[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Encrypted repository

From: Greg A. Woods
Subject: Re: Encrypted repository
Date: Tue, 12 Mar 2002 12:18:30 -0500 (EST)

[ On Tuesday, March 12, 2002 at 15:15:02 (+0100), address@hidden wrote: ]
> Subject: Encrypted repository
> I was wondering if there is any cvs extension out there that
> allows to have an encrypted repository without losing 
> all the cvs goodies (so not just checking in crypted stuff as
> binary) 

You'd be far better off using an encrypted filesystem.  CVS is not
designed as a security tool -- it has many limitations, some by design,
which would make it very hard to trust to have protected your data and
to keep it that way.  Client server applications are notoriously
difficult to design with integrated security, and their resulting size
and complexity makes implementation bugs a certainty.

Assuming you only need to protect the data when it's on media that's
more vulnerable than the running server, an encrypted filesystem is
perhaps your best choice (though if the server really is secure and it's
only backup media you're worried about, then encrypt only the latter).

In any case you must first analyse all the possible threats against your
code, the possible means of protecting it and how much each will cost
and how effective it will be, and then do a risk assessment to
understand which protective measures are worthwhile.  Even without
understanding the value of your code and without knowing what type of
threats you face in protecting it, I can almost guarantee to you that
developing an encryption feature for CVS will both cost more, and be
less effective, than almost any other possible mechanism.  It may even
be worse than doing nothing at all.  A risk assessment is not an easy
task, but it is an essential task any time you're about to venture out
on spending money on something that you cannot know will be effecitve
without comparing it to other options in the proper context.

                                                                Greg A. Woods

+1 416 218-0098;  <address@hidden>;  <address@hidden>;  <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]