Q: howto require per-branch authentication to commit or, push changes

[Mark Hammond]

On 5/04/2009 2:50 AM, Adrian Wilkins wrote:
>> A lot of Windows shops would probably like to put bzr behind IIS and
>> configure NTLM or Kerberos security to control access giving them
>> password-less authentication and centralized user management.
>
> I'm using an IIS smart server with Basic authentication. One caveat is
> that certain versions of IIS don't support smart and dumb access at the
> same time without additional effort.

I've got a fair bit of experience with IIS versions 5 and up and have 
never come across this - what problems were they?

> For per-branch authentication, you can write permissions into your WSGI
> handler (see http://bazaar-vcs.org/ServerGuide/IIS) ; this presumably
> also works on Apache using the same WSGI technique.
>
> You could also use Apache on Windows, which is paradoxically easier to
> get SSPI working on because the mod_sspi module offers Basic as well as
> NTLM.
>
> If bzr supported it, I'd love client SSL certificate auth, something
> that both Apache and IIS support.
>
> I've also successfully configured SSH on windows (using a package of a
> Cygwin OpenSSH build).

While the above are all likely interesting to different people, I doubt 
they will meet the requirements of many "Windows shops" (as opposed to 
"shops with Windows boxes") - such shops are unlikely to have ssh 
certificates (as Windows provides an alternative that is easier and 
works better for them), and probably have no idea what WSGI is - 
probably not even what *Python* is.  They likely already have a Windows 
environment that works well for them, doesn't include ssl or apache, and 
they will evaluate how well tools fit their *current* environment, not 
how many options the tool offers to change it.

I'm obviously not trying to suggest anyone must do this, but just 
sharing my experiences of the expectations of such environments.  I've 
spent the last few years working for a company providing paid enhanced 
Windows support and products for Plone and Zope.  While the free 
open-source versions of these products did run on Windows, they simply 
didn't have *enough* Windows support to meet their requirements, and 
didn't mind paying money if it met their needs better.  These 
environments did not *want* Apache, and paid us good money for a proxy 
cache vastly inferior to squid/varnish simply as it ran under IIS (oh - 
and you didn't need a PhD to configure it ;) Of course, bzr may choose 
to explicitly *exclude* such environments from their target user base, 
but I think that would be short-sited - one day these people may become 
*real* programmers <wink>.

Cheers,

Mark