tags:

views:

230

answers:

5
+2  Q: 

Where to manage the most sensitive content you have under version control?

Do any version control systems allow you to specify line level security restrictions rather than file level? I know it would be horrible to maintain. If I wanted to never allow certain strings into the database should I be looking into the notion of hooks and manage all the very sensitive information in that hook layer? How do hooks get replicated from system to system?

Update: Maybe the best way to manage this is to pgp encrypt the sensitive data and those who cannot decrypt it will be left in the dark. Any thoughts on that? Probably not a best practice from a security standpoint.

+1  A: 

Subversion doesn't allow it, and I don't think any others do.

Osama ALASSIRY  2009-06-07 17:45:35
+2  A: 

Perhaps you should separate out the worrisome strings, lines, and functions into a separate file (or better yet files). That way you can just manage the file(s) in question.

C. Ross  2009-06-07 17:47:59
I tend to agree but as version control systems go viral and distributed this management becomes a bit of an abortion.
ojblass  2009-06-08 03:20:07
I'm not sure I know what you mean by "an abortion". Also how are Version Control systems going viral?
C. Ross  2009-06-08 12:15:14
I'm guessing its the eggcorn: abberation/abortion
Cheekysoft  2009-06-08 15:34:18
+1  A: 

You could run separate repositories and maintain stricter controls on the repository with the sensitive data.

kbyrd  2009-06-07 18:18:51
as repositories go distributed I have trouble understanding what is exactly under my control. My choice of subversion was actually partially due to the fact that it is more centralized. Breaking it into another repository is likely the best option I have. I was thinking maybe pgp encrypt the sensitive information and allow it out wherever it needs to go.
ojblass  2009-06-08 03:22:31
+3  A: 

We had the same problem and decided to solve it by setting up a second repository.

This originated when I needed to store our configuration management files in version control, which contained sensitive information. It made sense to store the sensitive data from our applications in there as well.

We originally used svn externals and git submodules to include the sensitive data, but later found it less troublesome to just simlink to another location.

I also find it helpful to add the proper ignores to prevent the same files ever getting checked in to the development repository. Since doing this we have not had anyone accidentally check in anything sensitive.

It helps try an keep the sensitive information contained in a concise set of config files -- I would not spread it out, put it one place and guard that place.

csexton  2009-06-08 01:03:47
The ignrore option is truly a great tip thank you.
ojblass  2009-06-13 16:02:43
Great answer. It steps back from the OP's target of a solution to address the real concern, and offers an alternative.Actual question seems to relate more to control over different sets of data and allowing those into/out of certain repositories.Going further though, if you're required to version control sensitive information, then there should be a properly protected repository to allow this. Then you have one repository where you ignore the sensitive data (the development/public one), and one where you can push your changes of sensitive data.
maxwellb  2009-06-13 23:55:41
+2  A: 

Do any version control systems allow you to specify line level security restrictions rather than file level?

Does any Operating System allow you to specify line level security restrictions rather than file level? Probably only at the NSA (and friends).

You're best bet is to encrypt any file containing sensitive information before adding it to version control. This also protects it from accidental display, e.g. git diff while someone is looking over your shoulder.

pgs  2009-06-08 04:36:07

related questions

Best strategy to write hooks for subversion in Windows
Database Version Control
Version control PHP Web Project
Experience with SVN vs. Team Foundation Server?
Best SVN Client Ignore Pattern for VB.NET Solutions?
SVN merge merged extra stuff
What is your favorite web app deployment workflow with SVN?
Integrating Fogbugz with TortoiseSVN with no URL/Subversion backend
Version Control. Getting started...
ASP.NET Display SVN Revision Number
How do I create a branch in SVN?
What do the result codes in svn mean?
Could you recommend a good free project hosting website?
Federated (Synced) Subversion servers?
Mechanisms for tracking DB schema changes
What are the advantages of using SVN over CVS?
Use SVN Revision to label build in CCNET
Best subversion client for Mac OS
Why is Git better than Subversion?
ASP.NET, Visual Studio and Subversion - how to integrate?
Best Practice: Collaborative Environment, Bin Directory, SVN
How do I sync the SVN revision number with my ASP.NET web site?
Best Subversion clients for Windows Vista (64bit)
Good branch/merge tutorials for Tortoise SVN?
How can you get Subclipse in Aptana to work with the newest release of Subversion?