Re: set 1 file in repository to be read only

[Mark D. Baushke]

You may find the advisory locks of using 

    cvs watch filename

will do what you need. It requires that a user go thru a bit more effort
if they want to modify a file in their existing sandbox.

By default a file that is watched will be read-only on checkout. It is
not that much extra protection. If a user really wanted to modify it
using cvs semantics, the 'cvs edit filename' command would change it
to a read-write file and notify any watcher of the file that the user
intended to update the file.

It is not strict locking, but if you really do trust your staff, then it
might be enough protection to keep them honest.

        Enjoy!
        -- Mark

Tumy, Brad <address@hidden> writes:

> Mark,
> 
> I appreciate your help with this but your last paragraph is way off
> base. It's not a matter of trust...if it was we wouldn't need file
> system permissions at all. It's a matter of protecting the users from
> accidentally committing the entire structure and overwriting this
> particular file. It's a matter of having a good security policy and
> good development policy in place and protecting files that shouldn't
> be over-written. Actually I have a very high opinion of my staff and
> their capabilities. I am trying to create an environment where they
> can complete their work successfully and not have to continuously
> worry about overwriting files that shouldn't be overwritten.
> 
> I realize that anyone can log directly into the system and chmod the
> file and do what ever they want to it...I am not trying to prevent
> that. For that matter everyone on this team has the root password so
> they would be able to do that. I am trying to restrict writes to this
> file so that it's not over written "accidentally" through CVS.
> 
> In regards to not using CVS if it can't do this one particular
> function...If I followed that policy I probably wouldn't be able to
> use any tool because none is perfect and none would have 100% of the
> capabilities that everyone needs. CVS is a great tool and you can't
> beat the price. CVS is just one small part of our entire development
> process, I don't expect it to be able to do absolutely everything and
> make me a cup of coffee. I realize that for some things I need to go
> outside of the CM tool...that's why I originally asked if setting the
> permissions to read only through the OS would prevent writes through
> CVS.
> 
> Anyway...thanks for your insight on comittinfo.
> 
> Brad
> 
> 
> 
> -----Original Message-----
> From: Mark D. Baushke [mailto:address@hidden
> Sent: Friday, June 06, 2003 4:46 PM
> To: Tumy, Brad
> Cc: address@hidden
> Subject: Re: set 1 file in repository to be read only 
> 
> 
> Tumy, Brad <address@hidden> writes:
> 
> > >This is sort of an abuse of the cvs system which is intended to allow
> > >users to make changes to files they checkout of the repository...
> > 
> > Is there a better to do this?
> 
> I am not able to think of any better way to do this.
> 
> > I want each developer to be able to have the entire project on their local
> > machines so that they can test from their local install of Apache and Cold
> > Fusion.  I don't want them to be able to overwrite this particular file
> > though.
> 
> So, you want them to checkout the entire module or set of modules. Fine,
> they can do that using cvs. If you want them to not be able to commit a
> particular file, you need to instrument it with the hooks available. If
> the cvs tool does not do what you need, then do not use it.
> 
> In any case, your developers could make local modifications of the file
> that they do not checking to the system. Nothing prevents that at all.
> 
> Do you really have such a low opinion of your staff? Perhaps it is time
> to either encourage management to hire new staff (may folks seem to be
> looking for jobs in the current market), or perhaps you should consider
> finding a place of employement where you can trust the staff around you
> to do the right thing.
> 
>       Good luck,
>       -- Mark
> 
> > Thanks,
> > Brad
> > 
> > -----Original Message-----
> > From: Mark D. Baushke [mailto:address@hidden
> > Sent: Friday, June 06, 2003 4:36 PM
> > To: Tumy, Brad
> > Cc: address@hidden
> > Subject: Re: set 1 file in repository to be read only 
> > 
> > 
> > Tumy, Brad <address@hidden> writes:
> > 
> > > So what it appears I would need to do using this method is have some
> sort
> > of
> > > regular expression search for the file name that is restricted.  If this
> > > file name is found then it should return a non-zero exit status and the
> > > commit on that file will fail.
> > > 
> > > Sounds complicated actually...maybe I am missing something.
> > > 
> > > Easier way?
> > 
> > The comminfo script is called on a particular directory given as the
> > pattern, it is not file-based. The arguments typically passed to the
> > script will include the name of the file and the directory in which it
> > resides. Check to see if the directory matches and the name of the file
> > matches and exit with a non-zero return code and the commit will not be
> > allowed.
> > 
> > This is sort of an abuse of the cvs system which is intended to allow
> > users to make changes to files they checkout of the repository...
> > 
> >     Good luck,
> >     -- Mark
> >  
> > > Thanks.
> > > Brad
> > > 
> > > -----Original Message-----
> > > From: Mark D. Baushke [mailto:address@hidden
> > > Sent: Friday, June 06, 2003 4:03 PM
> > > To: Tumy, Brad
> > > Cc: address@hidden
> > > Subject: Re: set 1 file in repository to be read only 
> > > 
> > > 
> > > Tumy, Brad <address@hidden> writes:
> > > 
> > > > This question is more for a sanity check then anything else.
> > > > 
> > > > If I want one specific file in the repository to be read-only (to all
> > > > developers) then I just set the permissions on that file (through OS
> > > > [Solaris]) to be read-only ...correct? 
> > > 
> > > No.
> > >  
> > > > We are developing a web-application in Cold Fusion and I want to lock
> > down
> > > > the top Application.cfm file so that developers can check it out and
> > > include
> > > > it in their working directory but not be able to commit it back to the
> > > > repository.
> > > 
> > > Use the commitinfo hook and have it know that particular file should
> > > never be allowed to be committed by normal developers. See the URL:
> > > http://www.cvshome.org/docs/manual/cvs-1.12.1/cvs_18.html#SEC167 for
> > > more information.
> > > 
> > >   -- Mark