info-cvs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FAQ-O-Matic pserver protocol

From: Mark D. Baushke
Subject: Re: FAQ-O-Matic pserver protocol
Date: Sun, 13 Feb 2005 00:38:39 -0800 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guus Leeuw jr. <address@hidden> writes:

> Hence I am looking at the pserver protocol, so I figured, it is a FAQ.
> Now depending how you interpret FAQ (asked or answered), I was right ;)
> 
> It's apparently asked often, but
> https://ccvs.cvshome.org/fom//cache/446.html gives no answer :(

Search the info-cvs archives and you might have more luck. The short
answer is don't use it. Move along, this is not the protocol you are
looking for...

> 
> Can anybody tell me where the doc is? Can't seem to find it in the
> cvs1-12-11 branch...

For HTML Cederqvist manual for cvs 1.12.11, look here:
https://www.cvshome.org/docs/manual/cvs-1.12.11/cvs.html

For the client/server protocol, look here:
https://ccvs.cvshome.org/source/browse/ccvs/doc/cvsclient.texi

You should be able to find a doc/cvsclient.info file and a
doc/cvsclient.ps -- these forms of the document describe both the
pserver framework and protocol (as well as the kserver and server
protocols). If you plan to read the document closely and you actually
care about security, issue ear-plugs to your neighbors so that your
screams will not distrub them too much.

In general, my personal opinion is that the pserver and kserver
protocols should be removed from the cvs sources completely. It is never
secure to run the cvs executable as root which is required to use the
pserver protocol. The cvs sources were never designed with security in
mind and running them as root is idiocy. (Just say no.)

You really want to consider moving to :ext: using the SSH transport.
This allows end-to-end security and does not provide as much room for
privilege escallation to arise.

If you feel you must use pserver and are not yet using it, you should
probably consider using some other source control system first.

If you are using pserver, I hope it is on an isolated LAN with lots of
firewalls and does not control any sources you really need to be kept
secure. I also hope that you are making plans to transition away from
pserver usage as fast as possible.

Summary: Friends don't let friends deploy cvs pserver configurations...

        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCDxIP3x41pRYZE/gRAiwuAJ9ftpS2nUin7Elfdk+BtNQxsBeJLACfd46W
Cd5mD5+/FsrE+apvSb4R7zg=
=CUO0
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]