svn:externals can be great for sucking in central libraries or IP into a project, so that they can be kept in one location accessible for all.
But if I'm asking people to external tags of common IP (so it doesn't change on them) it opens the possibility of them inadvertently committing changes to the tag.
How can I make svn:externals read-only? It's acceptable if there is some extra argument or some way of making the external that we can add to the procedure for everyone to follow.
Make the external repositories read-only to everyone except their maintainers.
svn:externals just makes checkouts.
If you want to prevent some people from committing to something they are not supposed to be committing to, you can use repository-level access-control or path-based authorization.
If you do not trust your developers to know what they are changing and committing, you need to stop them from committing to trunk anyway, and have integration go through a gatekeeper, either human or programmatic.
Anyway, people should not normally have to modify dependences. If they do, you have serious architecture problems.
Actually, TortoiseSVN detects you are trying to commit to a tag through the commit hook, and warns the user of this, which basically satisfies my requirement for a speed bump. So we're already good.