Virus in Subversion repository, what to do?
Imagine the following situation:
- A virus infected file was committed into a Subversion repository.
- An Anti Virus scanner runs on the server and also scans the Subversion repository.
The Anti Virus scanner will delete the affected revision or move it to quarantine. The consequence is a broken repository.
If the revision file is recoverable (from quarantine), how to solve this problem?
I have some goals to achieve:
- The AV is not allowed to be disabled or excluded from the directories.
- The virus infected file must not be stored in the repository.
- The repository must be consistent and usable.
What is the nicest solution for this little problem?
From the FAQ:
There are special cases where you might want to destroy all evidence of a file or commit. (Perhaps somebody accidentally committed a confidential document.) This isn't so easy, because Subversion is deliberately designed to never lose information. Revisions are immutable trees which build upon one another. Removing a revision from history would cause a domino effect, creating chaos in all subsequent revisions and possibly invalidating all working copies.
The project has plans, however, to someday implement an svnadmin obliterate command which would accomplish the task of permanently deleting information. (See issue 516.)
In the meantime, your only recourse is to svnadmin dump your repository, then pipe the dumpfile through svndumpfilter (excluding the bad path) into an svnadmin load command. See chapter 5 of the Subversion book for details about this.
The easiest? Restore from a backup from before the commit with the virus...
If you created the repository in file mode (single repo file per source file) then you can probably fix/edit/replace the infected file.
If you created it in DB mode then it's harder - you can svndump then svncreate a new repo, but it's probably easier to exclude the SVN repository from the virus scan
"The AV is not allowed to be disabled or excluded from the directories."
Fight with your IT Department to add your repos in exclusions. BEST, if the AV supports "Informative only mode", make it work with your repos in informative only mode. Most times, such old viruses are just false positives. Add precommit hooks to virus-scan any file and reject the commit if it is flagged by a virus.
If the AV reports an old file as being infected, check whether it is a false positive. If it's not, and the file really is an old virus, just commit its deletion and ignore its existence in your history altogether.
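
The pre-commit check suggested in the answer above, as an added example that is not part of the original answer: a POSIX shell hook that streams each added or modified file of the pending transaction to a scanner and rejects the commit on a detection or on a scan failure. ClamAV's `clamscan` is an assumption (the page names no scanner), and the function name `scan_txn` is hypothetical; `svnlook changed -t` and `svnlook cat -t` read the not-yet-committed transaction.

```shell
#!/bin/sh
# Added example: Subversion pre-commit hook that virus-scans a transaction.
# Assumption: ClamAV's clamscan is installed; "clamscan -" scans stdin and
# exits 0 (clean), 1 (detection) or 2 (error).

# scan_txn REPOS TXN -> returns 0 if every changed file is clean, 1 otherwise
scan_txn() {
    repos=$1
    txn=$2
    # List the paths touched by the pending transaction; fail closed on error.
    changed=$(svnlook changed -t "$txn" "$repos") || return 1
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Output format: status flags in columns 1-4, path from column 5.
        status=$(printf '%s' "$line" | cut -c1-4)
        path=$(printf '%s' "$line" | cut -c5-)
        case $status in D*|_U*) continue ;; esac   # deletion or property-only change
        case $path in */) continue ;; esac         # directory entry, no content
        # Stream the uncommitted file content to the scanner.
        svnlook cat -t "$txn" "$repos" "$path" </dev/null \
            | clamscan --no-summary - >/dev/null 2>&1
        case $? in
            0) ;;
            1) echo "Commit rejected: $path was flagged by the virus scanner" >&2
               rc=1 ;;
            *) echo "Commit rejected: scanning $path failed" >&2
               rc=1 ;;
        esac
    done <<EOF
$changed
EOF
    return $rc
}

# Act as a hook only when installed as hooks/pre-commit; Subversion passes the
# repository path and the transaction name, and a non-zero exit aborts the commit.
case ${0##*/} in
    pre-commit) scan_txn "$1" "$2" || exit 1 ;;
esac
```

Text written to stderr by the hook is returned to the committing client, so the user sees which path was rejected.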