
Re: [Cvs-dev] cvs features for gnu savannah


From: Bob Proulx
Subject: Re: [Cvs-dev] cvs features for gnu savannah
Date: Wed, 30 Nov 2016 19:47:04 -0700
User-agent: NeoMutt/20161104 (1.7.1)

Thorsten Glaser wrote:
> Bob Proulx dixit:
> > What do you recommend for anonymous checkouts?  Is there an
> > alternative?
> 
> Why yes, anoncvs of course, pioneered in 1999 by OpenBSD:
> http://www.openbsd.org/papers/anoncvs-paper.pdf
> https://www.openbsd.org/papers/anoncvs-slides.pdf
> 
> In MirBSD, we use the same mechanism, although the faux login
> shell used allows both cvs server and rsync, so people can also
> download the entire repository and use it (save for checkin) in
> offline mode.

That looks very interesting.  I only very briefly skimmed the above
and I wonder how well that will work for MS-Windows users of cvs.

However it also addresses a different issue point.  It is an encrypted
transport while the straight pserver is not.  There are at least two
camps on this.  One worries about clients with limited capabilities
and resources.  We want to continue to provide for them.  The other
camp is worried about man-in-the-middle attacks against unencrypted
transports being able to inject malicious bytes into the transaction.
That camp would like to shut down unencrypted transports to prevent the
possibility of such malicious injection.  And at least another camp
will want this to be the choice of individual projects to decide for
themselves.

> Of course, you can continue running pserver, although, please, in
> read-only mode.

Savannah has always run pserver in read-only mode and as a uniquely
different user id with no file permissions.

> > because no one else would know of the locally patched version.  If
> > these patches were in an official release then we wouldn't need to be
> > maintaining our own source fork.  That way Savannah would get the
> 
> True, although for that point it doesn’t matter whether “in an official
> release” means upstream or distribution.

Agreed.  Either way will work nicely for Savannah.  Although upstream
is obviously beneficial to the larger community.

Bob


