info-cvs

Re: CVS access control


From: yap_noel
Subject: Re: CVS access control
Date: Mon, 1 Oct 2001 10:28:23 -0400

>The only secure banking system I've seen used such a device for creating
>one-time codes, but it wouldn't rely on a session, it would require the user
>to enter the code for _each_ transaction that was to be performed.  That's
>quite secure.  But then again, what's the point, when the calculator and the
>PIN are sent by regular mail service?  Anybody snooping by my mailbox
>every day before I get to it might easily steal both the generator and the
>PIN.

IMHO, key distribution is the hardest part in the security system to
strengthen (even SSH can be used with a weak distribution mechanism).
Since anyone who wants to subvert the key distribution must always watch
the distribution mechanism, I think it's harder to break than a system that
distributes the key all the time.

>> > I can hardly argue that any of those things are important.  Not for me, at
>> > least.  I can't tell for others.
>>
>> I'm not sure ACLs on branches are meaningful at all to anyone, at least
>> not in the bigger picture.
>
>Well, at least I've been in a situation where it could be meaningful - we
>wanted a lot of independent developers to have the right to commit to an
>experimental branch, while the stable branch only should be touched by some
>highly trusted person.  Thus we could recommend anyone to use the stable
>branch.

Like I said before, this should be done by extending commitinfo to pass
branch info to the commitinfo scripts.

Noel
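
The branch policy discussed above (many committers on an experimental branch, one trusted committer on stable), as an added example that is not part of the original message or of CVS itself. It assumes the check runs in a directory containing a CVS/Entries file and takes the branch from each file's sticky tag; the script name, invocation, user names and ACL are hypothetical.

```python
#!/usr/bin/env python3
"""Branch-aware commit check written as a CVS commitinfo-style script."""
import sys

# Constructed policy: branch -> users allowed to commit; "HEAD" is the trunk.
# Branches without an entry are closed to everyone (fail closed).
BRANCH_ACL = {
    "stable": {"maintainer"},
    "experimental": {"maintainer", "alice", "bob"},
}

# Constructed sample of a CVS/Entries file (not taken from the thread).
SAMPLE_ENTRIES = """\
/README/1.4/Mon Oct  1 10:00:00 2001//
/core.c/1.7.2.3/Mon Oct  1 10:00:00 2001//Tstable
/proto.c/1.2.4.1/Mon Oct  1 10:00:00 2001/-kb/Texperimental
D/doc////
"""

def sticky_tags(entries_text):
    """Map file name -> branch using the last field of each Entries line
    (/name/revision/timestamp/options/tagdate; 'T<tag>' is a sticky tag)."""
    tags = {}
    for line in entries_text.splitlines():
        fields = line.split("/")
        if not line.startswith("/") or len(fields) < 6:
            continue  # directory ('D/...') or malformed line
        tagdate = fields[5]
        if tagdate == "":
            tags[fields[1]] = "HEAD"
        elif tagdate.startswith("T"):
            tags[fields[1]] = tagdate[1:]
        else:
            tags[fields[1]] = "?"  # sticky date or unknown: never allowed
    return tags

def denied_files(user, files, entries_text):
    """Return (file, branch) pairs that this user may not commit."""
    tags = sticky_tags(entries_text)
    return [(f, tags.get(f, "?")) for f in files
            if user not in BRANCH_ACL.get(tags.get(f, "?"), set())]

if __name__ == "__main__":
    # Hypothetical invocation: check_branch.py <user> <repository-dir> <files...>
    user, files = sys.argv[1], sys.argv[3:]
    with open("CVS/Entries") as fh:
        bad = denied_files(user, files, fh.read())
    for name, branch in bad:
        print(f"{user} may not commit {name} on branch {branch}", file=sys.stderr)
    sys.exit(1 if bad else 0)  # non-zero exit aborts the commit
```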
