Time Savings vs. Security

Jeff Anderson jefferya at programmerq.net
Fri Jan 4 12:24:23 MST 2008

If you run an svn checkout on the production server, I don't see how
that is more insecure than plugging in a removable drive. Just do
svn+ssh and type the password when you do svn up. It will be a great
time saver.
If someone compromises your svn repo, you always have the option to not
do svn up on the server, as you will be able to see any unauthorized
changes in the history.
If someone compromises your production server, they will be able to do a
lot more to break your server, and the flash drive vs svn checkout
shouldn't be an issue at that point.

If it is the requirement of having your development network connected to
the internet that the management is skittish about, just have one
machine that doesn't do NAT between the development network and
everything else. Have it host your svn repo, and have it run **only**
ssh. On the outside, restrict it to only let logins from the server(s)
that will be doing the svn up. I think that the (very very low) security
risk in that setup will be a wonderful time saver for you, and
definitely worth it.

Jeff Anderson

Ken Snyder wrote:
> I am programming in a somewhat common security setup where the
> development network is not connected to outside networks.  There are
> only two ways to copy deployments to test and production: removable
> media and a copy script using a Linux server that pushes files from
> dev to production or production to dev.
> We developers would like to make our weekly deployments by simply
> having the production machines svn checkout and svn update from our
> svn release branch.  However, technically minded upper managers see
> such a network setup as too insecure.  The developers are interested
> in saving time as our weekly deployments span 25 to 50 files per week
> across several web applications.
> Is the time savings worth the security risk?
> - Ken Snyder
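The bastion Jeff describes, written out as an added example that is not part of the original thread: a POSIX shell script that emits the three pieces of configuration for an SSH-only Subversion host sitting between the development network and production. It swaps the typed password for a deploy key with a forced command, so a production host can only ever speak the svn protocol to the bastion. The repository path, the 192.0.2.x addresses, the interface name and the account name are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Hardening for the
# SSH-only Subversion bastion Jeff describes, using a deploy key with a
# forced command instead of a typed password. Everything below is a
# constructed assumption for illustration:
#   SVN_ROOT    repositories live under /srv/svn on the bastion
#   PROD_HOSTS  the production web servers (RFC 5737 documentation range)
#   DEPLOY_USER unprivileged bastion account with read permission on the
#               repositories and nothing else
SVN_ROOT="/srv/svn"
PROD_HOSTS="192.0.2.10,192.0.2.11"
DEPLOY_USER="svn-deploy"

# Emit one ~svn-deploy/.ssh/authorized_keys entry. command= means the key
# can only ever run svnserve in tunnel mode rooted at SVN_ROOT (the client's
# own command is ignored); from= limits which addresses may present it; the
# rest refuse a PTY and all forwarding. A compromised production box then
# gets an svn protocol channel to one directory tree and nothing else.
# Do not also set ForceCommand in sshd_config for this user: it would
# override the per-key command and drop --tunnel-user.
svn_authorized_key_line() {
    # $1 = comma-separated source addresses, $2 = public key, $3 = svn username
    printf 'command="svnserve -t -r %s --tunnel-user=%s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$SVN_ROOT" "$3" "$1" "$2"
}

# Emit an sshd_config fragment: keys only, only the deploy account, only
# from production, and no forwarding even if a key line is later edited.
svn_sshd_config_fragment() {
    # $1 = comma-separated source addresses
    allow=$(printf '%s\n' "$1" | tr ',' '\n' |
        while read -r h; do printf ' %s@%s' "$DEPLOY_USER" "$h"; done)
    printf 'PasswordAuthentication no\n'
    printf 'PermitRootLogin no\n'
    printf 'AllowUsers%s\n' "$allow"
    printf 'Match User %s\n' "$DEPLOY_USER"
    printf '    AllowTcpForwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Emit firewall commands for the interface that faces production: accept
# new SSH connections only from the listed hosts, drop everything else, and
# never forward between the two networks (the box is not a router or NAT).
svn_firewall_rules() {
    # $1 = comma-separated source addresses, $2 = production-facing interface
    printf 'sysctl -w net.ipv4.ip_forward=0\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$2"
    printf '%s\n' "$1" | tr ',' '\n' | while read -r h; do
        printf 'iptables -A INPUT -i %s -p tcp --dport 22 -s %s -m state --state NEW -j ACCEPT\n' "$2" "$h"
    done
    printf 'iptables -A INPUT -i %s -j DROP\n' "$2"
}

# Print all three fragments with `sh svn-bastion.sh --print`. On the
# production side the weekly deploy is then just `svn up /var/www/webapp`
# in a tree checked out from
#   svn+ssh://svn-deploy@bastion/webapp/branches/release
if [ "${1:-}" = "--print" ]; then
    echo "# authorized_keys"
    svn_authorized_key_line "$PROD_HOSTS" "ssh-ed25519 AAAA...deploy-key" "deploy"
    echo "# sshd_config"
    svn_sshd_config_fragment "$PROD_HOSTS"
    echo "# firewall"
    svn_firewall_rules "$PROD_HOSTS" eth1
fi
```

With svn+ssh, write access is governed by the bastion account's filesystem permissions on the repository, so give svn-deploy read-only permission: a compromised production host can then pull the release branch but cannot push into the history Jeff relies on for spotting unauthorized changes. The bastion's own keys for committing from the development side stay on the inside interface, which the firewall rules above leave untouched.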
