Date:      Fri, 6 Feb 2009 17:58:00 +0100
From:      cpghost <>
To:        Giorgos Keramidas <>
Cc:        "" <>
Subject:   Re: OT: SVN checkout checksumming
Message-ID:  <>
In-Reply-To: <878wolpydl.fsf@kobe.laptop>
References:  <> <878wolpydl.fsf@kobe.laptop>

On Thu, Feb 05, 2009 at 01:37:26AM +0200, Giorgos Keramidas wrote:
> On Wed, 04 Feb 2009 10:20:25 -0500, FreeBSD <> wrote:
> > Hi everyone,
> >
> > I have asked this question on the and didn't get a good
> > answer, so I try it here.
> >
> > I want to use SVN to automate the update process of a custom
> > application. So, I'm planning to indicate to every PC to update
> > periodically to a specific branch of the repository. The problem is
> > that I need to be sure the files were not corrupted during the
> > transfer. So, I'm planning to generate the hash (SHA or MD5, doesn't
> > really matter) of every file downloaded by SVN on the client. For
> > this to work, I need to compare the hashes with their server-side
> > equivalent. I looked at the post-commit hooks and it looks pretty
> > interesting but is anyone doing something similar? How are you
> > creating the file containing the hash of the committed file?
> Let's assume for a moment that you install a post-commit hook that
> generates a SHA-256 checksum of all the files in the latest repo
> revision on the svn server.
> For the sake of simplicity, let's assume that this file is a simple,
> plain text file that is named db/revs/NUMBER.sha256 where 'NUMBER' is
> the revision number you are check-summing.
> How are you going to *safely* transmit those SHA-256 checksums to the
> client on 'svn checkout'?

Well, sorry to bring this back up, but again: how about signing
NUMBER.sha256 with a GnuPG private key belonging to the FreeBSD
Project? If there's a way to *safely* get the corresponding
public key, checking the signature of the NUMBER.sha256 files
would be trivial.

This doesn't solve the problem entirely, but it would alleviate
it somewhat (it's easier to get the GnuPG Public Key *once* over
a secure channel when you have access to it, e.g. when traveling
abroad etc... than having to rely every time on a secure channel
for the SVN updates (which may not always be available due to
intrusive MITM)).


Cordula's Web.
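
The client-side check discussed in this message, as an added example (not part of the original e-mail and not FreeBSD Project tooling): verify a detached GnuPG signature over NUMBER.sha256 against a keyring obtained once over a trusted channel, then compare the checkout with the manifest. The function names, the keyring and signature file paths, and the `HEX  relative/path` manifest layout are assumptions.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def signature_ok(manifest: Path, sig: Path, keyring: Path) -> bool:
    """True only if gpgv accepts the detached `sig` over `manifest` with keys in `keyring`."""
    result = subprocess.run(
        ["gpgv", "--keyring", str(keyring), str(sig), str(manifest)],
        capture_output=True)
    return result.returncode == 0


def check_tree(manifest_text: str, root: Path) -> dict:
    """Compare a checkout with manifest lines; call only after signature_ok() is True."""
    expected = {}
    for line in manifest_text.splitlines():
        if line.strip():
            digest, name = line.split(maxsplit=1)
            expected[name.strip()] = digest.lower()
    report = {"mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            report["mismatch"].append(name)
    for path in root.rglob("*"):  # files on disk that the signed manifest never listed
        rel = path.relative_to(root)
        if path.is_file() and ".svn" not in rel.parts and rel.as_posix() not in expected:
            report["unlisted"].append(rel.as_posix())
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed sample: one intact file, one altered, one absent, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_bytes(b"mode=prod\n")
        (root / "run.sh").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "extra.bin").write_bytes(b"\x00")
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}"
            for name, data in [("app.conf", b"mode=prod\n"),
                               ("run.sh", b"#!/bin/sh\necho ok\n"),
                               ("lib/util.py", b"pass\n")])
        return check_tree(manifest, root)
```

A matching checksum only means something once the signature over the manifest has verified; a manifest fetched over the same untrusted channel as the files proves nothing by itself.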
