Help for adding a privacy prompt prior to checkout execution


Help for adding a privacy prompt prior to checkout execution

Bob Zhu
Hi there devs@subversion,

My name is Bob Zhu and I am the manager of the Configuration Management
team here at Fortinet Technologies.
Upper management has requested a privacy policy implementation on SVN:

We need to ensure all our devs who are checking out source from SVN are
prompted with a privacy policy that they must agree to before the
checkout can continue.

We understand that out of the box, SVN cannot do this and there is no
pre-checkout hook that we can write.

We are out of solutions, hence we are requesting your assistance with
this matter.
We are a security company, so this is something we take seriously.

If there are any solutions or suggestions you can provide on this, it
would be greatly appreciated!

Sincerely,
Bob Zhu
Fortinet Technologies Inc.



***  Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***



RE: Help for adding a privacy prompt prior to checkout execution

Markus Schaber
Hi, Bob,


From: Bob Zhu [mailto:[hidden email]]
> We need to ensure all our devs who are checking out source from SVN are
> prompted with a privacy policy that they must agree to before the checkout
> can continue.

Any such kind of policy is implemented client-side, and thus can always be circumvented.

May I suggest a different approach: Protect your SVN repository behind authentication (either username/password, or ssh, or client certificates). Then only allow access for those users once they have signed the privacy policy on a different channel (e.g. on paper, or via a web form, etc.; the web form way can be easily automated).

And make sure that the policy does not allow passing the contents of a working copy to others who did not sign the agreement. :-)




Best regards

Markus Schaber

CODESYS® a trademark of 3S-Smart Software Solutions GmbH

Inspiring Automation Solutions

3S-Smart Software Solutions GmbH
Dipl.-Inf. Markus Schaber | Product Development Core Technology
Memminger Str. 151 | 87439 Kempten | Germany
Tel. +49-831-54031-979 | Fax +49-831-54031-50

E-Mail: [hidden email] | Web: http://www.codesys.com | CODESYS store: http://store.codesys.com
CODESYS forum: http://forum.codesys.com

Managing Directors: Dipl.Inf. Dieter Hess, Dipl.Inf. Manfred Werner | Trade register: Kempten HRB 6186 | Tax ID No.: DE 167014915

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received
this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure
or distribution of the material in this e-mail is strictly forbidden.



Re: Help for adding a privacy prompt prior to checkout execution

Bob Zhu
Hi Markus,

Thank you for the quick response and your suggestions.

Currently, our employees can only access SVN through
authentication with our LDAP server.
So authentication-wise, we are fine, but upper management wants a
bit more.
Unfortunately, the other suggestions you have made have been shot down
and don't fully meet upper management's requirements.

We definitely don't want to do anything client side since that would be a
nightmare to manage afterwards.
Upper management essentially wants this reminder every time they do a
checkout.  Almost like a disclaimer that they have to agree to before
continuing.

Are there any other suggestions from a server side perspective that can be
done?  Or has anyone done something like this before with SVN?

Thanks!
Bob

On 08/31/2017 11:38 PM, Markus Schaber wrote:

> Hi, Bob,
>
>
> From: Bob Zhu [mailto:[hidden email]]
>> We need to ensure all our devs who are checking out source from SVN are
>> prompted with a privacy policy that they must agree to before the checkout
>> can continue.
> Any such kind of policy is implemented client-side, and thus can always be circumvented.
>
> May I suggest a different approach: Protect your SVN repository behind authentication (either username/password, or ssh, or client certificates). Then only allow access for those users once they have signed the privacy policy on a different channel (e.g. on paper, or via a web form, etc.; the web form way can be easily automated).
>
>
>
> And make sure that the policy does not allow passing the contents of a working copy to others who did not sign the agreement. :-)
>
>
>
>
> Best regards
>
> Markus Schaber


Re: Help for adding a privacy prompt prior to checkout execution

Daniel Shahaf-5
Bob Zhu wrote on Fri, Sep 01, 2017 at 10:13:39 -0700:
> We definitely don't want to do anything client side since that would be a
> nightmare to manage afterwards.
> Upper management essentially wants this reminder every time they do a
> checkout.  Almost like a disclaimer that they have to agree to before
> continuing.
>
> Are there any other suggestions from a server side perspective that can be
> done?  Or has anyone done something like this before with SVN?

You could implement some sort of POP-before-SMTP thing where employees'
password does not work on checkout operations unless they visited a
portal with a "Yes I will obey the privacy policy" click-through button
in the preceding five minutes.

Maybe there already is a SASL plugin that does that…
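As an added illustration of the two server-side models proposed in this thread (Markus's "allow access once the policy has been signed" and Daniel's "the password only works within five minutes of a portal click-through"), here is a small Python sketch. It is not part of the thread and not Subversion's own code: a portal-side acknowledgement store plus a renderer that writes a standard Subversion authz file granting read access only to users who currently pass the gate. The class and function names, the user names in the demo and the five-minute window are assumptions; it also assumes the portal regenerates the file on every click-through (and a periodic job regenerates it as windows expire) and that mod_authz_svn is pointed at it with AuthzSVNAccessFile.

```python
"""Added example, not from the thread: an acknowledgement gate for SVN access.

window=None  -> "signed once, access granted" (Markus's suggestion)
window=300   -> "click-through within the last five minutes" (Daniel's suggestion)
The result is rendered as a Subversion authz file (mod_authz_svn format).
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field

# Assumed window length; the thread mentions "the preceding five minutes".
ACK_WINDOW_SECONDS = 5 * 60


@dataclass
class AcknowledgementStore:
    """Records the UNIX time of each user's last privacy-policy click-through.

    In a real deployment this would be backed by the portal's database; here it
    is an in-memory dict so the example runs offline.
    """
    acks: dict[str, float] = field(default_factory=dict)

    def record(self, user: str, when: float) -> None:
        """Called by the portal when `user` accepts the policy."""
        self.acks[user] = when

    def is_permitted(self, user: str, now: float,
                     window: float | None = ACK_WINDOW_SECONDS) -> bool:
        """True if `user` may read the repository at time `now`.

        A user who never acknowledged is always refused.  With window=None one
        acknowledgement is enough; otherwise it must be no older than `window`
        seconds (and not in the future, which would indicate a clock problem).
        """
        last = self.acks.get(user)
        if last is None:
            return False
        if window is None:
            return True
        return 0 <= now - last <= window

    def permitted_users(self, now: float,
                        window: float | None = ACK_WINDOW_SECONDS) -> list[str]:
        """Sorted list of users who currently pass the gate."""
        return sorted(u for u in self.acks if self.is_permitted(u, now, window))


def render_authz(store: AcknowledgementStore, now: float, repo_path: str = "/",
                 window: float | None = ACK_WINDOW_SECONDS) -> str:
    """Render a Subversion authz file: read access for the acknowledged group,
    no access for anyone else.  Because the gate is enforced on the path rule
    rather than on a specific command, it covers checkout, update, export and
    switch alike (the gap Markus points out later in the thread)."""
    members = store.permitted_users(now, window)
    lines: list[str] = []
    if members:  # Subversion groups need at least one member, so omit an empty group.
        lines += ["[groups]", "acknowledged = " + ", ".join(members), ""]
    lines.append(f"[{repo_path}]")
    if members:
        lines.append("@acknowledged = r")
    lines.append("* =")  # deny everyone not listed above
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo data: alice clicked through just now, bob an hour ago.
    store = AcknowledgementStore()
    now = time.time()
    store.record("alice", now - 30)
    store.record("bob", now - 3600)
    print("five-minute window:\n" + render_authz(store, now))
    print("signed-once model:\n" + render_authz(store, now, window=None))
```

The portal would call `record()` on each accepted click-through and then write `render_authz(...)` to the path named by `AuthzSVNAccessFile`; with the five-minute model a cron job has to rewrite the file at least once a minute so that expired users drop out even when nobody clicks. Note that this gates the whole repository read path, not only `checkout`, which is what makes it more than the client-side prompt the original question asked for.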

RE: Help for adding a privacy prompt prior to checkout execution

Markus Schaber
Hi, Bob,

From: Bob Zhu [mailto:[hidden email]]

> We definitely don't want to do anything client side since that would be a
> nightmare to manage afterwards.
> Upper management essentially wants this reminder every time they do a
> checkout.  Almost like a disclaimer that they have to agree to before
> continuing.

To be honest, I think your upper management should re-think this detail of their decision.

First, anchoring everything at the "checkout" operation is a bit too specific - what about operations like "export", "update" or "switch" which can also bring in new data which has not been in the local working copy before?

And second, having a high hurdle before a "checkout" will lead to teammates exchanging working copies directly, keeping zip-files of those "on stock" in case they "need it again later", and other attempts to circumvent it.

One possible solution I could think of is that they need to use a different user name for that specific repository, e.g. instead of "foobar" they need to enter "foobar-I-know-it-is-confidential", using the same password as for their normal account.

Another possibility would be to hide the server behind a proxy, and the proxy requires a separate proxy authentication.

But none of them are implemented "out of the box" with stock SVN.

Best regards

Markus Schaber
