Date: Fri, 6 Feb 2009 17:58:00 +0100
From: cpghost
To: Giorgos Keramidas
Cc: "freebsd-questions@freebsd.org"
Subject: Re: OT: SVN checkout checksumming
Message-ID: <20090206165800.GB1444@phenom.cordula.ws>
In-Reply-To: <878wolpydl.fsf@kobe.laptop>
References: <4989B239.9090504@optiksecurite.com> <878wolpydl.fsf@kobe.laptop>

On Thu, Feb 05, 2009 at 01:37:26AM +0200, Giorgos Keramidas wrote:
> On Wed, 04 Feb 2009 10:20:25 -0500, FreeBSD wrote:
> > Hi everyone,
> >
> > I have asked this question on the svnforum.org and didn't get a good
> > answer, so I try it here.
> >
> > I want to use SVN to automate the update process of a custom
> > application. So, I'm planning to indicate to every PC to update
> > periodically to a specific branch of the repository. The problem is
> > that I need to be sure the files were not corrupted during the
> > transfer. So, I'm planning to generate the hash (SHA or MD5, doesn't
> > really matter) of every file downloaded by SVN on the client. For
> > this to work, I need to compare the hashes with their server-side
> > equivalent. I looked at the post-commit hooks and it looks pretty
> > interesting but is anyone doing something similar? How are you
> > creating the file containing the hash of the committed file?
>
> Let's assume for a moment that you install a post-commit hook that
> generates a SHA-256 checksum of all the files in the latest repo
> revision on the svn server.
>
> For the sake of simplicity, let's assume that this file is a simple,
> plain text file that is named db/revs/NUMBER.sha256 where 'NUMBER' is
> the revision number you are check-summing.
>
> How are you going to *safely* transmit those SHA-256 checksums to the
> client on 'svn checkout'?

Well, sorry to bring this back up, but again: how about signing
NUMBER.sha256 with a GnuPG private key belonging to the FreeBSD
Project? If there's a way to *safely* get the corresponding public
key, checking the signature of the NUMBER.sha256 files would be
trivial.

This doesn't solve the problem entirely, but it would alleviate it
somewhat (it's easier to get the GnuPG Public Key *once* over a
secure channel when you have access to it, e.g. when traveling
abroad etc... than having to rely every time on a secure channel for
the SVN updates (which may not always be available due to intrusive
MITM)).

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
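
The client-side check proposed in this message, sketched as an added example (not part of the original thread and not FreeBSD Project code): the detached signature on NUMBER.sha256 is verified with `gpgv` against a public keyring obtained once over a trusted channel, and only then are the checksums compared with the working copy. The `HEX  path` manifest layout, the function names and the file arguments are assumptions made for illustration.

```python
import hashlib
import subprocess
from pathlib import Path

def signature_ok(manifest, sig, keyring):
    """True only if gpgv accepts detached signature `sig` over `manifest`
    using a key from `keyring` (the public key fetched once, out of band)."""
    cmd = ["gpgv", "--keyring", str(Path(keyring).resolve()), str(sig), str(manifest)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:  # gpgv not installed: fail closed
        return False

def parse_manifest(text):
    """Parse 'HEX  path' lines (assumed sha256sum-style layout) into {path: hex}."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def check_tree(root, entries):
    """Return a list of problems; an empty list means the tree matches."""
    root = Path(root).resolve()
    problems, listed = [], set()
    for name, expected in entries.items():
        path = (root / name).resolve()
        listed.add(path)
        if root not in path.parents:  # reject '../' or absolute entries
            problems.append(f"{name}: escapes working copy")
        elif not path.is_file():
            problems.append(f"{name}: missing")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            problems.append(f"{name}: checksum mismatch")
    # Files on disk that the signed manifest does not cover are reported too.
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and ".svn" not in rel.parts and path.resolve() not in listed:
            problems.append(f"{rel}: not in manifest")
    return problems

def verify_checkout(root, manifest, sig, keyring):
    """Signature first: an unsigned or badly signed manifest is never parsed."""
    if not signature_ok(manifest, sig, keyring):
        return ["manifest signature invalid; checksums not trusted"]
    return check_tree(root, parse_manifest(Path(manifest).read_text()))
```

The manifest and its signature are expected to live outside the checked tree; otherwise they show up as files not covered by the manifest.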