Connection establishment ------------------------ Some desirable extensions: * Implement the CRAM-MD5 mechanism, maybe. This is a username/password mechanism, but instead of transmitting the password over the network where anyone could sniff it, it uses challenges to establish that the client knows the password. By having a built-in CRAM-MD5 mechanism, we can disallow the PLAIN mechanism and ensure that passwords are never sent over the net in the clear using the svn protocol. (SRP would be even cooler, since it establishes a security layer; but SRP looks like it would require an awful lot of code.) It would be nice if the built-in CRAM-MD5 mechanism could be file-format compatible with the Cyrus SASL library's CRAM-MD5 mechanism. This would mean reading passwords from /etc/sasldb in the Cyrus format. Unfortunately, /etc/sasldb is not a plain text file format; it can be in Berkeley DB (of any vintage), gdbm, or ndbm format. So that's probably hopeless. * Allow optional linking with the Cyrus SASL library to support more advanced mechanisms like SRP, GSSAPI, and STARTTLS. Modify marshal.c to support security layers provided by these mechanisms. * In the absence of ACLs, it should be possible to at least configure the server so that the anonymous user has read but not write access to the repository. Errors ------ There are some cases where errors aren't reported properly. Operations like get-file and get-log don't have an opportunity to send some errors to the client because they send their responses as a stream of data items after the normal command response. Commands which receive a report and then drive an editor also don't have an opportunity to report errors to the client. Fixing these problems requires some protocol changes. Server Configuration -------------------- The server is pretty limited right now. The following options are good fodder for a server configuration file: * Address and port number to listen on, in daemon mode * Logical repository root (currently "-r" option), or more flexible mappings of URL to physical repository * Option to chroot * Allow or disallow anonymous authentication It has been suggested that the rsyncd configuration file format is a good match for our needs, so anyone implementing this task should take a good look at that before starting. Reusing the code from svn_config is also key. Security -------- There is no way to disable anonymous authentication. Fixing that will probably wait for a server configuration file. Port number ----------- ghudson is awaiting a port assignment from IANA. In the meantime the code uses a temporary port in the private range. Hook Scripts ------------ Hook scripts which output to stdout confuse svnserve in tunnel mode, resulting in a cryptic "malformed network data" error on the client (as well as a confused working directory, if it's a commit hook). svnserve should probably protect against this. On Unix, I would: * dup the stdout file descriptor * Set the duplicated file descriptor close-on-exec * Close stdout and reopen it pointed at /dev/null But all that would need to be translated into apr-ese.