Table of Contents
A Subversion repository can be accessed simultaneously by
clients running on the same machine on which the repository
resides using the file:/// method. But the
typical Subversion setup involves a single server machine being
accessed from clients on computers all over the office—or,
perhaps, all over the world.
This section describes how to get your Subversion repository exposed outside its host machine for use by remote clients. We will cover Subversion's currently available server mechanisms, discussing the configuration and use of each. After reading this section, you should be able to decide which networking setup is right for your needs, and understand how to enable such a setup on your host computer.
Subversion was designed with an abstract network layer. This means that a repository can be programmatically accessed by any sort of server process, and the client “repository access” API allows programmers to write plugins that speak relevant network protocols. In theory, Subversion can use an infinite number of network implementations. In practice, there are only two servers at the time of writing.
Apache is an extremely popular webserver; using the mod_dav_svn module, Apache can access a repository and make it available to clients via the WebDAV/DeltaV protocol, which is an extension of HTTP. In the other corner is svnserve: a small, standalone server program that speaks a custom protocol with clients. Table 6.1, “Network Server Comparison” presents a comparison of the two servers.
Table 6.1. Network Server Comparison
| Feature | Apache + mod_dav_svn | svnserve |
|---|---|---|
| Authentication options | HTTP(S) basic auth, X.509 certificates, LDAP, NTLM, or any other mechanism available to Apache httpd | CRAM-MD5 or SSH |
| User account options | private 'users' file | private 'users' file, or existing system (SSH) accounts |
| Authorization options | read/write access can be granted over whole repository, or specified per-path. | read/write access can be granted over whole repository, or specified per-path. |
| Encryption | via optional SSL | via optional SSH tunnel |
| Logging | full Apache logs of each HTTP request, with optional “high-level” logging of general client operations | no logging |
| Interoperability | partially usable by other WebDAV clients | only talks to svn clients |
| Web viewing | limited built-in support, or via 3rd-party tools such as ViewVC | only via 3rd-party tools such as ViewVC |
| Speed | somewhat slower | somewhat faster |
| Initial setup | somewhat complex | fairly simple |
Install and configure and standard Apache 2.0 server, then activate a special subversion-server module. Clients speak to server via HTTP or HTTPS, using the WebDAV protocol.
Allows Subversion to use any of the numerous authentication systems already integrated with Apache.
No need to create system accounts on server.
Full Apache logging.
Network traffic can be encrypted via SSL.
HTTP(S) can usually go through corporate firewalls.
Built-in repository browsing via web browser.
Repository can be mounted as a network drive for transparent version control. (See the section called “Autoversioning”.)
Noticeably slower than svnserve, because HTTP is a stateless protocol and requires more turnarounds.
Initial setup can be complex.
A lightweight serve process which can run either as a persistent daemon, or as something automatically launched by inetd when necessary. Clients authenticate via CRAM-MD5 algorithm and speak a custom network protocol.
Quick and easy to set up.
Network protocol is stateful and noticeably faster than WebDAV.
No need to create system accounts on server.
Password is not passed over the network.
Network protocol is not encrypted.
Only one choice of authentication method.
Password is stored in the clear on the server.
No logging of any kind, not even errors.
Each client uses an existing SSH (system) account to spawn a temporary svnserve process (running as themselves) on the server machine. The svnserve process accesses the repository, communicates with the client over the SSH tunnel, then dies when the SSH connection is closed. (There is no long-running svnserve process.)
Network protocol is stateful and noticeably faster than WebDAV.
You can take advantage of existing ssh accounts and user infrastructure.
All network traffic is encrypted.
Only one choice of authentication method.
No logging of any kind, not even errors.
Requires users to be in same system group, or use a shared ssh key.
Can lead to file permissions problems.
So, which server should you use? Which is best?
Obviously, there's no right answer to that question. Every team has different needs, and the different servers all represent different sets of tradeoffs. The Subversion project itself doesn't endorse one server or another, or consider either server more “official” than another.
In general, the authors of this book recommend a vanilla svnserve installation for small teams just trying to get started with a Subversion server; it's the simplest to set up, and has the fewest maintenance issues. Remember, you can always switch to a more complex server deployment as your needs change.
Here are some general recommendations, based on years of supporting users:
If you're trying to set up the simplest possible server for your group, then a vanilla svnserve installation is the easiest, fastest route. Note, however, that your repository data will be transmitted in the clear over the network. If your deployment is entirely within your company's LAN or VPN, this isn't an issue. If the repository is exposed to the wide-open internet, then you might want to make sure the repository's contents aren't sensitive (e.g. it contains only open-source code.)
If you need to integrate with existing identity systems (LDAP, Active Directory, NTLM, X.509, etc.), then an Apache-based server is your only real option. Similarly, if you absolutely need server-side logs of either server errors or client activities, then an Apache-based server is required.
If you've decided to use either Apache or stock
svnserve, create a
single svn user on your system and run
the server process as that user. Be sure to make the
repository directory wholly owned by
the svn user as well. From a security
point of view, this keeps the repository data nicely
siloed and protected by operating system filesystem
permissions, changeable by only the Subversion server
process itself.
If you have an existing infrastructure heavily based on SSH accounts, and if your users already have system accounts on your server machine, then it makes sense to deploy an svnserve-over-ssh solution. Otherwise, we don't widely recommend this option to the public. It's generally considered safer to have your users access the repository via (imaginary) accounts managed by svnserve or Apache, rather than by full-blown system accounts. If your deep desire for encrypted communication still draws you to this option, we recommend using Apache with SSL instead.
Do not be seduced by the simple
idea of having all of your users access a repository
directly via file:/// URLs. Even if
the repository is readily available to everyone via
network share, this is a bad idea. It removes any layers
of protection between the users and the repository: users
can accidentally (or intentionally) corrupt the repository
database, it becomes hard to take the repository offline
for inspection or upgrade, and it can lead to a mess of
file-permissions problems (see
the section called “Supporting Multiple Repository Access Methods”.) Note
that this is also one of the reasons we warn against
accessing repositories via svn+ssh://
URLs — from a security standpoint, it's effectively
the same as local users accessing
via file:///, and can entail all the
same problems if the administrator isn't careful.)