[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: FAQ-O-Matic pserver protocol

From: Guus Leeuw jr.
Subject: RE: FAQ-O-Matic pserver protocol
Date: Sun, 13 Feb 2005 09:50:43 +0100

> -----Original Message-----
> From: address@hidden [mailto:address@hidden On Behalf Of Mark D.
> Baushke
> Sent: dimanche 13 février 2005 09:39
> To: Guus Leeuw jr.
> Cc: address@hidden
> Subject: Re: FAQ-O-Matic pserver protocol
> Hash: SHA1
> Guus Leeuw jr. <address@hidden> writes:
> > Hence I am looking at the pserver protocol, so I figured, it is a FAQ.
> > Now depending how you interpret FAQ (asked or answered), I was right ;)
> >
> > It's apparently asked often, but
> > gives no answer :(
> Search the info-cvs archives and you might have more luck. The short
> answer is don't use it. Move along, this is not the protocol you are
> looking for...

The "hence" above was indicating that I am writing a passwd command for the
pserver stuff, as Jim suggested would be a nice feature...
On dev, so far, no hard statement against doing this...
If you think, I shouldn't be doing this, please state so, and I'll back out
doing more important stuff...

> > Can anybody tell me where the doc is? Can't seem to find it in the
> > cvs1-12-11 branch...
> For HTML Cederqvist manual for cvs 1.12.11, look here:
> For the client/server protocol, look here:
> You should be able to find a doc/ file and a
> doc/ -- these forms of the document describe both the
> pserver framework and protocol (as well as the kserver and server
> protocols). If you plan to read the document closely and you actually
> care about security, issue ear-plugs to your neighbors so that your
> screams will not distrub them too much.

OK, thanks ;)

> In general, my personal opinion is that the pserver and kserver
> protocols should be removed from the cvs sources completely. It is never
> secure to run the cvs executable as root which is required to use the
> pserver protocol. The cvs sources were never designed with security in
> mind and running them as root is idiocy. (Just say no.)

You're kidding right? Root is a good user(TM), no?
> If you are using pserver, I hope it is on an isolated LAN with lots of
> firewalls and does not control any sources you really need to be kept
> secure. I also hope that you are making plans to transition away from
> pserver usage as fast as possible.

I use it since a couple of years on a LAN that has merely an ADSL router
listening, and a linux based firewall blocking... in between the LAN and the
server is still an SMC Barricade allowing nothing from the outside to create
a network session... Guess this is triple secure... I get a lot of probes,
but they don't make it through the server... So that should be cool...

> Summary: Friends don't let friends deploy cvs pserver configurations...

Sure enough... What about the people that do use pserver, and want their
users to change their passwords from CVSROOT/passwd? No change today... Not
securely, that is. So we might consider implementing it, no? Simply sending
a scrambled password over the *LAN* can't hurt too much... For WAN, pserver
is quite different ;)

Anyways... Development stopped until verdict is received ;)


No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.7 - Release Date: 10/02/2005

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.7 - Release Date: 10/02/2005

reply via email to

[Prev in Thread] Current Thread [Next in Thread]