bug-cvs
Re: backwards compatibility problem with .cvspass?


From: Karl Fogel
Subject: Re: backwards compatibility problem with .cvspass?
Date: 26 Dec 2000 15:09:53 -0600

"Derek R. Price" <derek.price@openavenue.com> writes:
> >    * A password and a port number may now be specified in CVSROOT for
> >    pserver connections.  The new format is:
> >
> >       :pserver:[[user][:password]@]host[:[port]]/path
> >
> >    Note that passwords specified in a checkout command will be saved
> >    in the clear in the CVS/Root file in each created directory, so
> >    this is not recommended, except perhaps when accessing anonymous
> >    repositories or the like.
> 
> This is the source of your problem.  When _this_ feature went in, I decided
> that since I've seen several emails asking or telling about using
> non-default port numbers over the last few years that I would not assume
> that an entry in .cvspass without a port number meant port 2401.  This
> seemed the lesser of two evils since the people who used to use non-default
> port numbers would have seen an obscure error message (server not
> responding) which may have been hard to debug versus everyone having to
> relogin to each server they use once after seeing an error message they
> should have already been familiar with.

I'm not sure I understand the rationale here.  (Even if I did, the
NEWS entry quoted above is inaccurate -- if the port-number is
optional, as the brackets imply, then there has to be a default, and
2401 would be the clear choice.  So at the very least, this item in
the NEWS file would need some tweaking...)

> The other half of this workaround/fix/upgrade procedure/whatever is that
> whenever you decide you are finished with the old versions of CVS (pre
> 1.11.0.1) you can use them to 'cvs logout' the old entries or delete the
> old lines from .cvspass.
>
> [...]
>
> So, yes and yes.  I'll annotate the port entry in NEWS.  Please feel free
> to argue if you think asking for the extra login is not the lesser of two
> evils.

Ah, I see you agree about NEWS.  Cool.  But let me take you up on your
second offer... :-)

I think asking for an extra login is extremely bad, especially
compared to the alternative, which will hardly affect anyone.

What are the two evils here?

   1. People have to re-login to a bunch of servers.  This is *very*
      difficult -- most people don't remember their passwords on CVS
      servers, since they only typed it once the first time they used a
      given server.  I have 130 (yes, you read that right) entries in
      my .cvspass file; are you telling me, and users like me, that we
      have to log into *all* of those again??  When the necessary
      information is already _there_?  Yeeesh! :-)

      Yes, I can write a sed script to go fix up my .cvspass all at
      once.  But most people never look at their .cvspass files, and
      shouldn't have to.  It always worked before, why should upgrading
      CVS change that?

   2. Some rare people get an error message because defaulting to 2401
      doesn't work for them.  (The error message can state the port
      number used, by the way, there's no reason for the msg to be
      "obscure").

      I'm not sure what you've seen over the past few years to
      indicate otherwise, but I don't see how most people could have
      been working with any port *but* 2401 anyway, for the most part,
      since the variable-port feature wasn't available before.  They'd
      have had to recompile their CVS's with some other port number
      hardcoded, to get any other behavior!  Granted, I've done that
      before, and so have you no doubt, but surely 99% of CVS users
      never used anything but 2401 with pserver.

It seems very clear to me that #1 is the *much* harsher penalty.  When
the choice is between a change that will inconvenience everyone, vs a
change that will inconvenience only a very few, I'm baffled as to how
we could choose the former.

I don't recall seeing discussion about this on this list; I'm not
accusing you of not having had the discussion, I'm just explaining why
I didn't protest earlier.  If I had understood what you meant before,
you bet I would have said something! :-) 

I do remember some emails about the variable-port change, but
(honestly) I couldn't believe that anyone was seriously proposing #1
as being better, and thus misread the proposals and simply assumed we
were going with #2.

If we don't fix this, then users are going to curse us vehemently at
the next release, and we'll deserve it, too.

Seriously, imagine it: every *single* pserver user getting this
obscure error message (which doesn't even mention port numbers!)

   cvs update: authorization failed: server blah.blah.com rejected \
   access to /wherever/repos for user jrandom
   cvs update: used empty password; try "cvs login" with a real password

for every different repository they use, simply because we weren't
willing to assume 2401 as a default port number... even though for
virtually all of the users, that assumption would have been correct?

You've got to be kidding me.

-K
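
The default-port matching argued for in the message above, as an added example (not code from CVS or from anyone in this thread): it parses the `:pserver:[[user][:password]@]host[:[port]]/path` form quoted from NEWS, treats a missing port as 2401, and compares roots on that normalized form so an entry stored without a port still matches. The function names are hypothetical, and keying stored entries by their CVSROOT string is an assumption; `has_inline_password` flags roots that would put a password in the clear in CVS/Root.

```python
import re
from typing import Iterable, NamedTuple, Optional

DEFAULT_PSERVER_PORT = 2401  # the default the message argues for

class PserverRoot(NamedTuple):
    user: Optional[str]
    password: Optional[str]
    host: str
    port: int
    path: str

# Grammar from the NEWS entry: :pserver:[[user][:password]@]host[:[port]]/path
_ROOT_RE = re.compile(
    r"^:pserver:"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^:@/]+)"
    r"(?::(?P<port>[0-9]*))?"
    r"(?P<path>/.*)$"
)

# Constructed sample: a stored root that names no port.
LEGACY = ":pserver:jrandom@blah.blah.com:/wherever/repos"

def parse_pserver_root(root: str) -> PserverRoot:
    m = _ROOT_RE.match(root.strip())
    if m is None:
        raise ValueError(f"not a pserver CVSROOT: {root!r}")
    port = int(m["port"]) if m["port"] else DEFAULT_PSERVER_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {root!r}")
    return PserverRoot(m["user"] or None, m["password"], m["host"], port, m["path"])

def canonical_key(root: str) -> str:
    # Explicit port, never the password: safe to compare, log or store.
    r = parse_pserver_root(root)
    user = f"{r.user}@" if r.user else ""
    return f":pserver:{user}{r.host}:{r.port}{r.path}"

def find_entry(root: str, stored_roots: Iterable[str]) -> Optional[str]:
    # Return the stored root naming the same user, host, port and path.
    wanted = canonical_key(root)
    for stored in stored_roots:
        if canonical_key(stored) == wanted:
            return stored
    return None

def has_inline_password(root: str) -> bool:
    # True when the root embeds a password (it would land in CVS/Root).
    return parse_pserver_root(root).password is not None
```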
