In my research, I found some concern around deploying an online PHP application while leaving its ".hg" folder or ".svn" folders in place on the production server. Unfortunately, I was not able to find a clear explanation as to why this is a concern. I would like to better understand this security risk.
It seems to me that you don't want these folders visible any more than you want the contents of the PHP files displayed. Wouldn't the solution be to configure the web server to not serve the ".hg" directory? Does the security concern run deeper than this? I really don't know. Your assistance with this is greatly appreciated!
If it is helpful, the reason I want to keep version control on the server's production repository is the following:
- Faster deployment from Staging (vs. doing a fresh copy per deploy)
- Easy and fast rollback capability
- The ability to verify that production remains unchanged (via `hg st`)
Alternatives are welcome.
Thanks!
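Added example (not part of the question above): the risk with a served `.hg` or `.svn` directory is that its metadata contains the complete repository history (for Mercurial, under `.hg/store`), so anyone who can fetch those files can reconstruct every source file, including ones later deleted, and `.hg/hgrc` may hold repository paths with embedded credentials. The script below audits a document root for VCS metadata directories and prints deny rules for Apache 2.4 and nginx. The document root path and the temporary layout used in `demo` are constructed for the demonstration; the directives are standard ones.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web document root for
# version-control metadata directories that should never be served, and print
# a matching deny rule for the web server. Paths in demo are constructed.

# Print every .hg, .svn or .git directory found under the given document root.
# Usage: find_vcs_dirs /var/www/html   (path is an assumption for the demo)
find_vcs_dirs() {
    find "$1" -type d \( -name .hg -o -name .svn -o -name .git \) 2>/dev/null
}

# Succeed (exit 0) when no VCS metadata is present, fail (exit 1) otherwise.
docroot_is_clean() {
    [ -z "$(find_vcs_dirs "$1")" ]
}

# Apache 2.4 fragment: refuse any request whose path passes through a VCS dir.
apache_deny_rule() {
    cat <<'EOF'
<DirectoryMatch "/\.(hg|svn|git)">
    Require all denied
</DirectoryMatch>
EOF
}

# nginx fragment: answer 404 so the directory's existence is not confirmed.
nginx_deny_rule() {
    cat <<'EOF'
location ~ /\.(hg|svn|git) {
    return 404;
}
EOF
}

# Demonstration on a constructed document root in a temporary directory.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/.hg/store" "$root/app/.svn"
    echo "--- VCS metadata directories under $root:"
    find_vcs_dirs "$root"
    if docroot_is_clean "$root"; then
        echo "clean"
    else
        echo "NOT clean: VCS metadata sits inside the document root"
    fi
    echo "--- Apache rule:"; apache_deny_rule
    echo "--- nginx rule:";  nginx_deny_rule
    rm -rf "$root"
}
```

The deny rule is the safety net; the more robust fix is to make the web server's document root a subdirectory of the checkout (for example `repo/public`) so the `.hg` directory is never under a served path at all, while `hg st` and rollbacks still work from the checkout above it.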