[Bioperl-l] First cut svn repository [was Re: SVN and ...Re: Perltidy]
chris at bioteam.net
Thu Jun 28 00:08:25 EDT 2007
My understanding of "https+svn" is that it is actually WebDAV-over-HTTP, which means that not only would we need to light up a HTTPD server on the developer box, we'd also have to get a stable mod_dav module installed (sometimes not trivial) and then we would have to figure out how to handle the authentication bits. Right now with SSH we use Unix group permissions to figure out who can write to what repository -- WebDAV makes this a lot more complicated.

Forcing encryption over https will prevent someone from sniffing a developer password, which removes the main security issue. The next problem is going to be integrating the DAV module with Linux PAM so that existing usernames and passwords can be used, -OR- we have to set up and maintain an entirely separate set of username and password maps for each developer and each SVN project.

I'm not super concerned about this -- BioTeam runs svn internally and we expose our SVN for employees both via WebDAV and SVN+SSH - it's not that hard to set up.

My biggest concern really has to do with how much extra work this will mean for the OBF sysadmin team. If there is an easy way to get a stable Apache/DAV/SVN integration going with authentication coming from Linux PAM then this is no big deal. If we have to manually maintain separate authentication lists then it will be kind of a hassle.

Like Jason mentioned, the OBF currently segregates "stuff" onto three different servers with three levels of security:

- dev.open-bio.org -- Developers only, SSH access only (main source code repository for OBF)
- portal.open-bio.org -- Websites, Wikis, Blogs, Mailing list servers
- code.open-bio.org -- "Disposable" anonymous access server that we can easily burn/wipe/reinstall if it ever gets hacked

Everything else that Jason mentioned is fine and easy to set up (if not already running):

- SVN+SSH for developers
- Anonymous SVN and Anonymous RSYNC for community access on
- svn2cvs for whoever wants it on code.open-bio.org
- web based SVN code browser installed on http://code.open-bio.org

On Jun 27, 2007, at 11:29 PM, Jason Stajich wrote:

> I think Chris D and I will need to confer a bit on https+svn. I
> don't know when we'll have a good chance to discuss everything. At
> some point this discussion may need to be taken off bioperl and
> just the interested parties as we're delving into hardware geek land.
>
> The repository machine (dev) is a locked down machine meaning it
> only really runs ssh and not many servers include httpd. We have
> anonymous CVS (client and through httpd browsing) running on a
> separate machine (code) that has the info rsynced over every 10 or
> 15 minutes. The foundation websites and mailing lists run on a
> third machine (portal).
>
> If we decide to support https we'll need to spend a little time
> deciding how well we can keep it locked down - it will only be
> https not http for example and we may want to see about limiting
> ssh access to everyone if we migrate all OBF projects over to SVN
> and only support https.
>
> Again to re-iterate what I think we would do:
> - SVN read/write will live on 'dev', _WHEN_ we switch over no
>   writes to the CVS repository. It will be available by ssh+svn and
>   potentially by https+svn
> - SVN read-only will live on 'code', it will be accessible by http
> - CVS read-only will live on 'code', this will only be a sync from
>   the SVN to the CVS. See http://svn2cvs.tigris.org/ for details
>
> As I tried to ask for in the past, would someone also illustrate
> the importance of why _WE_ need to switch to SVN on a wiki page on
> Bioperl so that when someone complains/asks about this in the
> future the arguments are already laid out. I am basically fine
> with it, but I don't honestly see a compelling reason beyond what
> has been mentioned wrt better integration in IDEs.
>
> On Jun 27, 2007, at 9:46 PM, George Hartzell wrote:
>
>> Chris Fields writes:
>>> Now how about a quick straw poll, what kind of access? svn+ssh is
>>> already available, but some (Aaron among them) have indicated they
>>> would like https as well (not sure how involved it would be to
>>> set up).
>>
>> What we do here, in large part, depends on what our host machine
>> available to us.
>>
>> Is there an apache instance that we can use? Maybe a separate one?
>> May someone among us configure it, or do we need to ask for help? (In
>> other words, does anyone have sudo?)
>>
>> Is there some reason to not include http: (using Digest
>> so that passwords aren't passed in the clear?)? Maybe even go so far
>> as to ask why bother with https:, it's not like we need to transfer
>> any data encrypted....
>
> Jason Stajich
> jason at bioperl.org