SVN authorization

Craig Treleaven ctreleaven at macports.org
Thu Aug 6 08:26:25 PDT 2015


> On Aug 6, 2015, at 9:44 AM, Rainer Müller <raimue at macports.org> wrote:
> 
> Hello Craig,
> 
> On 2015-08-06 14:52, Craig Treleaven wrote:
>>> On Aug 5, 2015, at 11:20 PM, Mihai Moldovan <ionic at macports.org> wrote:
>>> 
>>> On 06.08.2015 02:53 AM, Craig Treleaven wrote:
>>>> I vaguely recall running an svn command to add MacPorts as a trusted server (or some-such) but I don’t recall the details.  
>>>> 
>>>> Could someone point me in the right direction?
>>> 
>>> Refer to https://trac.macports.org/wiki/howto/SyncingWithSVN and specifically to
>>> Step 3 under "Configuration”.
>> 
>> Thanks for the pointer.  As I read the page, I only need to do the second part--storing the certificate file in [blah]/.subversion/auth/svn.ssl.server.  However, trying to selfupdate, I still get:
>> 
>> --->  Updating the ports tree
>> Synchronizing local ports tree from file:///Users/craigtreleaven/mp/ports
>> Updating '.':
>> svn: E175002: Unable to connect to a repository at URL 'https://svn.macports.org/repository/macports/trunk/dports'
>> svn: E175002: OPTIONS of 'https://svn.macports.org/repository/macports/trunk/dports': Server certificate verification failed: issuer is not trusted (https://svn.macports.org)
>> Command failed: /usr/bin/svn update --non-interactive /Users/craigtreleaven/mp/ports
>> Exit code: 1
>> 
>> 
>> I wonder if it is the ownership/permissions of the certificate file.  The wiki page doesn’t say so, but I had to use ‘sudo’ to create the directory and write the certificate file to it. 
>> 
>> $ sudo ls -al /opt/local/var/macports/home/.subversion/auth/svn.ssl.server
>> total 8
>> drwxr-xr-x  3 root  admin   102  6 Aug 08:27 .
>> drwx------  6 root  admin   204  5 Aug 20:19 ..
>> -rw-r--r--  1 root  admin  1806  6 Aug 08:27 9368d05e066fecedad33aa815bbaf7cc
> 
> Only root will be able to read this file (due to permissions on "..").
> MacPorts automatically runs the update command as the user owning the
> Subversion working copy, so you need to configure it for that user. The
> instructions in the wiki assume the ports tree will be owned by the
> macports user.
> 
>> Finally, I checked a backup of my 10.6 volume and I didn’t even have a '/opt/local/var/macports/home/.subversion/auth/svn.ssl.server’ directory?
> 
> Back then, /usr/bin/svn was still able to verify SSL certificates for
> HTTPS. Apple broke this with OS X 10.7 Lion and never fixed it.
> /usr/bin/svn does not have any list of trusted authorities and
> therefore always display this certificate warning requiring manual
> acknowledgement to continue.
> 
> Side note: if you install the subversion port and either curl-ca-bundle
> or certsync, certificate verification for HTTPS should just work using
> /opt/local/bin/svn.
> 
> I prefer to keep the ports tree in my home directory, where I also keep
> everything else I am working on. As MacPorts automatically switches to
> the user owning the ports tree, this works just fine and also uses my
> configuration of Subversion. But I need to ensure that the macports
> user is able to read the Portfiles (and accompanying patches). My setup
> is as follows:
> 
> In my /opt/local/etc/macports/sources.conf I have the following entry:
> file:///Users/raimue/src/macports/trunk/dports/ [default]
> 
> The permissions on this path are the following, especially I need the
> x-bit to allow any user to traverse through my home directory:
>  drwxr-xr-x    6 root    admin   204 Feb 21 21:32 /Users
>  drwxr-xr-x+ 227 raimue  staff  7718 Aug  6 15:26 /Users/raimue
>   0: group:everyone deny delete
>  drwx--x--x  117 raimue  staff  3978 Jul 27 10:54 /Users/raimue/src
>  drwxr-xr-x   23 raimue  staff   782 Jun  7 13:03 /Users/raimue/src/macports
>  drwxr-xr-x+  12 raimue  staff   408 Mar  7 16:21 /Users/raimue/src/macports/trunk
>   0: group:everyone allow list,search,file_inherit,directory_inherit
>  drwxr-xr-x+  52 raimue  staff  1768 Aug  5 15:14 /Users/raimue/src/macports/trunk/dports
>   0: group:everyone allow list,search,file_inherit,directory_inherit
> 
> These additional ACL entries make sure that the macports user is able
> to read Portfiles in the ports tree (not sure why I have that one on
> $HOME itself, is it default?). I could have made them less permissive,
> but the tree should not contain anything private anyway. They ensure
> that all newly created files get the correct permissions. Only when
> moving files from somewhere else into the ports tree I need to be more
> cautious and apply the ACL rules once again.
> 
> The command to set these ACLs would be:
> chmod -R +a "group:everyone allow read,execute,list,search,file_inherit,directory_inherit" <DIR>
> 
> Hopefully that helps you with your own setup.

Thanks Rainer!  I installed subversion, logged out and back in to clear the hash, and then needed to run svn upgrade in my ports directory.  That cleared the remaining hurdles and my tree is now updating!

Thanks again.

Craig


More information about the macports-dev mailing list