We have an SVN setup and there are some things we dislike about it and some things we like about it. We want to move to git, but we're not sure exactly what setup will work for us. We're currently using SVN (w/ Authz) + Apache (w/ WebDAV & LDAP).

  1. Hook to update the live site [like]
  2. Live site update requires no additional interaction [like]
  3. Live site update uses stored password [dislike]
  4. Commits require centralized-password authentication [like]
  5. Commit from live site changes stored credentials [dislike]
  6. Access control (per repository) for commits [like]

Point 5 above is the one that keeps stuffing us up. Someone makes a commit from the live site and then the hook breaks.

We're thinking to use gitosis/gitolite to get access control, but as they use ssh keys, we won't be requiring passwords. We're also thinking to use git-http-backend, and use Apache for authentication, but then do we lose access control? Can the live site be automatically updated from a hook if Apache requires authentication? Can we combine git-http-backend and gitosis/gitolite somehow? Can we store http credentials with git?

  • Just fix your mentality and use SVN in the right way - if you have troubles with SVN, you'll **get extremely more headache with Git** – Lazy Badger Mar 22 '12 at 07:08
  • 2
    Re: 3 and 5: **NEVER USE WORKING COPY AS LIVE SITE!!!** -- SVN hooks (namely post-commit hook) and/or `svn export` are better/safer ways to update your live site. – Lazy Badger Mar 22 '12 at 07:12
  • Some people do this and then we end up with 100's of commits where people fix typos. Or worse, they break the live site and don't even notice. – Jayen Mar 22 '12 at 22:59
  • 1
    Monkey with a grenade **should not have access to SVN**. Using brain and hands smart admin can write intelligent hooks. And **testing code before deploy** will eliminate breaking site. Fair price for security, freedom from the danger of a stolen developer's login and as result - code, and ruined repo – Lazy Badger Mar 22 '12 at 23:16
  • Then you should think about testing environment for developers. You can just prepare a (for example Virtualbox) virtual machine with everything up'n'running and give it to developers. They then should just point VirtualBox shared folder to the project root on their host box. – jollyroger Mar 22 '12 at 23:22
  • The repo won't be ruined by the developers, since you can always revert in svn. The hooks are accessible only by the administrator. – Jayen Mar 23 '12 at 01:17
  • We have a testing environment, but that doesn't stop people from making errors in the production environment, unfortunately. – Jayen Mar 23 '12 at 01:17

2 Answers


If you still prefer using `svn up` for the live site, read `svn help up` carefully and pay attention to some options in order to handle credentials in the Smart Way

Global options:
  --username ARG           : specify a username ARG
  --password ARG           : specify a password ARG
  --no-auth-cache          : do not cache authentication tokens
Lazy Badger

We're also thinking to use git-http-backend, and use Apache for authentication, but then do we lose access control?

No, you can set up authentication with LDAP almost exactly how you have used it for SVN. Gitweb and git-http-backend use mod_ldap just like SVN for auth purposes.

Can the live site be automatically updated from a hook if Apache requires authentication?

Git comes with gitweb by default. It's predominantly what's used out there for an online browser for your source code base. You can configure it behind Apache with mod_ldap for auth purposes just like git-http-backend. No hook is required for updating the online browser and repositories listed within. This is all maintained by the CGI, git-http-backend.

Can we combine git-http-backend and gitosis/gitolite somehow?

gitolite is what you want:


Gitosis is basically deprecated:

Ubuntu-server: gitosis user naming convention

Personally, we just use LDAP for user authorization and authentication. You don't really need gitolite for user management if you're using LDAP. You can use any general LDAP user management tool for this. Most Linux distributions come with a variety of UI tools for managing OpenLDAP. If you use Windows, just use Active Directory.

Both the default approach (git, gitweb, git-http-backend, LDAP) and gitolite support the following:

  • they are not "real" users, as in logins on the physical box hosting (according to how you use LDAP)
  • they do not get shell access (according to how you use LDAP)
  • control access to many git repositories
  • read access controlled at the repo level
  • can be installed without root access, assuming git and perl are already installed
  • authentication is most commonly done using sshd, but you can also use httpd if you prefer (this may require root access).

However, if you want that fine-grained user management without LDAP and fit the following criteria, then gitolite might be a better solution:

  • use a single unix user ("real" user) on the server
  • provide access to many gitolite users
  • write access controlled at the branch/tag/file/directory level, including who can rewind, create, and delete branches/tags

From http://sitaramc.github.com/gitolite/index.html#gl_what

Can we store http credentials with git?

Yes, you can store/assign users using git config:

git config --global user.name "Foo Bar"
git config --global user.email "your@mail.address.com"
git config --global user.password "yourpassword"
git config --global github.user "yourusername"
git config --global github.password "yourpassword"

Although, if you use it with SSH, make sure you're using CA certificates and not self-signed ones. Git has this weird hack, sslVerify=false, to make it work with self-signed certs, which kind of seems to defeat the purpose of using certs.

When you go to migrate code from svn to git, you will need a good import tool. I couldn't find any that worked well for large repositories so I wrote my own. Feel free to experiment if you encounter issues with git-svn:


Jason Huntley
  • We're using Authz files for SVN access control, not LDAP groups. Can we use that with git-http-backend? Is the syntax the same? – Jayen Mar 22 '12 at 23:02
  • Some addition: I wrote a hook to update live server some time ago, this might be handy to achieve point (2): https://github.com/jollyroger/vcs-hooks/tree/master/git/server-sync. One more addition for SSH and LDAP: you can store SSH keys in LDAP using OpenSSH with LPK patch: http://code.google.com/p/openssh-lpk/ – jollyroger Mar 22 '12 at 23:17
  • Our hook is just `ssh host svn up` and would become `ssh host git pull`. We don't have write access to the LDAP server. This is an enterprise environment where the admins for the "live site" and the admins for LDAP are a dysfunctional family. – Jayen Mar 23 '12 at 01:21
  • Jayen, you could set up something hybrid, use Apache & LDAP for general user authentication and deploy a hook to add additional ACLs/group authorization. There are several scripts out there for doing this. One specifically, update-paranoid: http://git.kernel.org/?p=git/git.git;a=blob;f=contrib/hooks/update-paranoid;hb=master . – Jason Huntley Mar 23 '12 at 02:44
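
The hybrid setup discussed in this thread (Apache and LDAP authenticate, a server-side hook authorizes each pushed ref) can be sketched as follows. This is an added example, not part of the original thread and not update-paranoid; the ACL file format and its path are hypothetical, and it assumes the authenticated login reaches the hook as `REMOTE_USER` from git-http-backend's CGI environment.

```shell
#!/bin/sh
# Sketch of a server-side "update" hook; git runs it once per pushed ref as
#   update <refname> <old-sha> <new-sha>
# Assumption: Apache authenticated the user (e.g. via LDAP) and the login
# reaches the hook as REMOTE_USER through git-http-backend's CGI environment.
# Hypothetical ACL file, one rule per line:  <user|*> <ref-glob> <allow|deny>
# The first matching rule wins; no matching rule means deny.

# Hypothetical location, relative to the bare repository the hook runs in.
ACL_FILE=${ACL_FILE:-hooks/push-acl}

# acl_decide USER REF FILE: prints "allow" or "deny"
acl_decide() {
    user=$1 ref=$2 file=$3
    [ -n "$user" ] || { echo deny; return; }   # no authenticated user
    [ -r "$file" ] || { echo deny; return; }   # missing ACL fails closed
    while read -r who pattern verdict; do
        case $who in ''|'#'*) continue ;; esac # blank line or comment
        [ "$who" = "*" ] || [ "$who" = "$user" ] || continue
        case $ref in
            $pattern) ;;                        # glob; "*" also spans "/"
            *) continue ;;
        esac
        case $verdict in
            allow) echo allow ;;
            *)     echo deny ;;                 # unknown verdicts fail closed
        esac
        return
    done < "$file"
    echo deny
}

# update_hook REF OLD NEW: a non-zero status makes git reject that ref
update_hook() {
    if [ "$(acl_decide "${REMOTE_USER:-}" "$1" "$ACL_FILE")" = allow ]; then
        return 0
    fi
    echo "push to $1 denied for '${REMOTE_USER:-anonymous}'" >&2
    return 1
}

# Dispatch only when installed as hooks/update, so the file can be sourced.
case ${0##*/} in
    update) update_hook "$@" ;;
esac
```

Because the first matching rule wins, a per-user `allow` placed above a wildcard `deny` for the same ref gives the per-branch write control that Authz provided per path, while the ACL file itself stays editable only by the repository administrator.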