This documentation was written to describe the 1.7.x series of Apache™ Subversion®. If you are running a different version of Subversion, you are strongly encouraged to visit http://www.svnbook.com/ and instead consult the version of this documentation appropriate for your version of Subversion.
So, which server should you use? Which is best?
Obviously, there's no right answer to that question. Every team has different needs, and the different servers all represent different sets of trade-offs. The Subversion project itself doesn't endorse one server or another, or consider either server more “official” than another.
Here are some reasons why you might choose one deployment over another, as well as reasons you might not choose one.
Quick and easy to set up.
Network protocol is stateful and noticeably faster than WebDAV.
No need to create system accounts on server.
Password is not passed over the network.
By default, only one authentication method is available, the network protocol is not encrypted, and the server stores clear text passwords. (All these things can be changed by configuring SASL, but it's a bit more work to do.)
No advanced logging facilities.
No built-in web browsing. (You'd have to install a separate web server and repository browsing software to add this.)
The network protocol is stateful and noticeably faster than WebDAV.
You can take advantage of existing SSH accounts and user infrastructure.
All network traffic is encrypted.
Only one choice of authentication method is available.
No advanced logging facilities.
It requires users to be in the same system group, or use a shared SSH key.
If used improperly, it can lead to file permission problems.
It allows Subversion to use any of the numerous authentication systems already integrated with Apache.
There is no need to create system accounts on the server.
Full Apache logging is available.
Network traffic can be encrypted via SSL.
HTTP(S) can usually go through corporate firewalls.
Built-in repository browsing is available via web browser.
The repository can be mounted as a network drive for transparent version control (see the section called “Autoversioning”).
Noticeably slower than svnserve, because HTTP is a stateless protocol and requires more network turnarounds.
Initial setup can be complex.
In general, the authors of this book recommend a vanilla svnserve installation for small teams just trying to get started with a Subversion server; it's the simplest to set up and has the fewest maintenance issues. You can always switch to a more complex server deployment as your needs change.
Here are some general recommendations and tips, based on years of supporting users:
If you're trying to set up the simplest possible server for your group, a vanilla svnserve installation is the easiest, fastest route. Note, however, that your repository data will be transmitted in the clear over the network. If your deployment is entirely within your company's LAN or VPN, this isn't an issue. If the repository is exposed to the wide-open Internet, you might want to make sure that either the repository's contents aren't sensitive (e.g., it contains only open source code), or that you go the extra mile in configuring SASL to encrypt network communications.
If you need to integrate with existing legacy identity systems (LDAP, Active Directory, NTLM, X.509, etc.), you must use either the Apache-based server or svnserve configured with SASL.
If you've decided to use either Apache or stock svnserve, create a single svn user on your system and run the server process as that user. Be sure to make the repository directory wholly owned by the svn user as well. From a security point of view, this keeps the repository data nicely siloed and protected by operating system filesystem permissions, changeable by only the Subversion server process itself.
If you have an existing infrastructure that is heavily based on SSH accounts, and if your users already have system accounts on your server machine, it makes sense to deploy an svnserve-over-SSH solution. Otherwise, we don't widely recommend this option to the public. It's generally considered safer to have your users access the repository via (imaginary) accounts managed by svnserve or Apache, rather than by full-blown system accounts. If your deep desire for encrypted communication still draws you to this option, we recommend using Apache with SSL or svnserve with SASL encryption instead.
Do not be seduced by the simple
idea of having all of your users access a repository
directly via file://
URLs. Even if the
repository is readily available to everyone via a network
share, this is a bad idea. It removes any layers of
protection between the users and the repository: users can
accidentally (or intentionally) corrupt the repository
database, it becomes hard to take the repository offline
for inspection or upgrade, and it can lead to a mess of
file permission problems (see the section called “Supporting Multiple Repository Access Methods”). Note that this
is also one of the reasons we warn against accessing
repositories via svn+ssh://
URLs—from a security standpoint, it's effectively
the same as local users accessing via
file://
, and it can entail all the same
problems if the administrator isn't careful.