From: | Derek Robert Price |
Subject: | Re: [PATCH] cvs security versus Checkin.prog and Update.prog |
Date: | Thu, 27 Mar 2003 23:45:26 -0500 |
User-agent: | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 |
Mike Sutton wrote:
> Seems like a reasonable approach to me.
>
> On 03/26/03 19:14:18, Mark D. Baushke wrote:
>> Hi Folks,
>>
>> I was just revisiting the thread about the CVS/Checkin.prog and CVS/Update.prog for security. The two relevant threads seem to be:
>>
>> http://www.mail-archive.com/bug-cvs@gnu.org/msg00384.html
>> and
>> http://mail.gnu.org/archive/html/bug-cvs/2003-03/msg00107.html
>>
>> I have not really finished writing updates for the documentation of this proposed patch yet, but I thought I would float the idea to see what folks think of it.
>>
>> This patch the choice to be up to a given repository manager with the default being to be more secure.

Actually, I floated the idea of removing the functionality entirely by the dev list some weeks ago and didn't receive any objections. Karl Fogel even piped up to second the motion. My second choice was continuing to support the features via CVSROOT/config options, but I'd still much rather remove the functionality entirely. I hear little enough about it to think that no one is really using it and there are other, more secure ways of hooking into the commit processes.
I told the CERT vulnerability tracking folks <http://www.cert.org> we'd do something by the next release but I hadn't gotten around to it yet.
Derek
--
*8^) Email: derek@ximbiot.com
Get CVS support at <http://ximbiot.com>!
--
Tar is not a plaything. Tar is not a plaything. Tar is not a plaything...
- Bart Simpson on chalkboard, _The Simpsons_