it has access to the CA certificates installed in Windows. My 
guess is that the Windows port of OpenSSL looks for a PEM file 
containing CA certificates, just as it does on unix.

I do not know exactly where OpenSSH on Windows looks for the PEM file 
containing the CA certificates, but I'm hoping that one of the Windows 
gurus does. It would be really nice if a CA certificate list was included 
in the installer.

> 2. Can't we have "ssl-trust-default-ca" default to true? The whole 
> point of trusted root CAs is that they can be trusted, and the whole 
> point of installing root CAs is that those are trusted by default. (By 
> analogy, I'd hate to have to change a configuration file just to order 
> from amazon.com using HTTPS in a browser.) 

It is already on by default.

/Tobias




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Garret Wilson <ga...@globalmentor.com>.
Ben Collins-Sussman wrote:
> Tobias Ringström <to...@ringstrom.mine.nu> writes:
>>Real soon now you will not need to do any configuration at all to
>>accept real non-self-signed certificates. It's a two-liner (or
>>slightly more if configuration parameters to turn it off are wished
>>for), and it's planned for 0.30.

Yay!

> Just committed your patch to HEAD, Tobias.
> 
> If you set 'ssl-trust-default-ca = true' in your ~/.subversion/servers
> file, svn will trust all the 'default' CAs installed by a sysadmin.

1. Will this work on Win32, too? Will the Win32 client recognize the 
usual root CAs? (e.g. VeriSign, Thawte, InstantSSL, Comodo, etc.)

2. Can't we have "ssl-trust-default-ca" default to true? The whole point 
of trusted root CAs is that they can be trusted, and the whole point of 
installing root CAs is that those are trusted by default. (By analogy, 
I'd hate to have to change a configuration file just to order from 
amazon.com using HTTPS in a browser.)

The bother of adding "ssl-trust-default-ca" to a configuration file 
doesn't buy me much in *time* from adding my own server to the config 
file. Or, looking at this from another view, if someone has bothered to 
install "default" CAs why should someone have to bother adding a flag 
that says to use the "default" CAs. Are they really "default" if one has 
to turn them on? But I'm babbling (as I sit in class listening to the 
teacher drone on...)

Cheers,

Garret



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Ben Collins-Sussman <su...@collab.net>.
Tobias Ringström <to...@ringstrom.mine.nu> writes:

> Doug Dicks wrote:
> 
> > I was using the list of certificate authorities that came with RH9 to
> > validate the issuer (Equifax) of my server cert by adding the line
> > "ssl-authorities-file = /usr/share/ssl/cert.pem" to the global section
> > of my servers file.
> 
> Real soon now you will not need to do any configuration at all to
> accept real non-self-signed certificates. It's a two-liner (or
> slightly more if configuration parameters to turn it off are wished
> for), and it's planned for 0.30.

Just committed your patch to HEAD, Tobias.

If you set 'ssl-trust-default-ca = true' in your ~/.subversion/servers
file, svn will trust all the 'default' CAs installed by a sysadmin.




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Doug Dicks wrote:

> I was using the list of certificate authorities that came with RH9 to
> validate the issuer (Equifax) of my server cert by adding the line
> "ssl-authorities-file = /usr/share/ssl/cert.pem" to the global section
> of my servers file.

Real soon now you will not need to do any configuration at all to accept 
real non-self-signed certificates. It's a two-liner (or slightly more if 
configuration parameters to turn it off are wished for), and it's 
planned for 0.30.

/Tobias




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Ben Collins-Sussman <su...@collab.net>.
Doug Dicks <dw...@revelanttech.com> writes:

> Was there a big security problem with PEM certs?

I'm sure there's no security issue;  PEM and PKCS12 are the same data,
just formatted differently on disk.

The issue is that the latest neon library decided to drop support for
them, and therefore svn did as well.

I imagine PKCS12 is just easier to deal with, because it contains the
keyfile within it.  It's also the "standard" format that most web
browsers use these days.

> I've  been reading the various web pages returned by Google on pkcs12,
> but am still at a loss for what to do about it.  I've tried several
> different ways to convert the PEM to PKCS12, but with no success.

Well, can you be more specific?

Converting a .pem file to a pkcs12 file should be a no-brainer.  It's
just a matter of switching disk formats.  I believe openssl has a tool
to do it.  Try running 'man pkcs12', or 'openssl pkcs12 help'.

I'm guessing, but from reading the man page, you probably want to run
something like:

   $ openssl pkcs12 -export -out new.pkcs12 -in old.pem -inkey privatekeyfile





Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Doug Dicks <dw...@revelanttech.com>.
On Mon, 2003-09-08 at 17:57, David Waite wrote:
> I believe 0.23.9 still allows for multiple certs in a single file, and 
> that 0.24.1 does not :-)

Good call.  I didn't upgrade neon on my client.  I'll look for it to
break when I do.

Thanks,  

Doug



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by David Waite <ma...@akuma.org>.
Doug Dicks wrote:

>On Mon, 2003-09-08 at 15:41, Mukund wrote:
>  
>
>>On Mon, Sep 08, 2003 at 03:33:36PM -0500, Doug Dicks wrote:
>>    
>>
>>>This is now broke and I get prompted to confirm my server's certificate
>>>every time.  I assume this is due to the following change from the
>>>release notes for .29:
>>>      
>>>
>>The server CA certificate files (ssl-authority-files) are still PEM
>>encoded. It is now separated to be one certificate per file. The option
>>is now called 'ssl-authority-files'.
>>    
>>
>
>  
>
>>If your server certificate is signed by Equifax, you will have to get
>>their CA certificate and use that with the 'ssl-authority-files' option.
>>    
>>
>
>Got it.  Thanks.  I am only concerned about the CA files right now.  I
>extracted the Equifax cert that came with RH from
>/usr/share/ssl/cert.pem and everything works great.
>
>Interestingly enough, it also picks it up correctly if I leave the file
>as is with multiple CA certs as well.  Looks like part (all) of this was
>stupid-user-error.  ssl-authority-files != ssl-authorities-files  I
>changed file to files, but not authorities to authority.  Stupid.  I
>read the release notes and assumed that the problem was related to
>the "dropped support for PEM-encoded clients", not understanding the
>difference between the CA files and the client certs.
>
>  
>
I believe 0.23.9 still allows for multiple certs in a single file, and 
that 0.24.1 does not :-)

-David Waite




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Doug Dicks <dw...@revelanttech.com>.
On Mon, 2003-09-08 at 15:41, Mukund wrote:
> On Mon, Sep 08, 2003 at 03:33:36PM -0500, Doug Dicks wrote:
> > 
> > This is now broke and I get prompted to confirm my server's certificate
> > every time.  I assume this is due to the following change from the
> > release notes for .29:
> 
> The server CA certificate files (ssl-authority-files) are still PEM
> encoded. It is now separated to be one certificate per file. The option
> is now called 'ssl-authority-files'.

> If your server certificate is signed by Equifax, you will have to get
> their CA certificate and use that with the 'ssl-authority-files' option.

Got it.  Thanks.  I am only concerned about the CA files right now.  I
extracted the Equifax cert that came with RH from
/usr/share/ssl/cert.pem and everything works great.

Interestingly enough, it also picks it up correctly if I leave the file
as is with multiple CA certs as well.  Looks like part (all) of this was
stupid-user-error.  ssl-authority-files != ssl-authorities-files  I
changed file to files, but not authorities to authority.  Stupid.  I
read the release notes and assumed that the problem was related to
the "dropped support for PEM-encoded clients", not understanding the
difference between the CA files and the client certs.

Sorry, and thanks,

Doug



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Branko Čibej <br...@xbc.nu>.
Ben Collins-Sussman wrote:

>Branko Čibej <br...@xbc.nu> writes:
>
>  
>
>>    [global]
>>    ssl-authorities-file = %(certs-path)s\CAcert.pem
>>
>>
>>The README.txt file in the config dir explains this syntax; or, you can
>>read the docs for Python's ConfigParser module.
>>    
>>
>
>Wow, I forgot all about this cool substitution stuff!  I wonder if
>this is in the Book...
>  
>
Dunno, but I've just updated that README.txt a bit, and added a link
to the ConfigParser docs.

-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Ben Collins-Sussman <su...@collab.net>.
Branko Čibej <br...@xbc.nu> writes:

>     [global]
>     ssl-authorities-file = %(certs-path)s\CAcert.pem
> 
> 
> The README.txt file in the config dir explains this syntax; or, you can
> read the docs for Python's ConfigParser module.

Wow, I forgot all about this cool substitution stuff!  I wonder if
this is in the Book...




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Branko Čibej wrote:
> You can't expand environment variables in the config files, but you can
> do something better. Try something like this in your servers file:
> 
>     [DEFAULT]
>     certs-path = C:\Documents and Settings\tobias\Application Data\Subversion\certs

Yikes - this is the problem. It's long, ugly and hard to type. You also 
need double backslashes or single forward slashes so you cannot do 
copy+paste without (minor) manual intervention. This is soo much easier:

	/home/tori/.subversion

It would be really nice to have a pre-defined variable such as 
%(user-config-dir) or something, but now I'm just dreaming.

> then later on you can use variable replacement:
> 
>     [global]
>     ssl-authorities-file = %(certs-path)s\CAcert.pem

Cool!

> The README.txt file in the config dir explains this syntax; or, you can
> read the docs for Python's ConfigParser module.

I'll do that, thanks!

/Tobias



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Branko Čibej <br...@xbc.nu>.
Tobias Ringström wrote:

> brane@xbc.nu wrote:
>
>>     C:\>cd "%APPDATA%\Subversion"
>
>
> Thanks for the tip! Is it possible to use this syntax in the servers
> file as well? Just curious (and not in front of the Win2k machine
> right now). I like to put the CA cert in that directory too to keep
> everything in one place.

You can't expand environment variables in the config files, but you can
do something better. Try something like this in your servers file:

    [DEFAULT]
    certs-path = C:\Documents and Settings\tobias\Application Data\Subversion\certs

then later on you can use variable replacement:

    [global]
    ssl-authorities-file = %(certs-path)s\CAcert.pem


The README.txt file in the config dir explains this syntax; or, you can
read the docs for Python's ConfigParser module.



-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/
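
Added example (not part of the original thread, and not Subversion's own code): a small linter for a servers file that resolves the %(certs-path)s substitution described in the message above and catches the misspelled option name Doug reports elsewhere in this thread, along with the ssl-ignore-unknown-ca workaround. It assumes Python's configparser is a close enough stand-in for Subversion's parser, and it knows only the ssl-* option names mentioned in this thread; both sample files are constructed.

```python
import configparser
import difflib

# ssl-* option names mentioned in this thread; not a complete list of
# Subversion options.
CURRENT_OPTIONS = ["ssl-authority-files", "ssl-ignore-unknown-ca",
                   "ssl-trust-default-ca"]
# Dropped in 0.29 according to the release notes quoted in the thread.
REMOVED_OPTIONS = ["ssl-client-cert-type", "ssl-client-key-file"]
TRUE_VALUES = {"true", "yes", "on", "1"}

# Constructed sample: the misspelled option, the workaround, a removed option.
SAMPLE_SERVERS = r"""
[DEFAULT]
certs-path = C:\Documents and Settings\tobias\Application Data\Subversion\certs

[global]
ssl-authorities-files = %(certs-path)s\CAcert.pem
ssl-ignore-unknown-ca = true
ssl-client-key-file = %(certs-path)s\client-1.key
"""

# Constructed sample: the same file with the option name corrected.
FIXED_SERVERS = r"""
[DEFAULT]
certs-path = C:\Documents and Settings\tobias\Application Data\Subversion\certs

[global]
ssl-authority-files = %(certs-path)s\CAcert.pem
"""


def load(text):
    """Parse servers-file text; [DEFAULT] keys feed %(name)s substitution."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def lint_servers(text):
    """Return (section, option, kind, detail) findings for ssl-* options."""
    parser = load(text)
    findings = []
    for section in parser.sections():
        for option in parser[section]:
            if not option.startswith("ssl-"):
                continue  # only the SSL options from this thread are checked
            value = parser.get(section, option)
            if option in REMOVED_OPTIONS:
                findings.append((section, option, "removed", "dropped in 0.29"))
            elif option not in CURRENT_OPTIONS:
                # An unrecognised name is silently ignored by the client,
                # so suggest the closest known spelling.
                guess = difflib.get_close_matches(option, CURRENT_OPTIONS, n=1)
                findings.append((section, option, "unknown",
                                 guess[0] if guess else ""))
            elif (option == "ssl-ignore-unknown-ca"
                  and value.strip().lower() in TRUE_VALUES):
                findings.append((section, option, "insecure",
                                 "unknown CAs are accepted"))
    return findings


def authority_files(text, section="global"):
    """Return ssl-authority-files with %(name)s substitutions resolved."""
    return load(text).get(section, "ssl-authority-files", fallback=None)


if __name__ == "__main__":
    for finding in lint_servers(SAMPLE_SERVERS):
        print(*finding, sep=" | ")
    print(authority_files(FIXED_SERVERS))
```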



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
brane@xbc.nu wrote:
> Tobias Ringström wrote:
> 
>>This will cure my largest personal problem with Subversion. It's a
>>real pain in the butt to find the configuration files on Windows
> 
> What? Is it so hard to type

It is not the actual typing that is a problem, it's knowing what to 
type. :-)

>     C:\>cd "%APPDATA%\Subversion"

Thanks for the tip! Is it possible to use this syntax in the servers 
file as well? Just curious (and not in front of the Win2k machine right 
now). I like to put the CA cert in that directory too to keep everything 
in one place.

> How much harder is this than the unixish "cd ~/.subversion"? BTW, you
> can even type "%APPDATA%\Subversion" into Explorer's address bar, and
> it'll Just Work.

Can you say "tab completion"? :-)

/Tobias



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by br...@xbc.nu.
Tobias Ringström wrote:

> This will cure my largest personal problem with Subversion. It's a
> real pain in the butt to find the configuration files on Windows

What? Is it so hard to type

    C:\>cd "%APPDATA%\Subversion"

How much harder is this than the unixish "cd ~/.subversion"? BTW, you
can even type "%APPDATA%\Subversion" into Explorer's address bar, and
it'll Just Work.

-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Brian Mathis wrote:

> Yes, when dealing with paypsl.com you need this level of security, but 
> we're not talking about credit cards and bank statements here.

IMHO, the only problem is that you have to edit the servers file to get 
the security, and you have to save the CA cert somehow.

I have a draft patch (which I sent to David Waite for a review) that 
expands the prompt you get when you make a connection to a host with a 
cert that cannot be automatically verified. Right now it's just a y/N, 
but with the patch you can choose to trust the cert permanently. If you 
do that you will never see that question again for the same cert.

This is also planned for 0.30.

This will cure my largest personal problem with Subversion. It's a real 
pain in the butt to find the configuration files on Windows (which I 
occasionally have to use), and then to download and store the cert and 
type the path to the CA, especially if you have more than one client of 
course.

/Tobias




Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Brian Mathis <bm...@directedge.com>.
Yes, when dealing with paypsl.com you need this level of security, but 
we're not talking about credit cards and bank statements here.

If I'm a sysadmin who runs both the svn server and supports the clients, 
and know what conditions it's being used and when, there's a very low 
likelihood someone is going to target my humble svn server to attack and 
overwrite my keys, or hijack the network, or whatever.

If you want to be a security snob, that's fine - and I usually agree 
with that level of security.  But you have to realize that "security" is 
not all or nothing, there are different degrees of it.

To summarize my point:
-. You really REALLY should be using fully authenticated certificates
-. You should not bypass security measures if possible
-. SSL is not completely useless if you don't use signed keys, it just 
has a large benefit/safety reduced.
-. Some encryption is better than nothing at all

Security                                    If you don't do it all
is stupid |---A-----------|-----M--------U| it's not worth doing

I hope that line comes through:
U: Clearly your position on the matter
A: The level you seem to think I'm arguing to
M: The level I actually am arguing to.



Mukund wrote:
> On Mon, Sep 08, 2003 at 05:00:26PM -0400, Brian Mathis wrote:
>>Well, not the *very* objective, but one of them.  You'll still get 
>>encrypted traffic on the wire.  Yes, a man in the middle attack is still 
>>possible, but that takes much more effort than simply setting up tcpdump.
> 
> Encryption and authenticity go hand in hand. You implement authentication
> first, then encryption. There is no such thing as SSL without proving
> authenticity. Encrypted traffic without authenticity is meaningless. You
> can just as well send your credit card details to amaz00n.com instead of
> amazon.com without authentication, although your traffic is encrypted.
> 
> I'll get into this conversation when you are past setting up snake oil
> security. I apologize if I sound rude.. not my intention. Read up.

-- 
Brian Mathis
http://www.directedge.com/b/



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Mukund <mu...@tessna.com>.
On Mon, Sep 08, 2003 at 10:02:25PM +0100, Mukund wrote:

> authenticity. Encrypted traffic without authenticity is meaningless. You
> can just as well send your credit card details to amaz00n.com instead of
> amazon.com without authentication, although your traffic is encrypted.

Actually a better example would be:

You can just as well send your credit card details to your network
administrator instead of amazon.com without authentication, although your
traffic is encrypted.

:-)

-- 

Mukund

The very powerful and the very stupid have one thing in common.  Instead of
altering their views to fit the facts, they alter the facts to fit their
views ... which can be very uncomfortable if you happen to be one of the
facts that needs altering.
                -- Doctor Who, "Face of Evil"



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Mukund <mu...@tessna.com>.
On Mon, Sep 08, 2003 at 05:00:26PM -0400, Brian Mathis wrote:
> Well, not the *very* objective, but one of them.  You'll still get 
> encrypted traffic on the wire.  Yes, a man in the middle attack is still 
> possible, but that takes much more effort than simply setting up tcpdump.

Encryption and authenticity go hand in hand. You implement authentication
first, then encryption. There is no such thing as SSL without proving
authenticity. Encrypted traffic without authenticity is meaningless. You
can just as well send your credit card details to amaz00n.com instead of
amazon.com without authentication, although your traffic is encrypted.

I'll get into this conversation when you are past setting up snake oil
security. I apologize if I sound rude.. not my intention. Read up.

-- 

Mukund


Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Brian Mathis <bm...@directedge.com>.

Mukund wrote:
> On Mon, Sep 08, 2003 at 03:33:36PM -0500, Doug Dicks wrote:
[...]
>>I can get around this by adding "ssl-ignore-unknown-ca = true" to my
>>servers file, but would like to avoid this if possible.
> 
> Please avoid it, or you will defeat the very objective of using SSL/TLS.
> 

Well, not the *very* objective, but one of them.  You'll still get 
encrypted traffic on the wire.  Yes, a man in the middle attack is still 
possible, but that takes much more effort than simply setting up tcpdump.

-- 
Brian Mathis
http://www.directedge.com/b/



Re: 0.29.0 - PKCS12 Certificates Only?

Posted by Mukund <mu...@tessna.com>.
On Mon, Sep 08, 2003 at 03:33:36PM -0500, Doug Dicks wrote:
> 
> This is now broke and I get prompted to confirm my server's certificate
> every time.  I assume this is due to the following change from the
> release notes for .29:

The server CA certificate files (ssl-authority-files) are still PEM
encoded. It is now separated to be one certificate per file. The option
is now called 'ssl-authority-files'.

If your server certificate is signed by Equifax, you will have to get
their CA certificate and use that with the 'ssl-authority-files' option.

The PKCS12 change is for client certificates only, used during
SSL client-authentication.

> I've  been reading the various web pages returned by Google on pkcs12,
> but am still at a loss for what to do about it.  I've tried several
> different ways to convert the PEM to PKCS12, but with no success.

To convert your PEM-encoded client-certificate (client-1.crt) and key
(client-1.key) pair to PKCS12 using the openssl utility, do:

openssl pkcs12 -export -in client-1.crt -inkey client-1.key -out client-1.p12 -name "Client certificate of Fubar"

You can read more about PKCS12 here:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html

> I can get around this by adding "ssl-ignore-unknown-ca = true" to my
> servers file, but would like to avoid this if possible.

Please avoid it, or you will defeat the very objective of using SSL/TLS.

-- 

Mukund
