[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: server->pserver proxy?

From: Gary Funck
Subject: Re: server->pserver proxy?
Date: Thu, 24 Jan 2008 12:55:47 -0800
User-agent: Mutt/1.5.17 (2007-11-01)

On 01/24/08 15:28:55, Todd Denniston wrote:
>> I prefer something like the pserver protocol because it has
>> per repository access control that is separate from the system's
>> idea of users and groups, and it makes it possible to manage
>> CVS access using CVS-related files/tools only.
> Which if I recall correctly folks over the years have indicated are weak at 
> best.
> And you are thinking about allowing read access to the _REAL_ repository 
> from _anonymous_ users using pserver????

Actually, I'm reconsidering that policy.  I'm gravitating towards
rsyncinng a read-only copy (of the public source code tree) over
to the firewalled server, and letting anoncvs have at it.

> At least with ssh you might be able (using ssh restrictions) to restrict 
> them to only being able to execute cvs.

Yup.  We already do that.

>>> If you need to get fancier then use the cvsacls script from the contrib
>>> directory.
>> I looked at that and a few other add ons.  Seemed somewhat clunky
>> and complex.
> because CVS (including the pserver portion) was never designed as a secure 
> application, the OS was to take care of that.

Thanks for the pointer.  An interesting thread.  The author is clearly
against wide use of pserver for a number of persuasive reasons.
Perhaps, we'll just gravitate back to our curret :ext:server:+ssh
approach and learn to better appreciate its virtues.

> CVSNT _may_ be a bit better about the security, because they have been 
> working on several methods for authentication.

If it requires its own clients that won't work well for us.  The fact
that we've stayed with cvs is mainly because of its ubqiquity.

  - Gary

reply via email to

[Prev in Thread] Current Thread [Next in Thread]