Verifying a subversion checkout

Trond Endrestøl Trond.Endrestol at fagskolen.gjovik.no
Tue Feb 11 07:41:32 UTC 2014


On Tue, 11 Feb 2014 08:26+0100, C. P. Ghost wrote:

> Hello,
> 
> is there a way to automatically verify that the checkout
> of a random subversion revision of /usr/src hasn't been
> tampered with?
> 
> I'm worried about the possibility of

>   1/ an MitM attack while fetching the sources

HTTPS would be the best option, compared to pure SVN and HTTP access.

>   2/ changes to the local /usr/src for whatever reasons

Look into the svn status command. See svn --help status for all 
possible options. 

Otherwise, a complete new checkout would hopefully eliminate any 
wrongdoing.

Protecting, handholding and keeping your own local svn mirror updated 
might be another option.

> 2/ isn't so critical; there's always the possibility to check
> them from another machine, provided checksums were
> created immediately after the svn update. It's 1/ that's
> bothering me.
> 
> Or, asked differently, does SVN protocol support some
> kind of authentication that thwarts man-in-the-middle
> attacks?
> 
> Of course, at release points, we always have checksums
> for the ISO images. That's security-wise the only point
> where I'm sure that I'm running from genuine sources.
> It's what's in-between releases that I'm asking about.
> 
> Thanks,
> -cpghost.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
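
The checksum approach mentioned in the question, as an added example that is not part of the original message: `svn status` compares working files against the pristine copies kept under `.svn` on the same disk, so a manifest recorded right after `svn update` and stored on another machine gives an independent check. The function names and example paths are hypothetical, and the script assumes either `sha256sum` or FreeBSD's `sha256` is on the PATH.

```sh
#!/bin/sh
# Added example: SHA-256 manifest of a checkout, kept off-host and compared later.
# Function names are hypothetical. Paths containing newlines are not supported.

# Hash one file with sha256sum (GNU) or, failing that, FreeBSD's sha256 -q.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Print "<hash>  <path>" for every regular file under $1, skipping .svn metadata.
make_manifest() {
    ( cd "$1" || exit 1
      find . -name .svn -prune -o -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# Compare two manifests; list ADDED/MODIFIED/REMOVED paths, return 1 on any change.
compare_manifests() {
    diffs=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }  # 64 hex + 2 spaces
        {
            p = substr($0, 67)
            if (!(p in old))       print "ADDED    " p
            else if (old[p] != $1) print "MODIFIED " p
            delete old[p]
        }
        END { for (p in old) print "REMOVED  " p }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage (example paths):
#   make_manifest /usr/src > src.manifest      # right after svn update; copy off-host
#   make_manifest /usr/src > now.manifest
#   compare_manifests src.manifest now.manifest
```

Symbolic links are not hashed, and the manifest only proves the tree is unchanged since it was recorded, not that the fetch itself was genuine.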

