Last Updated: 21 Nov 2020
Locking a Branch in Subversion
If you branch your code in your subversion repository, you may eventually want to 'lock' or 'freeze' one of the branches you've created, so that developers can't continue to check in code in that branch.
Subversion has a nice lock command, but it doesn't do what we want. It's designed only to indicate to other svn users that a particular developer is working on a file, and as such you can only lock files and anyone can 'steal' a lock.
Instead, the best way to 'lock' a branch is to use path-based access control to make part of your repository read-only. The subversion manual has all the gory details, but briefly, you'll want to:
- Setup an AuthZ rules file
- Add rules to that file to lock certain branches or tags
Here's how you do it.
Setup a AuthZ Rules File
You need to setup a configuration file to hold the rules governing what part of your repo should be locked.
If you're using apache to serve your subversion repos, you'll want to use the
AuthzSVNAccessFile directive to point to your file. Be sure you're loading the
mod_authz_svn module in your main
Here's roughly what your virtual host should look like. Note that I've also included
<VirtualHost 10.0.0.10:80> ServerName svn.mydomain.com <Location /> DAV svn SVNParentPath /var/svn/repos AuthType Basic AuthName "My SVN Repo" AuthUserFile /path/to/.htaccess/file Require valid-user AuthzSVNAccessFile /path/to/.authz/file </Location> ... </VirtualHost>
I usually put the
.authz file in the same place as my
.htaccess file, so I can easily edit both at once.
If you're using
svnserve, you need to make the
authz-db variable (within
svnserve.conf) point to your rules file.
Setup the Rules
Once you have the
.authz file setup, you'll need to put some rules in. First, you'll probably want to allow anyone who's authenticated full access to your repo (*). Then, you'll want to make certain paths read only. Your authz file might look like this:
# Allow full access to all repos [/] * = rw # Lock MyRepo Branch_A # Note that you only need the MyRepo: prefix if you have more than one repo [MyRepo:/branches/branch_a] * = r # Lock all tags in all repos; only allow 'david' to create new tags. [/tags] * = r david = rw
(*) Important Note: I'm assuming here that you're a private developer who does not want to make her repository available to the world. Your users will authenticate via either
svnserve or apache's
.htaccess mechanism, and only after that will they have full access to the repo. If that's not your situation, you may want to adjust your setup.