[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ANNOUNCE] cvs-nserver released

From: Frederic Brehm
Subject: Re: [ANNOUNCE] cvs-nserver released
Date: Fri, 15 Jun 2001 12:04:19 -0400

[ On Friday, June 15, 2001 at 00:23:14 (-0700), Gianni Mariani wrote: ]
 Subject: Re: [ANNOUNCE] cvs-nserver released

 cvs-nserver sounds great.

 I'd like to see thin kind of authentication support in the base CVS soon.

At 11:04 -0400 6/15/01, Greg A. Woods wrote:
No, you do not.  You do not want to see ANY kind of authentication or
authorisation support in CVS, EVER.

CVS is NOT a security tool and it was not designed to be secure.

Greg tells you that you do not want what you THINK you want, but he does not tell you what you SHOULD want (probably because he's tired of repeating himself). So, what should you want? Here's a short explanation.

First, a review of one way to run CVS in client/server mode.

  CVS client <-------->RSH client<-------->RSH server<-------->CVS server
            CVS protocol        RSH protocol        CVS protocol

Here's a more secure way

  CVS client <-------->SSH client<-------->SSH server<-------->CVS server
            CVS protocol        SSH protocol        CVS protocol

Here's what you SHOULD want for authentication/security method XXX

  CVS client <-------->XXX client<-------->XXX server<-------->CVS server
            CVS protocol        XXX protocol        CVS protocol

So, all you have to do is to get/buy/create the XXX client/server pair. You don't have to modify CVS and convince the CVS maintainers to add your patches to the distribution (good luck!).

Something like this should probably go into the manual because this is definitely an FAQ. If this were in the manual, then our very own CVS AI robot guy :-) could reply with a URL to the manual section.


Fred Brehm, Sarnoff Corporation, address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]