SCIENTIFIC-LINUX-USERS Archives

February 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Konstantin Olchanski <[log in to unmask]>
Reply To: Konstantin Olchanski <[log in to unmask]>
Date: Thu, 16 Feb 2017 17:23:53 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (29 lines)

On Thu, Feb 16, 2017 at 06:52:57PM -0500, Adam Jensen wrote:
> On Thu, 16 Feb 2017 14:03:57 -0800
> Konstantin Olchanski <[log in to unmask]> wrote:
> [snip]
> > For secure access, you must use passwords (unless you export a read-only repo)
> > and to have passwords, you must use an encrypted connection (https). The simplest
> > https setup with a password is through apache httpd.
> 
> svnserve has password based access control, and data-stream encryption is available through SASL.
> 

I will bite. I know apache httpd https and password protection are considered secure. I do not
know such a thing about svnserve (with or without SASL, which is just a layer on top of https,
as best I can tell).

In other words, is there anybody who would vouch for the security of bare svnserve (with SASL or whatever)?

For apache httpd and with https (SSL/TLS) there is a database of attacks, exploits and weaknesses
and solutions to them, security bulletins from respected vendors stating that all known
attacks and weaknesses are resolved, automatic tools to check for bad security configuration
(ssllabs scanner). Is there anything like this for svnserve? Even one CVE? No? Then it is secure
because it is obscure?

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
