On Thu, 2005-07-28 at 17:58, James Y Knight wrote:
If you use the fsfs storage mechanism for Subversion, it is somewhat simpler to verify that the repository is not compromised. Each commit is represented as a separate file, and thus old commits are never modified. Only new files are appended to the directory. If you have a filesystem that allows "append-only" permissions on a directory, you can enforce this directly. Additionally, it is possible in your backup script to verify that only new files were added and nothing else changed.
Then at least you know how much you need to examine instead of having to treat the entire repository as possibly contaminated.
Would it buy us any additional peace of mind to checksum the transaction files as they're committed and store those checksums outside the repository?
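
The check discussed in this thread, as an added example that is not from either poster or from Subversion: a manifest of SHA-256 digests kept outside the repository, against which a backup script confirms that revision files were only added, never changed or removed. The manifest format, the function names and the sample directory built in `demo()` are assumptions made for the illustration.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest


def verify(root, manifest_path):
    """Compare root with the stored manifest; only additions are acceptable."""
    previous = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            previous = json.load(fh)
    current = snapshot(root)
    report = {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "modified": sorted(p for p in previous
                           if p in current and previous[p] != current[p]),
    }
    report["ok"] = not (report["removed"] or report["modified"])
    if report["ok"]:
        # Extend the trusted manifest with new files only. On a mismatch it is
        # left untouched, so the record of the last good state survives.
        previous.update((p, current[p]) for p in report["added"])
        with open(manifest_path, "w") as fh:
            json.dump(previous, fh, indent=1, sort_keys=True)
    return report


def demo():
    """Constructed sample: a stand-in revision directory, not a real repository."""
    with tempfile.TemporaryDirectory() as tmp:
        revs, manifest = os.path.join(tmp, "revs"), os.path.join(tmp, "seen.json")
        os.mkdir(revs)
        steps = [{"0": "r0", "1": "r1"}, {"2": "r2"}, {"1": "tampered"}]
        reports = []
        for files in steps:  # baseline, one new commit, then an edited old file
            for name, text in files.items():
                with open(os.path.join(revs, name), "w") as fh:
                    fh.write(text)
            reports.append(verify(revs, manifest))
        return reports
```

Point it at the revision files only: revision properties can legitimately change when the repository's pre-revprop-change hook allows it, so they would show up as modified. The manifest is only as trustworthy as where it lives, so keep it on a host or medium the repository server cannot write to.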